Podcasts
Special Editions
Ep 59
Special Editions 3.17.24
Ep 59 | 3.17.24

Unveiling the updated NICE Framework & cybersecurity education’s future.

Show Notes
Transcript

Dave Bittner: Hello everyone, and welcome to this special edition N2K CyberWire podcast. Today we're peeling back the layers on something that's become the cornerstone of cybersecurity workforce development - the NICE Framework. It's more than just a guideline; it's the foundation for building a skilled, knowledgeable cybersecurity workforce, ready to tackle the challenges of today and tomorrow. I'm your host, Dave Bittner. Today we've got a lineup that's as informative as it is inspiring. To kick things off, Brian Fonseca from the Jack D. Gordon Institute for Public Policy will give us a primer on what the NICE Framework is all about. Following that, Karen Wetzel, the NICE Framework manager, will take us through the latest updates and what they signify for the industry. And to bring it all home, Rodney Petersen, director of NICE, will share insights on how these changes are shaping the future of cybersecurity education. The NICE Framework isn't just about tasks, knowledge, and skills essential for cybersecurity work. It's about paving the way for individuals and organizations to elevate their capabilities in this ever-evolving field. So, whether you're part of an organization looking to bolster your cybersecurity defenses, or an aspiring cyber professional eager to carve out your path, this episode is for you. Let's get started. [ Music ] For someone who is not at all familiar with the NICE Framework, with the interaction with NIST and all that kind of stuff, how do you explain it to someone who's really not up to speed on what it is?

Brian Fonseca: Right, so, I mean, think about the NICE Framework, the National Initiative for Cyber Education Framework. We refer to it as the NICE Cybersecurity Workforce Framework, which is essentially a comprehensive guide that helps lay the foundation for how we define and standardize, codify, the cybersecurity workforce. The spirit of the Framework is to categorize and describe cybersecurity work into categories, specialty areas, work roles, knowledge, skills, and abilities, also known as KSAs, for each of the required roles. This is a Framework that's designed to bring a variety of sectors together. By sect -- when I say sector, I mean bring academic institutions, industry, government, and try to align them towards improving the cybersecurity workforce and reducing what has become a really pronounced gap in terms of the number of cybersecurity positions available and the workforce that we have to fill those roles.

Dave Bittner: Can you take us through a little bit of the history here? I mean, what led us to this point where we find ourselves today?

Brian Fonseca: So, I mean, first and foremost the rapid, you know, rise of tech and the proliferation of tech and the growing insecurity in cyberspace has led to a huge, you know, demand for cybersecurity professionals. And I think at some point, you know, in the last two decades, we realized that, you know, universities and educational institutions weren't spitting out enough workforce to fill the demand. And so what was happening was the delta between the growing demand for cyber professionals and the number of cyber professionals going into the workforce was continuing to sort of become more pronounced. And so this was an initiative by the US government. It's led through NIST, which is the National Institute of Standards and Technology. It was an initiative back in roughly 2008-2009 by the federal government to improve the nation's ability to educate cyber professionals, train workforce by skilling, upskilling, reskilling workforce in an effort entirely to mitigate the growing workforce gap that we saw in cyber.

Dave Bittner: Can you give us some insights as to what the process has been like of bringing all these different stakeholders to the table to make sure that you end up with a balanced approach here in the Framework?

