NIST Unveils New Cybersecurity Workforce Framework

December 12, 2016


One of the more persistent challenges associated with addressing industrial automation systems cybersecurity is the shortage of people with appropriate skills and experience. It is generally accepted that the shortage of cybersecurity talent has led to it becoming one of the fastest growing fields for job opportunities. This challenge is not unique to industrial cybersecurity. The problem is much larger, applying to all aspects of information security.

While important aspects of industrial cybersecurity are unique to the domain, many of the fundamentals are similar or identical to those associated with general-purpose information systems security. Any efforts to address the broader skill shortage will have some positive impact on industrial automation.

The National Institute of Standards and Technology (NIST) announced one such effort on November 2, 2016 at the NICE Conference and Expo in Kansas City. The NICE Cybersecurity Workforce Framework (NCWF) is a tool to help employers more effectively identify, recruit, develop, and maintain cybersecurity talent. It provides a common language to describe cybersecurity work regardless of organizational structures or job titles.

Organizations can use the framework to organize roles and responsibilities through the following components:

  • Categories – A high-level grouping of common cybersecurity functions.
  • Specialty Areas – Distinct areas of cybersecurity work.
  • Work Roles – The most detailed groupings of IT, cybersecurity, or cyber-related work, which include specific knowledge, skills, and abilities required to perform a set of tasks.
  • Tasks – Specific work activities that could be assigned to a professional working in one of the NCWF’s Work Roles.
  • Knowledge, Skills, and Abilities (KSAs) – Attributes required to perform tasks, generally demonstrated through relevant experience or performance-based education and training.

The first of these components defines seven high-level categories that group the work and workers that share common functions, as shown in this figure:

[Figure: the seven high-level NCWF categories]

Each of these categories is in turn made up of more than 30 specialty areas such as “Incident Response” and “Legal Advice and Advocacy.” Some specialty areas map to a single work role and others are contained in more than one work role.

Although this framework does not specifically address industrial systems cybersecurity, it is still a useful tool for those securing these systems. The categories, specialty areas, and roles identified are relevant to effective security, regardless of the scope of application. Consistent definitions in these areas will be helpful in constructing a comprehensive cybersecurity program that addresses all systems in a consistent manner. Common concepts and terms are essential for defining and sharing information in a consistent and descriptive way. Organizations can use the NCWF as a building block to develop training, development, and staffing programs.

NIST Special Publication 800-181 provides a detailed description of the framework. This draft is now available for public review and comment, with a response deadline of January 6, 2017. Feedback can be sent via email to ncwf@nist.gov. The authors are particularly interested in suggestions for new tasks and KSAs, to help ensure the final version fully addresses cybersecurity workforce needs.

Reprinted with permission; the original blog was posted here. You may also visit here for more such insights on the digital transformation of industry.

About ARC Advisory Group (www.arcweb.com): Founded in 1986, ARC Advisory Group is a Boston based leading technology research and advisory firm for industry and infrastructure.

For further information or to provide feedback on this article, please contact sgandhi@arcweb.com

About the Author:

Eric Cosman

Contributing Consultant, ARC Advisory Group

Eric provides advisory and consulting services to ARC analysts and clients in all aspects of operations and project management. Eric has over 35 years of experience in the development, delivery, management, and support of operations information technology solutions in the process industries.

