National Initiative for Cybersecurity Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec.


National Initiative for Cybersecurity Education (NICE) and the Cybersecurity Workforce Framework: Attract and Retain the Best in InfoSec
April 12, 2018

1 Introduction to NICE - The National Initiative for Cybersecurity Education

NICE Vision & Mission
Vision: A digital economy enabled by a knowledgeable and skilled cybersecurity workforce.
Mission: To energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development.

NICE Origin & Purpose
- Established in support of the 2009 Cyberspace Policy Review
- Expands on Initiative #8 (Expand Cyber Education) of the 2008 Comprehensive National Cybersecurity Initiative (CNCI)
- Codified by the Cybersecurity Enhancement Act of 2014 (the Act)
- Led by the National Institute of Standards and Technology (NIST)
- A partnership between government, academia, and the private sector
- Focused on cybersecurity education, training, and workforce development
- Intended to guide action on addressing the critical shortage of a skilled cybersecurity workforce

NICE - 3 Primary Cyber Workforce Development Goals
- Accelerate Learning and Skills Development
- Nurture a Diverse Learning Community
- Guide Career Development and Workforce Planning

NICE Resources
- Strategic Plan: https://www.nist.gov/itl/applied-cybersecurity/nice/about/strategic-plan
- eNewsletter: https://www.nist.gov/https%3a/www.nist.gov/news-events/newsupdates/search%3fcombine%3d%26term_node_tid_depth%3dall%26field_campus
- One Pagers: https://www.nist.gov/itl/applied-cybersecurity/national-initiativecybersecurity-education-nice/nice-one-pagers
- Get engaged! https://www.nist.gov/itl/applied-cybersecurity/nice

2 The NICE Cybersecurity Workforce Framework (CWF)

Who has ...
- been asked "How do I get started in cybersecurity?" or "How do I become a CISO?"
- had to write a job description but was not sure what to include in it?
- had someone on their team say that their job description does not match what they are asked to do?

Are You at Risk of Losing Cybersecurity Talent?
Source: (ISC)2 2018 Report, Hiring and Retaining Top Cybersecurity Talent
Frequency of contact by recruiters:
- Many times a day: 19%
- About once per day: 8%
- A few times a week: 11%
- Once a week: 22%
- A couple of times per month: 27%
- Less than once a month: 14%

What is Important to Cybersecurity Professionals?
Source: (ISC)2 2018 Report, Hiring and Retaining Top Cybersecurity Talent
- 68% want their opinions to be taken seriously
- 62% prefer clearly defined cybersecurity responsibilities
- 59% prioritize employee training and technology investment

NICE Cybersecurity Workforce Framework (CWF) Background
- 2002: National Research Council identifies the concern
- 2008: Comprehensive National Cybersecurity Initiative (CNCI) established, including Initiative #8: Expand Cyber Education
- 2010: NICE formed
- 2013: Version 1.0 of the CWF published
- 2017: Version 2.0 of the CWF published as NIST Special Publication 800-181

CWF Categories and Specialty Areas: 7 Categories, 33 Specialty Areas
- SECURELY PROVISION: Risk Management; Software Development; Systems Architecture; Technology R&D; Systems Requirements Planning; Test & Evaluation; Systems Development
- OPERATE & MAINTAIN: Data Administration; Knowledge Management; Customer Service & Technical Support; Network Services; Systems Administration; Systems Analysis
- OVERSEE & GOVERN: Legal Advice & Advocacy; Training, Education & Awareness; Cybersecurity Management; Strategic Planning & Policy; Executive Cyber Leadership; Program/Project Management & Acquisition
- PROTECT & DEFEND: Cybersecurity Defense Analysis; Cybersecurity Defense Infrastructure Support; Incident Response; Vulnerability Assessment & Management
- ANALYZE: Threat Analysis; Exploitation Analysis; All Source Analysis; Targets; Language Analysis
- COLLECT & OPERATE: Collection Operations; Cyber Operational Planning; Cyber Operations
- INVESTIGATE: Cyber Investigation; Digital Forensics

CWF Sample Specialty Areas and Work Roles: Oversee and Govern (OV)

Specialty Area: Legal Advice and Advocacy (LGA)
Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of the client via a wide range of written and oral work products, including legal briefs and proceedings.
Work Roles:
- Cyber Legal Advisor: Provides legal advice and recommendations on relevant topics related to cyber law.
- Privacy Officer/Privacy Compliance Manager: Develops and oversees the privacy compliance program and privacy program staff, supporting the privacy compliance, governance/policy, and incident response needs of privacy and security executives and their teams.

Specialty Area: Training, Education, and Awareness (TEA)
Conducts training of personnel within the pertinent subject domain. Develops, plans, coordinates, delivers, and/or evaluates training courses, methods, and techniques as appropriate.
Work Roles:
- Cyber Instructional Curriculum Developer: Develops, plans, coordinates, and evaluates cyber training/education courses, methods, and techniques based on instructional needs.
- Cyber Instructor: Develops and conducts training or education of personnel within the cyber domain.

