CyberWire Daily - Unveiling the updated NICE Framework & cybersecurity education’s future. [Special Edition]
Episode Date: March 17, 2024
The Workforce Framework for Cybersecurity (NICE Framework) (NIST Special Publication 800-181, revision 1) provides a set of building blocks for describing the Tasks, Knowledge, and Skills (TKS) that are needed to perform cybersecurity work by individuals or teams. Through these building blocks, the NICE Framework enables organizations to develop their workforces to perform cybersecurity work, and it helps learners to explore cybersecurity work and to engage in appropriate learning activities to develop their knowledge and skills. On this Special Edition podcast, N2K CyberWire's Dave Bittner is joined by the team at NIST and FIU's Jack D. Gordon Institute for Public Policy to delve into the history of the NICE Framework through its latest update and looking into the future.
Brian Fonseca, Director at the Jack D. Gordon Institute for Public Policy, shares an introduction to the NICE Framework. Karen Wetzel, NICE Framework Manager, discusses the updates to the framework. Rodney Petersen, Director of NICE, talks about what these updates mean to cybersecurity education's future.
Resources:
NICE Framework Resource Center
Getting Started with the NICE Framework
2024 NICE Conference and Expo: Strengthening Ecosystems: Aligning Stakeholders to Bridge the Cybersecurity Workforce Gap
Take advantage of the early bird pricing until March 19, 2024. Don’t miss out on this opportunity!
Jack D. Gordon Institute for Public Policy at Florida International University (FIU)
Veterans and First Responders Training Initiative
Intelligence Fellowship
And be sure to check out our live webinar: CISOs are the new Architects (of the Workforce)
Join N2K’s Simone Petrella and Intuit’s Kim Jones on Wednesday, March 27th for an online discussion about the pivotal role security leaders play in shaping the security workforce landscape, and how we can start showing up for the future of our industry. Learn more and register on the event page.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to this special edition N2K CyberWire podcast.
Today, we're peeling back the layers on something that's become the cornerstone of cybersecurity workforce development,
the NICE framework. It's more than just a guideline. It's the foundation for building a skilled, knowledgeable cybersecurity workforce, ready to tackle the challenges of today and
tomorrow. I'm your host, Dave Bittner. Today, we've got a lineup that's as informative as
it is inspiring. To kick things off, Brian Fonseca from the Jack D. Gordon Institute for Public Policy
will give us a primer on what the NICE framework is all about.
Following that, Karen Wetzel, the NICE framework manager,
will take us through the latest updates and what they signify for the industry.
And to bring it all home, Rodney Petersen, director of NICE,
will share insights on how these changes are shaping the future of cybersecurity education.
The NICE framework isn't just about tasks, knowledge, and skills essential for cybersecurity work.
It's about paving the way for individuals and organizations to elevate their capabilities in this ever-evolving field.
So, whether you're part of an organization looking to bolster your cybersecurity defenses, or an aspiring cyber professional eager to carve out your path,
this episode is for you. Let's get started.
For someone who is not at all familiar with the NICE framework, with the interaction with NIST,
and all that kind of stuff.
How do you explain it to someone who's really not up to speed on what it is?
Right. So, I mean, think about the NICE framework, the National Initiative for Cyber Education
Framework. We refer to it as the NICE Cybersecurity Workforce Framework, which is
essentially a comprehensive guide that helps lay the foundation
for how we define and standardize, codify the cybersecurity workforce. The spirit of the
framework is to categorize and describe cybersecurity work into categories, specialty areas,
work roles, knowledge, skills, and abilities, also
known as KSAs, for each of the required roles.
This is a framework that's designed to bring a variety of sectors together.
When I say sector, I mean bring academic institutions, industry, government, and try to align them
towards improving the cybersecurity
workforce and reducing what has become a really pronounced gap in terms of the number of
cybersecurity positions available and the workforce that we have to fill those roles.
Can you take us through a little bit of the history here? I mean, what led us to this point
where we find ourselves today?
So, I mean, first and foremost, the rapid, you know, rise of tech and the proliferation of tech
and the growing insecurity in cyberspace has led to a huge, you know, demand for cybersecurity
professionals. And I think at some point, you know, in the last two decades,
we realized that, you know, universities and educational institutions
weren't spitting out enough workforce to fill the demand.
