This is an important question for a number of reasons. Popular media often talk about the growing shortage of skilled cybersecurity workers needed to fill critical open positions both in government and the private sector. This is true, but employers need specific details on the work force so they can make informed decisions about whom to hire and potential employees need to know what to study to position themselves to be hired. The problems of a lack of common language and terms, a complex new field and the ever-changing technology that enables much of cybersecurity combine to make analysis of this work force particularly difficult.
For the past few years, the federal government, by way of its National Initiative for Cybersecurity Education (NICE), has been hard at work on these and many other issues related to cybersecurity education, training, awareness and work force development. A major achievement of NICE has been the creation of the National Cybersecurity Workforce Framework (NCWF). This document was developed to provide a common understanding of and lexicon for cybersecurity work. Defining the cybersecurity population consistently using standardized terms is an essential step in ensuring that our country is able to educate, recruit, train, develop and retain a highly qualified work force.
In designing the framework, “Categories” and “Specialty Areas” were used as organizational constructs to group similar types of work. The categories, serving as an overarching structure for the framework, group related specialty areas together. Within each specialty area, typical tasks and knowledge, skills and abilities are provided. In essence, specialty areas in a given category typically are more similar to one another than to specialty areas in other categories.
The intention of the NCWF is to describe cybersecurity work regardless of organizational structures, job titles or other potentially idiosyncratic conventions. For example, under this structure an individual may perform tasks in more than one specialty area or all of an individual’s work may fall within a single specialty area. Similarly, large agencies may have many individuals devoted to a single specialty area while smaller agencies may need individuals to cross multiple specialty areas. Within any given organization, the way these groupings are organized into positions, career fields or work roles depends on a number of factors, including organizational characteristics, constraints and mission. Thus, due to the variety of jobs, occupations, cultures and structures within any given agency or organization, there may not always be a one-to-one crosswalk of jobs or career fields to individual specialty areas.
Since this framework was published in 2012, it has received support from academia, the certification community, the private sector, and state and local governments. Through the Office of Personnel Management, the government has produced a set of data elements, adding them to established federal job series to indicate the amount and type of cybersecurity work done by the individual. A letter has gone out to all federal agencies to implement these data elements as soon as possible. Once this process is complete, the federal government will, for the first time, be able to obtain quickly detailed information on its cybersecurity work force. This baseline information is a necessary first step to begin any gap analysis and proper management of this critical sector of the work force.
From the beginning, the NCWF was envisioned as a living document. The rapid change occurring in the cybersecurity field demands that both workers and managers stay current on all the latest developments. The Department of Homeland Security is one of the major stakeholders and supports NICE. In its leadership role for cybersecurity work force development and training, the department has started the process of generating the next version of the framework. This process will take up to a year to complete and will involve experts from all sectors and comments from the general public. Regular revisions of the NCWF will occur every two to three years. It is expected that the general overall structure of the framework will remain largely intact while 5 percent to 10 percent of the details can change.
Effective cybersecurity management is essential to protecting our nation’s technology infrastructure. The professionals accountable for this protection constitute a critical work force. Until now, there has been little consistency in terms of how cybersecurity work is defined and categorized, who is responsible for the work and what skill sets are needed to perform successfully. Even within organizations, individuals performing cybersecurity work are difficult to identify, locate and quantify. As a nation, we must establish consistency in how the cybersecurity work force is defined and classified.
Dr. McDuffie leads the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology. Other notable achievements include appointment as the associate director of the National Coordination Office (NCO) for Networking and Information Technology Research and Development and serving as acting director of the NCO. Prior to joining that office, McDuffie served as the deputy director of the Office of Naval Research–Science and Technology for America’s Readiness (N-STAR) Initiative.