Changing threats require changing cybersecurity roles
There was a time when the title "cybersecurity expert" meant something. But as the ecosystem of cybersecurity careers has expanded, that term could mean just about anything. Today, that expert could be a jack-of-all-trades or specialize in one of the growing number of newer cyber specialties, such as threat hunter, penetration tester, or incident responder.
Federal agencies, like commercial companies, clearly understand that the field of cybersecurity has changed and expanded, and are doing their best to change with it. The Federal Cybersecurity Workforce Assessment Act aims to reclassify cybersecurity roles, while the DoD Cyber Workforce Framework focuses on doing the same for Defense agencies.
For example, the Department of Homeland Security's Cybersecurity Strategy breaks down its approach into five pillars:
- Risk Identification
- Vulnerability Reduction
- Threat Reduction
- Consequence Mitigation
- Cybersecurity Outcomes
Each of those areas requires staff with different skills, playing different roles.
NICE Cybersecurity Workforce Framework
To help create a common language for describing different types of cybersecurity workers and work, the National Institute of Standards and Technology (NIST) has published the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NICE splits work roles into several categories, including:
- Collect and Operate
- Operate and Maintain
- Oversee and Govern
- Protect and Defend
- Securely Provision
Each of those categories is then broken down further. For example, Protect and Defend includes:
- Cyber Defense Analysis
- Cyber Defense Infrastructure Support
- Incident Response
- Vulnerability Assessment and Management
NICE at Leidos
Leidos, which employs 1,100 cyber professionals, used the NICE Cybersecurity Workforce Framework to redefine cyber roles within the company. As a result, we identified 27 different work roles grouped into five domains:
- Cyber operations
- Information assurance
- Cyber research and development
- Security architecture
Those domains and work roles were then divided further into more than 1,300 definitions of knowledge, skills, and abilities in the cyber arena. We then went even further, defining more than 7,200 proficiency levels. "That allows us, at a very atomic level for each person, to define both skill capabilities and gaps. With that information, we can then align them to individualized training plans and help them achieve both horizontal and vertical career growth," explains Bill Brennan, senior director for cyber business enablement at Leidos, Corporate Information Security.
Before undertaking this effort, the idea of horizontal movement or transitioning skills between work roles was very nebulous, he adds. "At a very discrete level, we can now say, 'If you have this level of proficiency or these skills, you are 70 percent qualified already, and there are multiple paths to get to 100 percent – including mentoring, on-the-job training and independent or facilitated learning.'"
No Degree Required
In addition to recategorizing cyber roles and skills, we also changed the requirements for getting hired for cybersecurity roles. One of the most significant changes was removing degree requirements from the entire cyber workforce. While it may seem radical, Brennan says that it allows Leidos to attract skilled workers who may be transitioning out of the military, or who have skill sets that can be applied to the cyber domain.
"What we are looking for are employees who understand the way we do cyber and will stick around for the long term," Brennan explains.
Iterate on Roles and Workforce Plans
While implementing a framework like NICE can help organizations more effectively define cyber domains and roles, putting those changes into practice can be challenging. Meghan Good, a Solution Architect and Technical Fellow for Leidos' cyber operations and threat analysis efforts, recommends narrowing the universe of cyber roles defined by the framework down to the most important, at least at first.
"Starting with the areas where your agency expects to grow or roles that will make the biggest impact can help you direct your energy," Good says. "You'll eventually get to the other roles, but that's a way to start without feeling overwhelmed."
From that point, it is important to continually evaluate your performance in recruiting and retaining your workforce. Set aside training dollars so your staff are continually growing as the market demands. Use a job architecture to demonstrate to staff the potential for both vertical and horizontal growth. Create opportunities for staff to shadow someone in their next intended role and learn if it is the right fit.
Finally, use your staff to help anticipate future needs and changes in the workforce. One example at Leidos is our increasing reliance on cyber operations staff for automation and machine-aided investigations.
"Knowing where technology will lead you and having a workforce plan to meet or beat that journey is critical," Brennan says.