How to Align Training With the NIST NICE Framework
The talent gap in the cybersecurity workforce has been widening every year. In 2018, (ISC)2 estimated the shortage at 2.93 million cybersecurity professionals globally, with more than 60 percent of organizations needing more staff. It’s a significant increase from previous (ISC)2 security workforce studies — the 2017 report forecast a 1.8 million gap by 2022, which was a 20 percent increase since 2015.
Despite this growing need, employers are struggling to find qualified candidates and to link job candidates’ skills with operational needs. The National Initiative for Cybersecurity Education (NICE) Framework aims to provide a common lexicon that helps U.S. employers assess their workforce, while at the same time helping cybersecurity workers understand the knowledge, skills and abilities they need to launch and advance their careers.
If you’re seeking cybersecurity training, it’s a good idea to familiarize yourself with NICE and understand how your training aligns with it. While NICE is still new as of 2019, government agencies outside of the federal government have started to adopt this framework. And since the private sector and academia helped develop it, it’s likely that many private employers will also start using it as a workforce recruitment and retention tool.
What Is the NIST NICE Framework?
Developed by the National Institute of Standards and Technology (NIST), the NICE Cybersecurity Workforce Framework was the result of a 2017 presidential executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The massive 2014 breach of the U.S. Office of Personnel Management underscored the need for federal cybersecurity improvements. The idea behind the NICE national initiative, however, is to strengthen security not only within the government but also in the private sector.
The NICE Framework is similar to another set of guidelines whose goal is to help address cybersecurity risks: the NIST cybersecurity framework, which provides a set of best practices across all industries. Although the NIST cybersecurity framework is voluntary outside of the federal government, many organizations in the private sector have implemented it at least partially. Expect to see similar adoption patterns for NICE.
The NIST NICE Framework organizes the workforce into seven categories:
- Securely provision
- Operate and maintain
- Oversee and govern
- Protect and defend
- Analyze
- Collect and operate
- Investigate
What Training Is Needed for the NIST NICE Framework?
Cybersecurity education and training vary widely depending on which technical standards you are trying to learn. The NICE Framework is comprehensive: it breaks the seven categories listed above down into 33 specialty areas. These specialties range from threat analysis, cyber operations and systems administration to risk management, incident response and software development. The framework also describes the knowledge, skills and abilities required to perform 52 different security work roles.
The specialty area you are targeting determines what kind of training you need. Organizations offering cybersecurity education that aligns with NICE should provide you with a map to help you navigate the specific courses and certifications available.
How to Find Training for the NIST NICE Framework
The NICE Framework provides a reference for cybersecurity educators to develop academic degrees, training programs and certifications. Many programs that cybersecurity education organizations have in their curriculum already align with different areas of NICE. Those that have adopted NICE offer a roadmap showing how their training supports the specific NICE categories or specialties.
As an example of how this roadmapping works, you can download a spreadsheet from NIST that maps certifications from a variety of vendors to each of the 33 specialty areas. The list includes nearly 120 different certifications.
Another example is CompTIA, which offers popular certifications like Network+, Security+ and CASP+ (CompTIA Advanced Security Practitioner). The Network+ cert maps to 10 NICE specialties, including digital forensics, network services and system administration. Security+ maps to 11 specialties that range from computer network defense analysis to information assurance compliance.
Certifications vs. Skills and Knowledge for NIST NICE Framework
Is a NICE Framework-aligned certification worth the investment? It depends on your objectives. You need education or training to enter the cybersecurity industry, and you typically need professional certifications to advance. You can acquire much of the knowledge, skills and abilities (KSAs) outlined in the NIST NICE Framework by working in the field. But while field experience may be the best way to develop your career, employers usually want some other kind of concrete proof.
Professional certifications from well-known, accredited institutions that are respected in the cybersecurity field have several advantages:
- Giving you hands-on training or at least performance-based assessments
- Validating your KSAs to prospective employers
- Keeping you abreast of the latest best practices and trends via a credential renewal requirement
According to stats compiled by NIST:
- There’s nearly a 12 percent salary difference between certified and noncertified IT staff; those with an advanced certification like CISSP (Certified Information Systems Security Professional) earn 26 percent more, and those with an expert-level cert like CISM (Certified Information Security Manager), 45 percent more
- IT practitioners hold an average of three certifications
- In 2018, there were more than 200,000 job openings that required certs like Security+, GIAC and CISM
How to Find Training for Uncommon Cybersecurity Skills
Certification programs often focus on highly technical KSAs, which, of course, are critical to every role. Cybersecurity professionals looking to advance to high-level roles such as information systems security manager — or all the way to the top as a chief information security officer — will also need nontechnical, or soft, skills, along with a more comprehensive understanding of the industry.
At this level, you will most likely need a bachelor’s degree or even master’s degree from an accredited college or university. The NICE Framework also applies to higher education institutions, and if you pursue a degree from one that has adopted NICE, you’ll get a consistent pathway. While you don’t necessarily need a college degree before you enter the field, if your end goal is to go as high as you can, you may want to consider starting there first and then adding certifications. Professional certs (except for the entry-level ones) typically require some experience in the field, so keep that in mind as you’re creating your roadmap.
Sources
- Global Cybersecurity Workforce Shortage to Reach 1.8 Million as Threats Loom Larger and Stakes Rise Higher, (ISC)2
- Report Finds Cybersecurity Workforce Gap Has Increased to More Than 2.9 Million Globally, (ISC)2
- The Bleak State of Federal Government Cybersecurity, Wired
- Virginia Adopts Cybersecurity Framework to Get Everyone Speaking the Same Language, StateScoop
- Cybersecurity Certification and NICE Framework Mapping Matrix, NIST
- NICE Map Online, CompTIA
- NICE Cybersecurity Workforce Framework, NIST