Industry insights

Close Your Skills Gap: Putting the NICE Workforce Framework for Cybersecurity to Work

January 14, 2021 by Ian Palmer

If you’re looking for a blueprint that classifies, manages and explains cybersecurity work, the National Initiative for Cybersecurity Education (NICE) has the answer you’re looking for.

As demand for skilled cybersecurity professionals continues growing, the ability to better identify, recruit, develop and retain your employees is a critical advantage. One way for your organization to accomplish this is through NICE’s Workforce Framework for Cybersecurity.

In a recent podcast entitled “Close Your Skills Gap: Putting the NICE Workforce Framework for Cybersecurity to Work”, moderator Megan Sawle was joined by two infosec professionals. Danielle Santos, program manager for NICE, and Leo Van Duyn, cybersecurity and technology workforce development strategist for JPMorgan Chase & Co., weighed in on the issue and explained how to provide role-based training and develop custom role profiles to match your company’s needs.

How JPMorgan Chase uses the NICE framework to build custom work roles

NICE Framework goals

According to Santos, one of the objectives of the NICE Framework is to assist organizations in hiring, training and holding onto their cybersecurity staff.

“But it also helps learners, and when we talk about learners, we’re referring to anyone who’s in that learning life cycle, whether it be students or job seekers or even current employees,” says Santos, who adds that the four attributes of a NICE Framework are agility, flexibility, interoperability and modularity.

“Every day, there’s a new threat vulnerability tool introduced, and so the framework really takes an agile approach and creates these building blocks that can be flexible enough to address that ever-changing ecosystem. And that’s actually the second attribute is flexibility, depending on an organization’s size, scope, what sector they’re in, their workforces are going to differ.

Van Duyn acknowledges that the NICE Framework is relatively new. In fact, he says JPMorgan Chase & Co has been using it for, at most, a year and a half. He says one of the things his organization liked about the blueprint right away was that it provided a solid starting point for figuring out what was required as per specific cybersecurity roles.

“What that allowed us to do was then expand upon that and describe the different functions that we had within our organization and align them with the expectations for that particular role,” he says. “By doing that, we were then able to collect the employee data to better understand where they fit within their current position.

“Once we have that profile, it really then allows you to start doing a gap analysis as to where people are proficient within their current job function and where they need assistance or development efforts. It’s a really unique way of looking at data, to start coming up with different learning plans and projecting your learning budget for your organization, whether it’s a particular business unit, or an entire company. So, it really gives you a unique, data-driven perspective to understand your human capital.” 

Difference between tasks, knowledge and skills

Asked by the moderator to explain the relationship among task, knowledge and skills in the context of the NICE Framework, Santos points to a graphic that was created by one of the co-authors of the NICE Framework.

“On the right-hand side, we have knowledge and skills,” she says. “And knowledge and skill statements are probably the lowest-level building blocks. They’re the start. And this is what describes the learner. Describing the learner, we have knowledge, which we define as a retrievable set of concepts within memory. So think, for instance, knowledge of penetrating tools and techniques. In addition to knowledge, we have skills. And skills are the capacity to perform an observable action. So think, for instance, a skill in using social engineering techniques. Together these knowledge and skills make up tasks.” 

Tasks, she adds, describe the work being completed rather than the person doing the work. As well, tasks are activities designed to accomplish a specific objective or outcome.

“This is what the workplace managers will build depending on their needs or the objectives for their organization … So together knowledge and skills build tasks which then get into work roles and work roles describe the work being done. The work roles are not job titles but rather can be [used to] to create job roles, job functions.”

JPMorgan Chase first adopted the NICE Framework prior to the rollout of the blueprint’s 52 identified work roles. So the company worked with competencies allowing them to focus on logical modular parts that made sense for a position.

“The strength of the framework is the ability to manipulate it until you see the use case that describes what you’re trying to accomplish,” says Van Duyn. “The competencies are great pivot points. They’re a good anchor point into learning systems, into certifications, into your work role. So they allow you a good way to pivot from one resource to another, while still maintaining interconnectivity between systems.

Creating custom role profiles

So how can businesses actually use this resource to, for example, structure their own cybersecurity rules and teams?

Van Duyn has actually constructed a pivot table tool that he uses to build out custom roles. And he also has some advice for organizations that are pondering whether to use one of the existing work roles within the NICE Framework or to start from scratch and build their own.

“At the end of the day, if you create roles that use a common taxonomy approach, and you establish your baselines for proficiency expectations, you can begin gathering your employee input,” he says. “And that allows for a lot of creative and interesting ways to deal with that data. The first thing is how do you create learning plans based on that date, and the second thing is can you use it to express mobility options to your employees based on their profile.

Those two things right there are extremely interesting to companies as they try and keep employees around and have them have second, third, and fourth careers within the company, so that they can continue to develop and continue educating themselves. Then, once you have those profiles established, you can use that to start informing your learning strategy goals for a particular role, or even an organization, if you need to.

You can hear more about changes to the NICE Cybersecurity Workforce Framework in 2021 and other topics in the full video

Posted: January 14, 2021
Ian Palmer
View Profile

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and