
CSIAC

Cyber Security and Information Systems Information Analysis Center


Cultivating Cybersecurity Talent Internally

Posted: 10/08/2018

As the number of unprecedented cyberthreats continues to rise, the demand for cybersecurity professionals continues to surge in both the public and private sectors. Unfortunately, the supply of cybersecurity professionals is not in equilibrium with that demand. If you were to view any ‘top 10’ jobs list, ‘cybersecurity’ will most likely rank high, perhaps even in the top 5. But why is cybersecurity so hot? What makes any job hot? High salary? Great benefits? How about incredible opportunities for career growth and world-wide job stability? In a growing industry with a rapidly increasing job market, the cybersecurity field offers a diverse range of job prospects with considerably above-normal salaries. However, despite these intrinsic career benefits and the ever-expanding scope of cybersecurity, headlines repeatedly report a shortage of qualified job candidates, which ultimately results in a lack of resources to face an evolving cyber threat landscape. In response, more and more universities and colleges are doing their part, providing a variety of new cybersecurity degrees from coast to coast – both traditional and online programs. But it’s not enough. The candidate shortage continues, leaving resourceful organizations to consider recruiting and training potential ‘untapped’ talent pools within their own organizations.

The cybersecurity workforce is the focus of a recent Forbes study that reports 40,000 information security analyst positions and 200,000 other cybersecurity roles go unfilled every year in the US. With current talent deficits like these, the likelihood of employers adequately staffing a cybersecurity workforce into the near future appears bleak. [1]

In fact, the data aggregator Cybersecurity Ventures, which synthesizes dozens of employment and industry sources globally, predicts 3.5 million cybersecurity positions will go unfilled by 2021. This figure is even more striking when compared to their accompanying estimate that cybercrime in 2021 will cost businesses globally more than $6 trillion annually (a 100% increase from $3 trillion in 2015). [2]

“New collar” internal candidates

Some forward-thinking organizations are answering this immense need for current and future qualified cybersecurity talent by cultivating cybersecurity talent internally. For instance, IBM focuses on capabilities, not degrees, reports one IBM spokesperson. “If you’ve got the right skills, there’s a career for you at today’s IBM.” Indeed, candidates that fit this new perspective are termed “new collar” candidates. The spokesperson explains, “New collar candidates who lack four-year degrees accounted for 15% of the company’s US hiring in 2017.  That has allowed the company to pick from a diverse pool of candidates, many of whom would not be considered by other companies.” [3]

Taking matters internally could be a strategic move for other companies as well. In fact, doing so could give employers who already boast diverse employee training resources – such as onsite classrooms, computer-based training, and job shadowing programs – a real advantage. According to a 2007 study published by Human Resources Development Quarterly, which examined the relationship between job satisfaction and workplace training, training conducted using methods most preferred by employees led to greater overall job satisfaction. Significantly, employees in the study had a variety of training preferences, indicating that diversity in training delivery methods is a desirable feature for workplace training. [4]

Cybersecurity training – no lack of offerings

Making the most of existing internal training resources is a great idea for many reasons. However, cybersecurity training content is highly specialized, and the quickest route to such specialized content may be through third-party training providers. Although the field of cybersecurity is relatively new and evolving, there is no lack of so-called “gurus” and “qualified training providers” hawking a multitude of certifications and other expensive training programs to an eager corporate community.

So how does an employer sift through a sea of such offerings to ensure their training dollars are wisely invested?  How do they identify the best internal candidates to develop? And how do they develop training roadmaps to ensure the right skills are developed, and career development paths exist?

NICE answers for developing a cybersecurity workforce

The answers to identifying and developing a cybersecurity workforce can be found within the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework).  This Framework emerged as a special initiative of the Comprehensive National Cybersecurity Initiative (CNCI), to develop a skilled cyber workforce of people with necessary knowledge and skills.