And so what was happening was the delta between the growing demand
for cyber professionals and the number of cyber professionals
going into the workforce was continuing to sort of become more pronounced. And so this was an initiative by the U.S improve the nation's ability to educate cyber professionals,
train workforce by upskilling, reskilling workforce in an effort entirely to mitigate
the growing workforce gap that we saw in cyber.
Can you give us some insights as to what the
process has been like of bringing all these different stakeholders to the table to make sure that you end up with a balanced approach here in the framework?
That's a great question.
And so at FIU, I help lead the National Initiative for Cyber Education annual university convening.
It's something we've been doing now.
This is going to be our sixth year in which we've been organizing this annual convening that is designed to bring academic
institutions, industry, government, civil society into one space and be thoughtful about
where the cybersecurity workforce is going and how we need to pivot or evolve to ensure that we're producing workforce
that can meet the demands. This is about alignment, ensuring that what universities are doing
in terms of curriculum aligns with what the industry needs. We've seen that iteratively
over time is that universities were not necessarily aligning their curriculum with industry and in a sort of rapidly evolving workforce landscape.
And so this NIST, NICE, and our annual convening that we lead underneath NICE
is designed to create that sort of alignment to ensure that, again,
universities are producing the talent that is needed by the workforce
and is evolving as rapidly as the
workforce demands are evolving.
So that's sort of the origin and background of this.
You do it through a series of convenings.
There's iterative processes by which we continue to, I mean, first the framework itself was
developed and then it's constantly sort of
evaluated and refined to ensure that what's codified in the framework does in fact map
to where the cybersecurity workforce is going or where it is and where it's going, of course.
So that's really, you know, it's this multi-stakeholder approach of bringing these organizations together, bringing these communities together, and building, you know, sort of, you know, thoughtfulness into how we prepare the workforce of, you know, of the future.
You mentioned academic institutions, and I'm curious, how does the release of the framework affect those institutions? What is the interaction and how does it align with where they find themselves today?
Yeah, that's a great question.
And I think the most impact that the framework and sort of the evolution of the framework is having on institutions is it's helping inform institutions of the skills needed to meet the demands of the workforce. And so that translates back to evolving curriculum, evolving experiential
learning opportunities to ensure students are getting the skills that they need through formal
classes, through experiential opportunities, professionalization, programming to, again,
align with what industry needs in order to address what has been a fairly
large gap between number of cybersecurity jobs out there and the amount of workforce that
is in play to help address those vacancies. And so, universities rely on the framework, again,
to make sure that there's alignment on their end, that the things that they're doing in higher ed
is producing meaningful talent that's going off into the workforce.
It strikes me that it really is
important to have something like this as a standard to calibrate across the various
universities and colleges and even boot camps, like that, that are trying to get people up to speed here for these jobs to have a ground truth, a North Star that everyone can point to and say, okay, here's, you know, here's the basis for which this is where we begin.
Yeah, that's absolutely right. And I think that's the spirit of this is to help inform that conversation of what that point of departure is in terms of preparation of workforce.
And again, you know, NICE itself has been sort of an evolution. As I mentioned, it, you know,
it launched in 2008, roughly, initiative under, you know, sort of federal charge of improving the
national security, the nation's national security or cybersecurity workforce. And then sort of,
you know, the development and release of the first actual framework occurred, you know, at the turn of the last, you know, the last decade, the 2010-12 period
is when the first NICE framework was published. And again, universities, you know, quickly started
to gravitate towards pulling that framework in to drive, you know, how, you know, academia was
positioning to help produce what was this growing demand.
I mean, at the end of the day, that's what universities' charge is,
is to produce workforce in part, which is the large part.
And so this framework has been so vital for institutions like ours
to help inform how we align with what the workforce needs are.
I'm curious.
We have this explosion of interest in AI, and I think it's
fair to say that it's really captured both the public's imagination and also professionals as
well. There's a huge demand for people with knowledge and expertise in this area. How does
something like that play into the framework when you have this big, shiny object right now that is
AI, what's the interplay between that and the framework itself?
