In early August, the National Initiative for Cybersecurity Education, which is led by the National Institute of Standards and Technology, released a new version of its Cybersecurity Workforce Framework, NIST Special Publication 800-181. Weighing in at 114 pages, the publication is informed by stakeholders from government, academia and the private sector to promote an ecosystem of cybersecurity and privacy education and training.
"A user of the NICE Framework will reference it for different aspects of workforce development, education, and/or training purposes, and when that material is used at organizational levels, the user should customize what is pulled from the NICE Framework to standards, regulations, needs and mission of the user's organization," the framework's executive summary notes, adding that it "is a reference starting point for the content of guidance and guidelines on career paths, education, training, and credentialing programs."
Perhaps the release flew under the radar for some, but privacy pros should take note as this in-depth text contains valuable information on the interdisciplinary nature of cybersecurity and privacy work. It includes extensive information on the knowledge, skills and abilities (referred to henceforth as KSAs) needed to complete the many tasks required of privacy pros, and it maintains a consistent lexicon to describe the nature of cybersecurity and privacy work. It's important to note, too, that it's not just for those working for government agencies. This is a framework that can be applied to virtually any organization, public or private. Further, it can also be used to inform curricula for academic institutions training the next generation of privacy and security pros.
Though not the first time a workforce framework has been published by NICE (it's the third version), it is the first time it was released as a Special Publication by NIST, which indicates the growing significance of this field.
In a phone conversation with Privacy Perspectives, two of the framework's authors, Information Technology Laboratory Applied Cybersecurity Division's William Newhouse and G2 Inc.'s Greg Witte, explained the amount of work and broad spectrum of expertise that went into this latest iteration. Newhouse pointed out that the second version was essentially a spreadsheet, much of which was informed by the Office of the Secretary of Defense. This latest edition takes that further: it refines the material, considers the latest job needs that come with technological innovations, and seeks more expertise from a wide range of fields.
"This had never been a NIST Special Publication before this," Newhouse explained. "Our challenge was to say, 'OK, can we turn a document (version two) that makes little sense to the nation, and turn it into something that does?' We all agreed there was something here. It takes a lot of collaboration and listening to do this," he said. "We have 52 work roles with 33 specialty areas and applied KSAs to each of those. We reached out to academia and industry, explored specialty areas, and made more refinements. After all that, we then felt this should be turned into a Special Publication."
He also said new technological innovations were considered, including the rise of internet-of-things devices and the privacy and security risks that go along with their growing use.
Significantly, the need for KSAs involving privacy is on a sharp upward curve. The first version of this framework, dating back to 2012, mentions the word privacy 22 times. Fast forward to 2017, and you'll find privacy mentioned 103 times.
"We here at NIST have been watching and helping with this evolution," Witte said. "We heard from some outside groups that privacy and security are the same thing, but they're really complementary. You need both, and I'm glad we can provide guidance on that."
Witte and Newhouse both hope this framework will be applied to the private sector and academia in addition to federal agencies. "We're going to need to keep up with 800-53," Witte said. NIST SP 800-53, which also received a revision in August, is an ongoing effort to apply a privacy and security framework for information systems, and in this latest iteration, the IoT.
There are plenty of excellent nuggets in this latest NICE workforce framework that privacy pros can take advantage of. A look at some of these KSAs can help organizations and employers identify gaps in their privacy and cybersecurity posture, which can then be filled by competent employees. In turn, this can also help employees or job hunters demonstrate their own KSAs to make the case for promotion or hiring. It also provides a consistent and repeatable approach to select privacy and cybersecurity positions in public and private organizations. Not to be left out, the framework also applies a standardized lexicon that can be used by academic institutions to develop curricula to help prepare students entering the workforce.
Considering the influence of the NICE workforce framework, Witte says he's excited to see it in action. "As the things in this framework become more of a recipe for organizations, these are the things people will be trained on and hired for," he predicted. He also enjoys knowing that his daughter, who is starting school soon, will be learning through a curriculum that has been influenced by NIST.
Newhouse was equally optimistic: "If privacy is in your realm, and you have a question about how it's being expressed in KSAs, come to this framework, then you'll have something to build from." He also said there will be more room for privacy to grow in the next version of the workforce framework.
In the meantime, check out this latest release; it may make a big difference for your career or organization.