According to the National Institute of Standards and Technology (NIST), NICE can help “identify training and qualification requirements to develop critical Knowledge, Skills, and Abilities (KSAs) to perform cybersecurity Tasks” for over fifty common work roles. To accomplish this comprehensive goal, NICE contains seven cybersecurity categories, each comprising a varying number of specialty areas. [5]

Additionally, as of July 6, 2018, NICE now offers Capability Indicators for entry level, intermediate, and advanced job levels. These are the combination of education, certification, training, experiential learning, and continuous learning attributes that could indicate a greater likelihood of a candidate’s ability to perform a given cybersecurity work role. In fact, Tasks, KSAs, and Capability Indicators for each job role are easily accessed online via an interactive framework tool provided by the National Initiative for Cybersecurity Careers and Studies (NICCS), the organization best known for connecting government employees, military, students, educators, and industry with cybersecurity training providers across the country. [6]

Impressively, Capability Indicators are the result of many years of extensive analyses validated by the Department of Homeland Security (DHS) and the Office of the Secretary of Defense (OSD), with focus group participation from across the US, including private industry, academia, and government.

For first-hand experience with the interactive components of the online NICE tool provided by NICCS, go to https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework and select the first category, ‘Analyze,’ from the colorful menu presented (see Figure 1).

Figure 1 – https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework

When selected, the Analyze category displays six specialty areas as a drop-down menu. Select the last specialty area, ‘Threat Analysis,’ and cybersecurity workforce information for its one related work role, ‘Threat/Warning Analyst (AN-TWA-001),’ is presented. The role’s full complement of Tasks, Capability Indicators, and KSAs is shown, along with a listing of ‘Related Courses,’ which provides recommended training options.

Note that Related Courses are aligned to the extensive NICCS Education and Training Catalog, which features over 3,000 NICCS-vetted courses from industry-leading training providers. An extra feature is a US map search tool which can quickly locate a variety of nearby training offerings (see Figure 2).

Figure 2 – https://niccs.us-cert.gov

NICE implementation

In August of last year, Virginia became the first US state to formally adopt NICE for its cybersecurity training and hiring efforts. At that time, former Virginia Governor Terry McAuliffe explained, “Adding this framework to our current efforts led by the Secretaries of Technology, Education, Commerce and Trade, and Administration will strengthen the commonwealth’s ability to address the high demand for skilled cyber security professionals and enhance our position as a global leader in cyber security.” He added, “Virginia has one of the highest concentrations of cyber professionals in the country, but we need to continue to evolve our workforce education and training efforts to support Virginia’s businesses as they work to meet the challenges of data security and integrity and thwart compromising cyberattacks.” [7]

Summary

So, while leading studies may show demand for cybersecurity job candidates is far out-pacing supply today and into the near future, as Einstein said, “in the middle of difficulty lies opportunity.” Several years in the making, the NICE Framework represents a valuable opportunity for savvy employers – whether in private, public, or academic organizations – to identify capabilities required for internal training candidates and understand qualifications for over fifty cybersecurity job roles at all levels of experience.
Indeed, pairing the NICE Framework with existing internal training resources could bridge the gap between great idea and more immediate, viable solution for employers seeking to cultivate internal cybersecurity talent while leveraging current training investments. (To learn more about the NICE Framework visit the NICCS web link included in the body of this article, or visit: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework.)

References

  1. J. Kauflin. (2017) The Fast-Growing Job With A Huge Skills Gap: Cyber Security. Forbes Staff. Online. Available: https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#5dcd91035163
  2. S. Morgan. (2017) Cybersecurity Jobs Report 2018-2021. Online. Available: https://cybersecurityventures.com/jobs/
  3. D. Kline. (2018) Tech Giant Follows a Different Path to Filling Open Jobs. Online. Available: https://www.fool.com/careers/2018/07/09/tech-giant-follows-a-different-path-to-filling-ope.aspx
  4. S. Schmidt. (2007) The Relationship Between Satisfaction with Workplace Training and Overall Job Satisfaction. Online. Available: https://scholarworks.iupui.edu/bitstream/handle/1805/276/Schmidt.pdf
  5. National Institute of Standards and Technology (NIST). (2017) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, SP 800-181. Online. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf
  6. National Initiative for Cybersecurity Careers and Studies (NICCS). Online. Available: https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework
  7. CISO Mag. (2017) Virginia adopts NICE Cybersecurity Workforce Framework. Online. Available: https://www.cisomag.com/virginia-adopts-nice-cybersecurity-workforce-framework/

Author

M. G. Cole
M. G. Cole is a cybersecurity analyst (CISSP, CSSLP) specializing in cybersecurity governance, risk, and compliance (GRC). With 22 years of combined experience in information security and technology, she is a committed life-long learner and understands the importance continual education plays in career development.

Technology Areas: Cybersecurity, Knowledge Management Tags: Cyber Workforce, Cybersecurity Training
