21 Nov

Federal Framework Tries to Define, Standardize Security Specialties

Posted by John Hazard
John Hazard is a reporter and editor covering technology and legal issues. He is
in General


The IT security pros tasked with building and manning the nation's cyberdefenses are a motley bunch. Across IT organizations, security pros work with assorted skill sets, varied levels of education and a rainbow of titles, roles and responsibilities.

Now, a federal initiative has declared that patchwork of a profession a threat to the nation's security and, last week, released a draft of professional standards to enforce consistency across the profession.

The Cybersecurity Workforce Framework, released for public comment Nov. 9, 2011, by the National Initiative on Cybersecurity Education (NICE), an interagency program coordinated by the National Institute of Standards and Technology, organizes security jobs into specific areas and includes the responsibilities and required skills for each.

"Other professions have organized their specialties, and now it is time for a common set of definitions for the cybersecurity workforce," NICE Lead Ernest McDuffie said in a prepared statement.

According to the framework:

Today, there is little consistency in how cybersecurity work is defined or described throughout the federal government and the nation. The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals hinders our nation's ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current work force and prepare the pipeline of future talent. ... 

 

Specialties

The framework organizes jobs into seven categories based on roles and work that share common functions:

  • Securely provision — workers who conceptualize, design and build secure IT systems.
  • Operate and maintain — workers who provide support, administration and maintenance necessary to ensure effective and efficient IT system performance and security.
  • Protect and defend — workers who identify, analyze and mitigate threats to internal IT systems or networks.
  • Investigate — workers who investigate cyber events and/or crimes of IT systems, networks and digital evidence.
  • Operate and collect — workers who collect cyber security information to be used in developing intelligence.
  • Analyze — those workers responsible for specialized review and evaluation of incoming cyber security information to determine its usefulness for intelligence.
  • Support — workers who provide support so that others may effectively conduct cyber security work.

(Government Computer News offers more on the security specialties included in each category.)

The framework was established with a particular interest in defining and labeling the IT security pros in the federal workforce. "Cybersecurity professionals previously have not fit into the standard occupations, job titles, position descriptions and the federal job classification and job grading system managed by the Office of Personnel Management (OPM)," said the statement from NICE. But it was designed to be easily applied to the private sector, said NextGov's Wired Workplace.

In August, NICE issued a roadmap to develop a national cyber security work force.

The comment and feedback period for the federal framework runs through Dec. 16.

A Flatter, Safer World

If the framework proliferates, it could flatten the world for IT security pros and help the profession flourish across verticals. The current situation, where a security analyst in one organization looks very different from the security analyst in another, or the same job goes by different names, makes lateral hires difficult, especially across industries.

Creating a standard of skills, roles and titles will free security pros from their employers and verticals and give them more employee leverage and job security.

As for the organizations, all will benefit from the professionalization of specialties, where standards can be applied and employee performance can be measured.

As a tangential benefit, formalizing a system of specialists may decrease the reliance on security generalists, which is likely to expand the security workforce and encourage best practices in each specialty.
