The IT security pros tasked with building and manning the nation's cyberdefenses are a motley bunch. Across IT organizations, security pros work with assorted skill sets, varied levels of education and a rainbow of titles, roles and responsibilities.
Now, a federal initiative has declared that patchwork of a profession a threat to the nation's security and, last week, released a draft of professional standards to enforce consistency across the profession.
The Cybersecurity Workforce Framework, released for public comment Nov. 9, 2011, by the National Initiative on Cybersecurity Education (NICE), an interagency program coordinated by the National Institute of Standards and Technology, organizes security jobs into specific areas and includes the responsibilities and required skills for each.
"Other professions have organized their specialties, and now it is time for a common set of definitions for the cybersecurity workforce," NICE Lead Ernest McDuffie said in a prepared statement.
According to the framework:
Today, there is little consistency in how cybersecurity work is defined or described throughout the federal government and the nation. The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals hinders our nation's ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current work force and prepare the pipeline of future talent. ...
The framework organizes jobs into seven categories based on roles and work that share common functions:
(Government Computer News offers more on the security specialties included in each category.)
The framework was established with a particular interest in defining and labeling the IT security pros in the federal workforce. "Cybersecurity professionals previously have not fit into the standard occupations, job titles, position descriptions and the federal job classification and job grading system managed by the Office of Personnel Management (OPM)," said the statement from NICE. But it was designed to be easily applied to the private sector, said NextGov's Wired Workplace.
The comment and feedback period for the federal framework runs through Dec. 16.
If the framework proliferates, it could flatten the world for IT security pros and help the profession flourish across verticals. The current situation, where a security analyst in one organization looks very different from the security analyst in another, or the same job goes by different names, makes lateral hires difficult, especially across industries.
Creating a standard of skills, roles and titles will free security pros from their employers and verticals and give them more employee leverage and job security.
As for the organizations, all will benefit from the professionalization of specialties, where standards can be applied and employee performance can be measured.
As a tangential benefit, formalizing a system of specialists may decrease the reliance on security generalists, which is likely to expand the security workforce and encourage best practices in each specialty.