That's a great question. And
in fact, many have sort of suggested that much of our success in addressing the workforce gap is going to come through the use of AI, right? AI
in many ways is automating some of the work roles. And so those that are pursuing careers
in cybersecurity, I think it's a must at this point, must be familiar with the tools and
capabilities that AI brings to securing cyberspace,
securing physical systems, networks, software, and applications.
And so that's where I think this goes,
is that the framework is going to have to build into the framework
maybe AI-specific roles and competencies,
or at least helps ensure that those that are being
trained, you know, also understand sort of the limits and opportunities of leveraging AI
in pursuit of their respective cybersecurity roles. And so that's where I see this sort of
evolving. And I think that's going to be part of our, you know, a big part of our conversation going forward is how does the cybersecurity workforce better incorporate, you know, machines in meaningful ways to help address the threat landscape and help, you know, create efficiencies and, you know, and make impact on their respective roles as they, again, try to safeguard and protect cyberspace.
And so I think, again, that framework is going to evolve rapidly to absorb this.
I made comments at the last NICE annual convening in Seattle to the effect that we as a community
need to pivot and embrace AI and automation in ways that help us become more effective
in our ability to secure cyberspace. I know at our next convening that's going to take place in June
in Dallas is also going to touch on, if not heavily address, the growing demand for AI in
the cybersecurity space. And then how do we, and that's where our conversation is going to go,
how do we incorporate AI meaningfully into the framework
so that we're producing talent that is both capable of securing cyberspace,
but leveraging what automation and AI can help provide?
Can you give us some examples of some of the ways
that the NICE framework is used within industry?
Yeah, I mean, absolutely.
So you can imagine that part of the NICE framework
kind of lays out these work roles,
but also starts to touch on mapping of what skill sets
are required to be effective in a particular position.
And so what we're seeing is that employers are looking at
the framework, one, to better understand the capabilities needed to address that particular
function in the organization. This is a huge gap going forward is that most HR managers are not
versed in hiring in tech, but every organization has a requirement to hire some type of technical
capability, either in-house or on contract.
And so what the NICE framework does for those organizations is help lay out what that landscape looks like and what skills they should be looking for in candidates to fill technical roles within
their organizations. And part of that also is inclusive of, well, what certifications and what
type of credentials should we be looking for that validate that that person has a skill set that's needed to do the position that I need in our organization.
It's really helpful in educating non-technical personnel on sort of the left, right, lateral limits of what these positions are designed to do
and then what's their pathway in terms of progression within an organization.
And so it becomes a really useful map as you're mapping out the technical growth of human capital within your organization.
Up next, we are joined by Karen Wetzel, Manager of the Workforce Framework for Cybersecurity
NICE Framework at NIST, discussing updates to the NICE Framework.
So let's start off with some high-level stuff here.
Can you give us a little bit of the background of what led up to this release of version 1.0.0 of the NICE Framework components?
Sure. We're very excited about this release and what it means for supporting cybersecurity workforce. In 2020,
we updated the NIST Special Publication 800-181,
the Workforce Framework for Cybersecurity, otherwise known as the NICE Framework.
And we made some updates to that framework structure at that time.
It's essentially been since then that we've been working on updating all of the components
that are the NICE framework in order to match up with that structure.
And it's given us an opportunity to take a look at that content
and make sure that we're addressing things like redundancy and duplication
and lack of clarity at the same time.
Well, let's go through some of the details together here.
I mean, what are some of the key elements here
that you want folks to know about?
Essentially, what we've put out is a great step forward
to be able to improve the usability of the NICE framework.
And we've really been working on making sure
that we are engaging with the community throughout
through calls for comments
on every one of these different components and updates that we've made for them. So it includes everything from
looking at our work role categories and making sure that there are updates there,
make sure that they're clearer and more easily used, as well as looking at our work roles
themselves. And really importantly, we've also introduced new competency areas that will extend the capabilities that we have with the NICE framework and updated all of our task knowledge and skill statements, the building blocks of the framework.
Can you share with us some insights as to what goes into the process of doing an update like this?
What was it like coming up with these new standards?
We've essentially been engaged with the community throughout this entire process.
We had, when we released the NIST special publication revision at the end of 2020,
we had asked prior to that for feedback from our community about things that they would
want to see changed in that.
