Using Cyber Security Frameworks to Identify Training Needs

2020-04-07

graphic showing screen and lock overlays

Like most of you, I am working from home. I've been doing it for 25 years or so. Working from home provides a good opportunity to take classes without the usual work distractions. This is a great time for government agencies and private companies to bring employees up to speed in cyber security. Both cyber security professionals and other employees can benefit from at-home training.

To make the most of training time for employees working from home, organizations need to decide what Knowledge, Skills, Abilities, and Tasks (KSATs) employees in specific positions or with specific responsibilities need. There are two sources for that information: the US NICE (National Initiative for Cybersecurity Education a part of the National Institute of Standards and Technology) created the Cybersecurity Workforce Framework detailed in the NIST 800-181 document, and SFIA the Skills Framework for the Information Age. Each framework addresses the KSATs a bit differently, but they serve the same core purpose.

The way the frameworks function is to identify and provide names for responsibilities cyber security professionals have and the knowledge and abilities people need to perform those roles. In the real world, an individual may perform multiple roles, and one role may be performed by multiple individuals. That's part of why these documents are called "frameworks".

The SFIA framework specifically looks at levels of performance in the roles. That means the framework identifies the responsibilities and abilities of someone just beginning to work in a role, as well as those of someone with advanced experience (and various levels in-between).

The NICE framework explains up-front the role of the framework for Employers, "Current and Future Cybersecurity Workers", "Educators/Trainers", and Technology Providers. These sections show how the remainder of the document can assist each of these sectors.

Here is one part of the NICE Framework:

This identifies the Speciality Area of Threat Analysis from the Analyze category. Later on, it describes the Work Role(s) associated with each Specialty Area. TWA has only one Role, but some have multiple Roles:

It is important to note that these are roles and not job titles! As I noted earlier, an individual may serve in multiple roles, and these may be in different areas of the Framework.

The NICE Framework and SFIA also include basic instructions for using the framework, as well as additional information.

As an employer and employees work together (potentially with outside assistance) to identify roles and individuals filling those roles, they can look at training to help both novice and experienced employees better fulfill those responsibilities. For those new to cyber security, I, of course, recommend Learning Tree's System and Network Security Introduction that I co-wrote. Learning Tree also has an extensive collection of additional cyber security courses and certifications.

In a subsequent post, I will talk about the specifics of taking an online course and about some specific tools to help employees receive maximum benefit from learning in an online environment.

Written by John McDermott

John McDermott, CPTD, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.