Brian Fonseca: That's a great question. And so at FIU, I help lead the National Initiative for Cyber Education Annual University convening. It's something we've been doing now -- this is going to be our sixth year in which we've been organizing this annual convening that is designed to bring academic institutions, industry, government, civil society into one space. And be thoughtful about where the cybersecurity workforce is going, and how we need to pivot or evolve to ensure that we're producing workforce that can meet the demands. This is about alignment, ensuring that what universities are doing in terms of curriculum aligns with what the industry needs. We've seen that iteratively over time, is that universities were not necessarily aligning their curriculum with industry in a sort of rapidly evolving, you know, workforce landscape. And so this NIST, NICE, and our annual convening that we lead underneath NICE is designed to create that sort of alignment. To ensure that, again, universities are producing the talent that is needed by the workforce and is evolving as rapidly as the workforce demands are evolving. So that's the, you know, that's sort of the origin and background of this. We do it through a series of convenings. There's iterative processes by which we continue to -- I mean, first the Framework itself was developed and then it's, you know, constantly sort of evaluated and refined to ensure that the, you know, what's codified in the Framework does, in fact, map to where the cybersecurity workforce is going, or where it is and where it's going, of course. And so that's really, you know, it's this multi-stakeholder approach of bringing these organizations together, bringing these communities together, and building, you know, sort of, you know, thoughtfulness into how we prepare the workforce of, you know, of the future.

Dave Bittner: You mentioned academic institutions. And I'm curious - how does the release of the Framework affect those institutions? What is the interaction and how does it align with where they find themselves today?

Brian Fonseca: Yeah, that's a great question. And I think the most impact that the Framework and sort of the evolution of the Framework is having on institutions is it's helping inform institutions of the skills needed to meet the demands of the workforce. And so that translates back to evolving curriculum, evolving experiential learning opportunities to ensure students are getting the skills that they need through formal classes, through experiential opportunities, professionalization, programming to, again, align with what industry needs in order to address what has been, you know, a fairly large gap between number of cybersecurity jobs out there and the amount of workforce that is in play to help address those, you know, those vacancies. And so universities rely on the Framework, again, to make sure that there's alignment on their end, that the things that they're doing in higher ed is producing meaningful talent that's going off into the workforce.

Dave Bittner: It strikes me that it really is important to have something like this as a standard to kind of, you know, calibrate across the various universities and colleges and, you know, even boot camps, things like that that are trying to get people up to speed here for these jobs to have a ground truth, a North Star that everyone can point to and say, Okay, here's -- you know, here's the basis for which -- this is where we begin.

Brian Fonseca: Yeah, that's absolutely right, and I think that's the spirit of this, is to help inform that conversation of what that point of departure is in terms of preparation of workforce. And again, you know, NICE itself has been sort of an evolution. As I mentioned, it, you know, it launched in 2008, roughly, initiative under, you know, a sort of federal charge of improving the national security -- the nation's national security or cybersecurity workforce. And then sort of, you know, the development and release of the first actual Framework occurred, you know, at the turn of the last, you know, of the last decade, the 2010-'12 period is when the first NICE Framework was published. And again, universities, you know, quickly started to gravitate towards pulling that Framework in to drive, you know, how, you know, academia was positioning to help produce what was this, you know, growing demand. I mean, at the end of the day, that's what universities charge is, is to produce workforce in part, which is the large part. And so this Framework has been so vital for institutions like ours to help inform, you know, how we, you know, how we align with what the workforce needs are.

Dave Bittner: Yeah, I'm curious. We have this explosion of interest in AI. And I think it's fair to say that it's really captured both the public's imagination and also professionals as well. There's a huge demand for people with knowledge and expertise in this area. How does something like that play into the Framework, when you have, you know, this big shiny object right now that is AI? What's the interplay between that and the Framework itself?

Brian Fonseca: That's a great question. And, you know, in fact, many have sort of suggested that much of, you know, much of our success in addressing the workforce gap is going to come through the use of AI, right? AI, in many ways, is automating some of the work roles. And so those that are pursuing careers in cybersecurity, I think it's a must at this point, must be familiar with, you know, the tools and capabilities that AI brings to securing cyberspace. You know, securing physical systems, networks, software, and applications. And so that's where I think, you know, where I think this goes, is that, you know, the Framework is going to have to, you know, build, you know, into the Framework. You know, maybe AI-specific roles and competencies, or at least helps ensure that those that are being trained, you know, also understand sort of the limits and opportunities of leveraging AI in pursuit of their respective cybersecurity roles. And so that's where I see this sort of evolving. And I think that's going to be part of our, you know, a big part of our conversation going forward, is how does the cybersecurity workforce better incorporate, you know, machines in meaningful ways to help address the threat landscape and help, you know, create efficiencies and, you know, and make impact on their respective roles as they, again, try to safeguard and protect, you know, cyberspace. And so I think, again, that Framework is going to evolve rapidly, you know, to absorb this. I made comments at the last NICE Annual Convening in Seattle to the effect that, you know, that we as a community need to pivot and embrace, you know, AI, automation, in ways that help us become more effective in our ability to secure cyberspace. I know at our next convening that's going to take place in June in Dallas is also going to touch on, if not heavily, you know, address the growing demand for AI in the cybersecurity space. And then how do we -- and that's where our conversation is going to go, how do we incorporate AI meaningfully into the Framework so that we're producing talent that is both, you know, capable of securing cyberspace, but leveraging, you know, what automation and AI can help provide.