Specialty Area: Cybersecurity Management (MGT)
Oversees the cybersecurity program of an information system or network, including managing information security implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, requirements, policy enforcement, emergency planning, security awareness, and other resources.
Work Roles:
- Information Systems Security Manager: Responsible for the cybersecurity of a program, organization, system, or enclave.
- Communications Security (COMSEC) Manager: Individual who manages the Communications Security (COMSEC) resources of an organization (CNSSI 4009) or key custodian for a Crypto Key Management System (CKMS).

Knowledge, Skills & Abilities: Example

Knowledge
- K0246: Knowledge of relevant concepts, procedures, software, equipment, and technology applications.
- K0250: Knowledge of Test & Evaluation processes for learners.
- K0252: Knowledge of training and education principles and methods for curriculum design, teaching and instruction for individuals and groups, and the measurement of training and education effects.
- K0287: Knowledge of an organization's information classification program and procedures for information compromise.
- K0313: Knowledge of external organizations and academic institutions with cyber focus (e.g., cyber curriculum/training and Research & Development).
- K0319: Knowledge of technical delivery capabilities and their limitations.
- K0628: Knowledge of cyber competitions as a way of developing skills by providing hands-on experience in simulated, real-world situations.

Skills
- S0281: Skill in technical writing.
- S0293: Skill in using tools, techniques, and procedures to remotely exploit and establish persistence on a target.
- S0301: Skill in writing about facts and ideas in a clear, convincing, and organized manner.
- S0356: Skill in communicating with all levels of management including Board members (e.g., interpersonal skills, approachability, effective listening skills, appropriate use of style and language for the audience).
- S0358: Skill to remain aware of evolving technical infrastructures.

Abilities
- A0006: Ability to prepare and deliver education and awareness briefings to ensure that systems, network, and data users are aware of and adhere to systems security policies and procedures.
- A0011: Ability to answer questions in a clear and concise manner.
- A0012: Ability to ask clarifying questions.
- A0013: Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
- A0014: Ability to communicate effectively when writing.
- A0015: Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.

Tasks: Example
- T0030: Conduct interactive training exercises to create an effective learning environment.
- T0073: Develop new or identify existing awareness and training materials that are appropriate for intended audiences.
- T0101: Evaluate the effectiveness and comprehensiveness of existing training programs.
- T0224: Review training documentation (e.g., Course Content Documents [CCD], lesson plans, student texts, examinations, Schedules of Instruction [SOI], and course descriptions).
- T0230: Support the design and execution of exercise scenarios.
- T0247: Write instructional materials (e.g., standard operating procedures, production manual) to provide detailed guidance to the relevant portion of the workforce.
- T0316: Develop or assist in the development of computer-based training modules or classes.
- T0317: Develop or assist in the development of course assignments.
- T0318: Develop or assist in the development of course evaluations.
- T0319: Develop or assist in the development of grading and proficiency standards.

NISTIR 8193: NICE CWF Work Role Capability Indicators
- Draft published November 2017
- Aims to describe the qualities or accomplishments needed to perform a particular work role
- Describes recommended education, training topics, and certifications at various levels (Entry, Intermediate, Advanced)

NICE CWF Work Role Capability Example

Cyberseek.org: Identifying Career Paths

Cyberseek.org: Role Drilldown

If You Are a Manager
- Remember: it is a framework; modify it as you see fit
- Write job descriptions: use the Knowledge, Skills, Abilities, and Tasks, and supplement them with organization-specific competencies
- Conduct an organizational assessment: identify core competencies, identify key competencies, and reassess as appropriate
- Establish a career path for employees using the Work Role Capability Indicators: identify early-, mid-, and late-career paths, and identify the training and education for each

If You Are a Job Seeker
- Understand the Knowledge, Skills, and Abilities, as well as the Tasks, required for the roles you want
- Use the Work Role Capability Indicators to progress in your career
- Think about where you want to be
- Use the CyberSeek website: it identifies common career paths and shows where the jobs are

If You Are a Cybersecurity Trainer
- Identify core competencies
- Identify role-specific competencies
- Design curriculum at the appropriate level (Entry, Intermediate, Advanced) using the Work Role Capability Indicators
- Match curriculum to KSAs and Tasks

NICE CWF Resources
- NIST Cybersecurity Workforce Framework main page: https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework
- NIST SP 800-181, NICE Cybersecurity Workforce Framework: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-181.pdf
- NICE CWF 2.0 spreadsheet: https://www.nist.gov/file/359261
- NISTIR 8193 (Draft), Work Role Capability Indicators: https://csrc.nist.gov/csrc/media/publications/nistir/8193/draft/documents/nistir8193-draft.pdf
- CyberSeek: http://cyberseek.org/

Contact Us
- Dave Zaras, CISSP, CRISC, CAHIMS, Lead Consultant: dzaras@impactmakers.com
- Eddie McAndrew, CISSP, PMP, ITIL, MSIS, Lead Consultant: emcandrew@impactmakers.com
Slide deck posted at: http://www.impactmakers.com/insights/cov-presentations/