During that process, we also got additional feedback
about what kinds of changes would be necessary
for the components to make them more useful.
As we went through and reviewed all these components,
we engaged with subject matter experts
and stakeholders in that entire process
through workshops, meetings, and individual calls
in order to understand what we would want to do
in order to address these.
We came up with a TKS authoring guide, a task knowledge and skill statement authoring guide
to guide us in this process as well. And for every stage of the process, we put these out
for comment to make sure that we were heading down the right path.
You've also updated the
NICE Framework Resource Center, which is the online resource.
Can you tell us about that?
Sure. The NICE Framework Resource Center is our website that is all things NICE Framework.
It's where we have guidance and tools and point to other uses of the NICE Framework.
And it was really important for us to make sure that we had updates there to make it easier for people to understand this transition
with this new release of the NICE Framework components.
So we've updated our FAQs.
We have a quick start guide
for people who are just getting started
with using the NICE Framework.
We made sure that there's a mapping
of the original 2017 components to this new version.
We've also included in there change logs
as well as other kinds of summaries
of the updates that we've made.
So essentially really making sure
that if there's a question,
we're trying to answer it there.
And it's also going to help us in the future
as we start to develop new resources
about how to use the NICE framework,
developing out resources for employers,
for learners, for academia
and training organizations, for example.
Can you share with us some examples of how the NICE framework is being used by folks across the industry?
Yeah, the NICE framework has broad usage, which is great.
It means that what we're really doing is making sure that that common language that the NICE framework establishes
is being used in all
portions of the ecosystem. So that includes being used when you're talking to K-12 and thinking
about career discovery, looking at those NICE framework work role categories and be able to
explain the different kinds of work that happen in cybersecurity, and then looking at the work roles and really showing how much variety there is in this profession. It's also used in education,
and that includes both at K-12 level as well as in higher education and then in training
and ongoing education, where the NICE framework is used when developing curriculum to align courses so that we can see that connection
between what is being taught and what work someone might do. And then, of course, it's being used by
employers. That includes both assessing their workforce, being able to gauge their capabilities
and understand what kinds of needs an organization might need or have. And then it also includes
during the hiring processes. It could be
used to help develop job descriptions. And we have a resource on our website that explains how to do
that. It could be used during an assessment as we're seeing more skills-based assessments
happening. It really is at all stages of one's career.
For that person who is in a mode of learning, who's trying to up their skill level, or perhaps someone who's looking to enter this workforce, what part can the NICE framework play for them?
It's a really great resource for them.
If you're looking to enter into the cybersecurity profession, it gives you a great point of entry in terms of understanding the kinds of work that might happen
and the kinds of opportunities that you might have. If you're looking at coming in from a
mid-career transition, you can see how your skills and capabilities can evolve and transition over
into cybersecurity, how you can put those into play in different kinds of work roles.
It also will help you identify gaps and then be able to see what kinds of
learning that you might want to pursue in order to help fill those gaps so that you're really doing
the work that's specific to what your goals are versus maybe taking a shot in the dark and hoping
you get the right skill set that you need.
You know, we see a lot of complaints from folks who
are out there looking for jobs that some of the job descriptions are all over the place
or making unrealistic asks.
We want 10 years of experience for a technology
that's only existed for five years, things like that.
From an employer's point of view,
can the framework provide some clarity
in putting together these job role descriptions?
Absolutely.
And that's, I think,
one of the really important things to understand
is that this could be used
not just by the practitioners
or by the hiring managers,
but by HR as well.
We don't expect HR, human resources staff,
to understand everything there is to know
about cybersecurity.
That's not their area of expertise.
Their area of expertise is about
making sure that
they are creating effective job descriptions, working with the hiring managers and understanding
what their needs are, and being able to assess and be able to bring in the employees that are
going to be useful for that organization. So what we do with the NICE framework is provide guidance
around what kind of work someone in a work role might do and what knowledge and skills they might
need to have in
order to do that work. And so by looking at those, you can go ahead and create a job description
that's more realistic. You could go through a work role and say, yes, for our organization,
this person would need to do these tasks, all of them, or maybe a subset of them, or we may need
to add some in that aren't there because our unique organizational needs. And so by giving them that starting place, it can help make sure that that process is a lot
more effective.
