Training & Awareness

NIST Publishes Cybersecurity Workforce Framework

NIST Proposes Ways for Organizations to Improve How to Identify, Recruit, Develop, and Retain Cybersecurity Talent

NIST Proposes Ways for Organizations to Improve How to Identify, Recruit, Develop, and Retain Cybersecurity Talent

The National Institute of Standards and Technology (NIST) has published a cybersecurity workforce framework (PDF) to support organizations’ ability to develop and maintain an effective cybersecurity workforce. The framework defines roles; necessary knowledge, skills and abilities (KSAs) for those roles; and a common lexicon to clarify communication between cybersecurity educators, trainers/certifiers, employers, and employees. It is intended to help employers develop their existing workforce, and academic institutions prepare the future workforce in a consistent manner.

Like all frameworks, it will benefit some organizations who use it, and be ignored by others. One security leader who can see potential benefits is Martin Zinaich, information security officer with the City of Tampa. In 2015, he compared the current state of cybersecurity to the slow descent and ultimate crash of Eastern Air Lines Flight 401 in 1972 — the crew simply had insufficient awareness of what was serious and what was not so serious.

In his paper, he wrote, “National Research Council in its report, ‘Professionalizing the Nation’s Cybersecurity Workforce Criteria for Decision-making’ (2013) stated that cybersecurity is still too new a field in which to introduce professionalization standards for its practitioners.”

“Yet here we are a mere 4 years later,” he told SecurityWeek, “and NIST is actually proposing educational workforce standards. We’re slowly getting there,” he added.

The NIST framework defines seven primary security workforce categories: Securely Provision; Operate and Maintain; Oversee and Govern; Protect and Defend; Analyze; Collect and Operate; and Investigate. For some, this compartmentalism is a strength; for others, it is a potential concern.

Steve Durbin, managing director of the Information Security Forum (ISF), comments, “Although the size of the information security workforce in an organization is expected to increase by more than a quarter in the next two years (according to recent ISF research), in some organizations additional staff will not be affordable. The Framework,” he believes, “may further help business leaders produce retraining and ambassadorial opportunities for existing staff, in information security and beyond which will go some way to plugging what is an ever-growing skills gap in an affordable manner.”

Nathan Wenzler, chief security strategist at AsTech, is not so confident. He believes it might work in a “heavily structured and siloed environment, such as the Federal government. But,” he told SecurityWeek, “for the vast majority of organizations which are already struggling to find qualified cyber security professionals, it may work against them as more and more people are brought up through this Framework and are only adept at a single specialty. Most organizations need much more flexibility from their security personnel.”

Steven Lentz, CSO and director of information security at Samsung Research America, has similar concerns. “The Cybersecurity Workforce Framework is a good idea, but in reality, will companies use or pay attention to it — that is the real question,” he said.

Lentz believes that its effectiveness will depend on its reception by the existing security training companies. “How will the current security training certification sites be affected — such as ISC2, ISACA, SANS and others? Will they participate and help develop and guide the NIST initiative, or look at it as an alternative that may not go far enough — or as a government alternative? We all need to keep up with training,” he added, “but the training partners need to work together in order for us practitioners to become stronger.”

There are other practitioners with even greater concerns. One is Chris Roberts, chief security architect at Acalvio. “I’m not a fan of certificates, of degrees and of any of the formal training,” he told SecurityWeek. “I came out of a different era, not quite the novice/apprenticeship time, but not far after it. I learned on the job and was fortunate to have some amazing mentors and a thirst for knowledge. That path does not work for everyone. We need to accommodate that in a better manner than I see here. I do not subscribe to ‘you can only be a professional if you have a degree’. That’s bullshit logic that is broken by so many people in the world that it needs to be banned. I do subscribe to the fact we are all individuals and this industry has been good at accommodating that and understanding that many in this field don’t subscribe to mainstream education.”

He may be fighting a losing battle. As any system matures, control becomes centralized. Individual bank managers can no longer decide on loans — the decision is controlled by the central office algorithm. Chain store managers can rarely choose what they stock — again it is controlled centrally. Political control invariably moves to the center. The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework may be another example of that centralization, currently in the form of guidance and assistance, but ultimately in the form of insistence. It will work for some, but not for others.

Steve Durbin has few doubts. “Some might say the Framework is too simplistic or too little too late but faced with the levels of shortage that many are predicting, this will at least provide organizations with guidance through what can be a very daunting process to attract and retain the right level of cyber skills.”
