A proposed cybersecurity workforce framework by NICE represents a consensus of government thought on how best to define IT jobs, skills and tasks. While these definitions don't need to be agreed upon and followed by all, NICE's Ernest McDuffie says, the framework can serve as a helpful tool for organizations that may need assistance deciding what competencies are relevant for their enterprise.
"The goal here is for this to be a living document that ... would help the entire field as a whole to have these well-defined competencies laid out to have as many people as possible mapped to them in terms of training and curriculum development and academia," McDuffie, lead of the interagency National Initiative for Cybersecurity Education, says in an interviewwith Information Security Media Group's Eric Chabrow (transcript below).
Ultimately, McDuffie says, the framework is intended to be a guideline to aid organizations that are trying to make decisions on how to invest in cybersecurity (see 7 Key Infosec Occupation Categories).
"How do you measure the amount of money and funds that are being spent on this kind of nebulous enterprise of security in cyberspace," he says. "What all goes into that, and how do you make some kind of return-on-investment calculation?"
McDuffie, in the interview, discusses how the framework:
- Can serve as a guideline to measure IT security investments.
- Will evolve over the years as cybersecurity challenges evolve.
- Could be used by individuals to map out their IT security careers.
Before being tapped last year to lead NICE, McDuffie served as associate director of the National Coordination Office for Networking and Information Technology Research and Development, a federal agency that supports the planning, budget and assessment activities for advanced information technologies such as computing, networking and software.
McDuffie received his Ph.D. and master degree in computer science from the Florida Institute of Technology.
NICE: Fed's Cyber Education Initiative
ERIC CHABROW: First off, please take a few moments to tell us a bit about NICE?
ERNEST MCDUFFIE: The previous administration started a thing called CNCI, Comprehensive National Cybersecurity Initiative. That was a federally focused, mostly classified, internally looking activity that was looking at all things cyber across the federal government. When the new administration came on board, it looked at that program and liked what it saw. They liked it so much in fact that it felt it needed to be expanded. It turned into a national initiative instead of an internal, federally focused one. Certainly all the things that we were doing internally we continue. Now we're just broadening them to take in the rest of country as well. There were 12 initiatives under CNCI. Initiative eight was the education initiative. NICE has inherited all things that were under CNCI 8, and the name reflects that it's turned it into a national initiative now for cybersecurity education. You want to take the word education very broadly because in fact we're interested in more than just formal education. We're also interested in cybersecurity awareness, the workforce structure, training and the professionalization of the workforce as well.
Cybersecurity Workforce Framework
CHABROW: I looked over the framework and it's quite impressive. I haven't seen such a detailed description of IT security job skills and responsibilities almost anywhere. What is the objective of the draft document and what should it lead to?
MCDUFFIE: There were a couple of objectives. Those listeners who are familiar with what's been happening inside federal government for the past few years ... have been aware that there has been a number of surveys, workshops, study groups that are focused on the workforce, trying to define what the workforce is for specific agents. There have been efforts headed up by the Office of Personnel Management, the Federal CIO Council and the Department of Defense, just to name a few. Those three groups were probably the major efforts that have gone on over the last couple of years.
What we discovered when we stood up NICE and started looking at all these different activities was that there was a certain amount of confusion among the federal workforce as to just how all these different studies would play off each other and work together. Fortunately for us, because of our broad mandate, we thought it was appropriate to take a look at all the relative studies and try to bring them together under one rubric if you will to capture the essence of what was happening in all those different works. Fortunately also, the leadership team underneath me that worked on the different component areas actually represented individuals that were part of each of those different studies that had hands-on experience with what actually went on. So it was very easy for us to contact the relevant groups and agencies and tell them what we were about and what we were trying to do, and have their buy-in on us bringing all those documents and information together under one rubric, if you will. This is the result of that.
In a sense, every study that you've seen before, every survey that a federal employee has taken before, your responses and the work that went on is reflected within this document. Now the purpose moving forward then, the intent is [for it] to be a living document that not only captures the Department of Defense flavor or the intelligence community flavor, or the federal government flavor in general, but is also responsive to outside the federal government workforce issues. Everybody knows the private sector represents 85 percent of the critical infrastructure in this country and they certainly have a key role to play in terms of cybersecurity. We want to make sure that anybody looking at this framework can see themselves or our people that work for them in their organization reflected in the work here. That's why we've got the document up for public review right now and are encouraging feedback from the public.
CHABROW: There is a link on our site that will provide a link to your site where they can put their comments in, and I believe the deadline is Dec. 16, 2011.
MCDUFFIE: Very true, very good, excellent.
IT Security Staffing Changing
CHABROW: You look at the document and one of the things that it suggests is that IT security tasks and responsibilities exist among many jobs, many you don't normally think of as IT security. Is the way we think about IT security staffing changing?