This is version 1.0 of the framework here. What do you look forward to
in the future? How is this going to evolve and grow over time?
Well, there's a lot to do.
And we are working with the community at
all points in order to make sure that we move forward in its ongoing development. We know that
cybersecurity is not an area that is static by any means. And so we need to go ahead and reflect that
in our workforce framework. So this includes looking at developing out those 11 new competency areas.
We have this week the very first meeting of folks who are going to help us to do that, develop out knowledge and skill statements to help support those new competency areas.
We're also looking at updating some of our existing work roles.
And we're doing that right now to be able to make sure that what we have with this new content is meeting current needs
and that we aren't missing anything. We're looking at how things like automation and AI are having an
impact. So not only looking at how do we secure AI, but how AI could be used in the workforce
to do these kinds of work. So it involves a number of new work roles that we're looking at developing.
It involves looking at existing work roles
and going ahead and addressing those competency areas.
That's what the framework itself,
but we also are looking at developing guidance
outside of the framework too.
So whether that's a profiles for specific industries
or specific jobs or just other kinds of resources
to help people
along the way.
It really strikes me that this has been a deliberately collaborative process here,
that beyond the work that you and your colleagues are doing there, that there really has been
an intentionality about working with industry and the various stakeholders.
Absolutely. It's essential that we engage
all of the players in our development of those framework. It is them who are the ones,
it's the employers who are telling us what the needs are. It's the academics who need to
understand that to be able to translate that into training and education to be able to bring
those learners forward. It's about working with the learner community
to understand what kinds of resources they might need
and how they might understand this
to use this for career pathways, for example.
So it really is essential that we are reflecting
what is happening in the workforce
rather than telling the workforce what it should be doing.
It's about listening and about incorporating that.
And that's at all stages. It also includes working with our federal agencies and departments who are in this area,
as well as in private industry, too.
We'll be right back.
Next, we have Rodney Petersen, Director of NICE at NIST in the U.S. Department of Commerce, discussing cybersecurity education's future.
I would love to hear, in your own words, kind of the significance of this recent release of this new version of the NICE framework?
Yeah, so the NICE framework exists
to create a common taxonomy or lexicon
to describe cybersecurity work.
But we all know that cybersecurity work
is evolving and rapidly changing.
So the NICE framework needs to be able
to keep up with those changes
and provide periodic updates accordingly.
So a lot of the updates that came out
in the recent revision
are not only an attempt to update some language from the 2017 publication, but to really reflect
some of the modern needs, particularly in the areas of competency areas, which we're introducing
or reintroducing for the first time, and they address some emerging and important areas that didn't exist or weren't as important in 2017 as they are today in 2024.
Can we dig into some of the details here?
I mean, what are some of the highlights of the changes and updates?
So starting with kind of the component structure, it's organized around seven categories.
And we made some minor but important modification to the category name.
So, for example, the first one was previously called securely provisioned,
which was both a confusing term and maybe not a very accurate term
to describe what the category included.
And it's now called design and develop.
And when you think about the design and development
of not only cybersecurity solutions,
but technology solutions in general, this is a pretty critically important part of cybersecurity.
In other words, making things secure by design. So whether it is Internet of Things or artificial
intelligence or software or hardware, the design and develop category was renamed to reflect
that that really applies across all products and services and technology. Another example was just
changing the descriptions to be more consistent, so they follow the same kind of nomenclature to
operate and implement, oversee and govern, protect and defend, etc. That at the category level was done.
Similarly, at the work role level, which is kind of the next level of components,
renaming for consistency, but also removing things that may have sounded like job title.
A simple example is a system administrator, a previous work role,
is now called system administration.
And even though it may
directly correspond to the job title or the job of system administrator, we know in small
organizations, you might be doing multiple roles and you may not actually go by that title.
And then finally, the most significant and intensive changes were made to the actual
statements themselves, the thousands of task knowledge and skill statements that were updated to address a variety of grammatical redundancies
and other just corrections that need to be made to modernize the framework.
You know, I think it's fair to say that the NICE framework has really come a long way
since you all originally launched it. What do you think some of the ways are that this latest update
is going to impact the future of cybersecurity education
and workforce development?
Yeah, so I think in the beginning, in fact,
we even changed the name in 2020 to reflect that it was a framework
for cybersecurity, not just for the workforce
or not just for employers to use.
So in our 2020 revision, we really stress the fact that this is for education and training
providers, those that are providing credentials, as well as the learners themselves. And for us,
learners not only include students or maybe job or career seekers, but include employees who are
trying to develop themselves and perhaps increase their own credentials or their own knowledge and skills.
So changing the language to be more inclusive of the entire ecosystem was critically important.
And I think the more recent updates by trying to, again, standardize around some of the language and the details helps address that kind of comprehensive set of stakeholders.
Can we talk a little bit
about partnerships here and the organization's efforts to promote that? I'm thinking between
like academia and industry and government. I know partnerships between those groups is
something that's important to you and your colleagues.
Yeah, so we often talk about NICE
being a partnership of government, industry,
and academia. And so starting at the federal government, we certainly work closely with our
interagency partners, including organizations like the National Science Foundation or the
Department of Education, which are mostly supporting education and research. But we also
work with organizations like the Cybersecurity
Infrastructure Security Agency, Department of Defense, and others who have the workforce needs
that the NICE framework can help to build upon. And then there are other partners, whether they
be at the White House, the Office of Management and Budget, Office of Personnel Management,
that are helping to bring in the federal workforce that is needed in cybersecurity. But we don't limit our engagement to the federal government. We also work closely
with state governments, especially through associations and organizations like the
National Governors Association or the National Association of State CIOs or even the Multi-State
Information Sharing and Analysis Center. At the industry level, it's a little
more complicated because there's so many players and again, so many industries, both by sector,
the economy, as well as companies to work with. So once again, we try to leverage relationships
with organizations like the Small Business Administration or the Business Roundtable
that represents 250 of the largest employers in the country. And then just naturally,
the Department of Commerce has lots of relationships with small and medium businesses,
minority businesses, and others. And so we try to make sure we're inclusive in that industry
engagement. And at the academic level, it's a continuum from K-12 education to community
colleges to universities. And we have relationships,
in fact, we do events that target those populations. But specifically at the high school level,
you know, we work closely, again, with the Department of Education and its career technical
education programs of study. Many of those are also in partnership with community colleges
resulting in dual enrollment,
where students might receive a degree when they graduate from high school that's both a high school diploma and a community college degree.
And then at the university and community college level, a very close partnership with both NSA and CISA's National Centers of Academic Excellence in Cybersecurity.
Staying with academia, industry, and government here for the moment,
I'm curious, as this goes out in the world,
what are your expectations in terms of those different groups using this,
putting it to use, the differences between those verticals
and the similarities and the ways that they will approach this
and put it to good use?
Yeah, so the value of a standard
is that it becomes the standard
by which other organizations use it.
But we also have a set of principles and attributes
that we talk about in the NICE framework
that talks about flexibility and agility.
So we certainly expect other sectors
and maybe even individual
organizations, companies, or nonprofit organizations to have unique needs, either
work that doesn't exist elsewhere or maybe their own nuanced way of doing things.
We would hope that the NICE framework could be the North Star by which organizations are
oriented on themselves.
And if they have improvements or ways that the NICE framework is more effective,
maybe in their environment or maybe their sector,
that we would benefit from knowing about, we're very open and receptive to that type of feedback
because ultimately this is meant to be a national,
and I might add international, resource that's being used pretty heavily.
And anything we can do to improve it on behalf of the user community, we're more than welcome to learn about.
Can you share with us some of the specific ways that the NICE framework is being used in industry?
Yeah, so I think this is true of both industry and government or any enterprise.
But one basic way it can be used as a way to assess your workforce,
to identify those in your organization who are performing cybersecurity work roles.
And that allows you to take an inventory of what you currently have.
And then secondly, it leads to your ability to do a gap analysis to identify maybe areas
where you need more workers or where you have gaps that the NICE framework can help you fill.
So that cybersecurity workforce assessment is a really important first step.