MCDUFFIE: Yeah, I think so. I think ... for a long time people would equate the term information assurance - that's probably the more generic term that has been used for a longer period of time - and cybersecurity as pretty much the same thing. In reality of this new use of the term cybersecurity, particularly the way we're using it in the NICE initiative, it's meant to be much broader than just the normal types of activities that you see in an information operation. Currently we include all those things, but we go beyond that. If you look at just the seven categories that break down the workforce in our document, we talk about - in addition to protect and defend - investigations; we talk about purely provision, analyzing, operating, collecting and support. All of these things go beyond, in some respect, the general information assurance category.
CHABROW: Is the intent of this publication once it's approved to be used to sort of formally identify IT security jobs and responsibilities?
MCDUFFIE: That's true. In fact, the Department of Homeland Security has already agreed to adopt this framework. What that means by adopt is it's not that you would agree that every one of the 31 different competent areas has to be reviewed in your organization exactly the way it's laid out in this document. To the contrary, the document is intended to be a drop-down menu if you will so that individuals, regardless of size of your organization or how focused you are on the cybersecurity area, should be able to pick and choose specific competencies that are relevant to your enterprise and use those accordingly. The goal here is for this to be a living document that agencies are able to voluntarily agree to map their workforce to, and we would hope that energy would end up causing a streamline affect across federal government and federal contractors, and we believe that it would help the entire field as a whole to have these well-defined competencies laid out and to have as many people as possible mapped to them in terms of training and curriculum development and academia, certifications from the certification world, and HR functions within specific organizations as well.
CHABROW: Why is it important to have such specific definitions for your jobs and skills?
MCDUFFIE: I don't know if the specificity is the key thing. The key is just to have something, a guideline if you will. How do you measure the amount of money and funds that are being spent on this kind of nebulous enterprise of security in cyberspace? What all goes into that, and how do you make some kind of return-on-investment calculation, if I spend "X" amount of dollars it's going to give me "Y" amount of return in terms of a better security posture? Certainly all that calculating has to start with some kind of baseline of what are the competencies that we're looking at and what should be the right mix that we would have at a specific agency. It lays out a guideline if you will to start that process.
Mapping out IT Security Careers
CHABROW: Can this framework be used by individuals to help map out there careers, and if so how?
MCDUFFIE: Absolutely. I don't know if it lends itself directly to individual career planning, but there are efforts I know underway by other types of agencies that are interested in the career planning piece of this to make sure that they're mapping to what we have. For example, in the certification space there is an effort going on by a number of the major certifiers. (ISC)2, CompTIA, SANS, and a number of others have formed a coalition which they are calling C3. I forget what the acronym stands for but it's like the certifying company consortium, and their goal is to map their certifications to these various competencies. There are already federal agencies that mandate if you're going to have a specific job title that you need the specific certification to go with that. So it helps with that process.
It also helps the academic sense if you're deciding to pursue a particular degree in one area or another, what types of jobs would that degree of certification bend itself to. It would be helpful to the students to understand what jobs he or she is training or being educated to fulfill, and then if he or she wants to do progression planning. "Okay, I've got a bachelor's [degree] now. I'm looking at maybe a masters or a PHD later. How is that going to open up the different job categories for me?" I think this will be one tool that would fit in that process.
CHABROW: Once you get these recommendations or suggestions in from the public, what happens next and when will a final report be out? And who actually approves this final report?
MCDUFFIE: That's interesting. What we typically do is first we consider it a living document, so there will be a final version of this iteration. But you should never think of it as really being final. Particularly, in a field like cybersecurity where things are changing so rapidly, this document will be continuously under review and updated on a periodic basis. But for this immediate iteration, after the public comment period closes, we take a committee, a group of people who are responsible for putting the document together to start with, and we'll look at all the comments out of that command and go through a unification process where they decide how we're going to respond to each individual comment. Once all of that is done and reflected in a new draft, all the stakeholders, all the different organizations that had input through the draft will sign off on it, saying that this meets our needs [and] approval; we're okay with it. Then final approval will probably come from the White House. Howard Schmidt's office as the Coordinator for Cybersecurity would be the one that would pass the final muster on anything that comes out of the NICE initiative.
CHABROW: Is there a standing committee or some kind of organization that's consistently looking at it, since you said this would be an iteration of a living document?
MCDUFFIE: NICE itself has a structure to it that encompasses all four different component areas, with standing members from a number of different agencies: DHS, NSA, Department of Defense, Office of Personnel Management, Office of Director of National Intelligence, National Science Foundation and Department of Education. All of those agencies have actual leadership roles within the NICE structure and then there are other agencies that play supporting roles as well, and we welcome the collaboration and input from any federal agency in reality. ... We meet regularly, on a bi-weekly basis, on a number of ongoing topics within the initiative and certainly this framework is one that's at a very high level right now, because it's out in the public and it will remain on our agenda, I believe, for the life of the document. I think the NICE initiative itself will have the responsibility of looking at updates and keeping this document current.
CHABROW: Well, I would recommend people take a look at the draft, even if you're not in government. I think there's a lot of information there about IT security careers and responsibilities that will be very useful for all types of organizations.
MCDUFFIE: Absolutely. In fact, I encourage non-governmental people to give us feedback because certainly that's where we're looking, the different voice or the different lands to look at it. Please, all non-government people should take a look.