Secondly, with respect to existing employees and their own professional development, the
NICE framework can allow you to take them from where they are and increase their proficiency
level either within their current work role or maybe for a new work
role or area that they want to advance into as part of their career advancement. And then finally,
certainly as a way to use it for recruitment and hiring to make sure as they're writing job
descriptions and position descriptions, they're really emphasizing the work to be done, what we
refer to as the task statements, and then the knowledge and skills,
or what might be thought of as the qualifications to do the work. And if we can begin to standardize
around job and position descriptions, not only does that help employers to have a better fit
for the candidates they're looking for, it actually helps the workers to be able to be more mobile.
And I know that may be controversial to some employers that don't want their employees to leave, but the reality is employees are moving from one
organization to another, even within the federal government, from one department and agency to
another. And having more standardized approaches to job descriptions, position descriptions,
helps with that mobility as well.
Rodney, I'm curious, as you and your colleagues have seen this through
and to the point of publishing this,
this 1.0 version here,
what does it feel like to have gone through this process
and then send it out into the world?
Well, of course, we're holding our breath
and waiting for the feedback,
even though we've done a pretty comprehensive job of requesting comments to draft versions of this.
We recognize that sometimes it's when the rubber meets the road that people start to test out and realize that there may be some things that we could further refine and improve.
So we're looking forward to that additional feedback as people start to test drive the new information.
But secondly, it's exciting because it puts behind us a very important kind of cleanup activity we've been working on for several years.
So we can focus more not only on the work that's needed here and now, but what's around
the corner.
And we know, again, in technology, there's going to be a lot of new work roles and a
lot of new tasks that need to be done and certainly knowledge and
skills that need to be developed. And we're excited to be able to turn our attention to
the future as much as cleaning up what we needed to correct from the past.
To wrap things up, we've got closing remarks from each of our guests.
One of the things that we are working with in order to be able to figure out how do we do that better,
a lot of it does come down to how do we get the data about who's using this and what kind of impact we're seeing.
We are partnering with organizations like CyberSeek.org, which is showing us data about hiring in the United States
and what kinds of positions are open and what kinds of gaps there are in cybersecurity profession.
And we're seeing a little bit of a positive movement there.
We're looking, though, as well at how do we align this
with other kinds of data resources?
So, for instance, in the end of last year,
we worked with the Office of the National Cyber Director
to hold a workshop around how to measure cybersecurity workforce and using the
NIST framework as part of that. And so we're looking at how do we improve those and continue
to do this. But a lot of it is also building up community. We have a NIST framework users group
where we hope to hear about what does work and what doesn't work.
One thing I would add is that
it's not just about the workforce framework that NIST and NICE is known for, but it's the other work,
the other body of work that NIST does regularly in cybersecurity. For example, just a couple weeks
ago, we announced a new version and update to the NIST cybersecurity framework. And quite frankly,
that is probably more well-known and more widely adopted by enterprises. But if enterprises are
using the NIST cybersecurity framework to address cybersecurity at their enterprises,
they might be addressing the why,
but now they need to go to the who.
Who is the workforce we need?
What knowledge and skills do they need?
How do we need to prepare them?
And how do we need to recruit and hire
to address what the NIST cybersecurity framework
might require us to do?
And that's just the tip of the iceberg.
We certainly have a risk management framework.
We have a secure software development framework
and many other resources that NIST produces.
So part of our aspiration is to more closely align
with existing NIST guidance and publications,
as well as guidance and publications that exist
outside of our own department and agency or that the private sector produces.
I think organizations could probably, will probably find or will certainly find value
by going to the NICE website.
And at the NICE website, you can actually start to pull a variety of resources that
can help you do a range of things, training
your organization. So they have a lot of free tools that are designed to help improve your
respective workforce, as well as the actual framework where you can begin to explore the
framework in an interactive way to understand where the gaps are in your organization and what capacity you need to
help fill those gaps to create sort of, you know, sort of strengthen the resiliency of
your organization to operate in sort of the cyberspace realm.
That is our special edition N2K CyberWire program.
Thank you all for joining us.
And thanks to our special guests, Brian Fonseca, Karen Wetzel, and Rodney Petersen for sharing their expertise and insights.
Remember, N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at N2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening.
We'll see you back here soon.