Dave Bittner: Can you give us some examples of some of the ways that the NICE Framework is used within industry?

Brian Fonseca: Yeah, I mean, absolutely. So you can imagine that, you know, part of the NICE Framework kind of lays out these work roles, but also starts to touch on mapping of what skill sets are required to be effective in a particular position. And so what we're seeing is that employers are looking at the Framework, one, to better understand the capabilities needed to address that particular function in the organization. Like, this is a huge gap going forward, is that most HR managers are not versed in hiring in tech, but every organization has a requirement to hire some type of technical capability, either in-house or on contract. And so what the NICE Framework does for those organizations is help lay out what that landscape looks like and what skills they should be looking for in candidates to fill technical roles within their organizations. And part of that also is inclusive of, Well, what certifications and what type of credentials should we be looking for that validate that that person has a skills set that's needed to do the position that I need in our organization? It's really helpful in educating non-technical personnel on sort of the left, right, lateral limits of what these positions are designed to do, and then what's their pathway in terms of progression within an organization. And so it becomes a really useful map as you're mapping out the technical growth of human capital within your organization. [ Music ]

Dave Bittner: Up next, we are joined by Karen Wetzel, manager of the workforce Framework for cybersecurity NICE Framework at NIST, discussing updates to the NICE Framework. So let's start off with some high-level stuff here. I mean, can you give us a little bit of the background of what led up to this release of version 1.0.0 of the NICE Framework components?

Karen Wetzel: Sure. We're very excited about this release and what it means for supporting the cybersecurity workforce. In 2020, we updated the NIST Special Publication 800-181, the Workforce Framework for Cybersecurity, otherwise known as the NICE Framework. And we made some updates to that Framework structure at that time. It's essentially been since then that we've been working on updating all of the components that are the NICE Framework in order to match up with that structure. And it's given us an opportunity to take a look at that content and make sure that we're addressing things like redundancy and duplication and lack of clarity at the same time.

Dave Bittner: Well, let's go through some of the details together here. I mean, what are some of the key elements here that you want folks to know about?

Karen Wetzel: Essentially, what we've put out is a great step forward to be able to improve the usability of the NICE Framework. And we've really been working on making sure that we are engaging with the community throughout, through calls for comments on every one of these different components and updates that we've made for them. So it includes everything from looking at our work role categories and making sure that there are updates there, make sure that they're clearer and more easily used, as well as looking at our work rules themselves. And really importantly, we've also introduced new competency areas that will extend the capabilities that we have with the NICE Framework. And updated all of our task, knowledge, and skill statements, the building blocks of the Framework.

Dave Bittner: Can you share with us some insights as to what goes into the process of doing an update like this? What was it like coming up with these new standards?

Karen Wetzler: We had essentially been engaged with the community throughout this entire process. We had -- when we released the NIST Special Publication Revision at the end of 2020, we had asked prior to that for feedback from our community about things that they would want to see changed in that. During that process, we also got additional feedback about what kinds of changes would be necessary for the components to make them more useful. As we went through and reviewed all these components, we engaged with subject matter experts and stakeholders in that entire process through workshops, meetings, and individual calls in order to understand what we would want to do in order to address these. We came up with a TKS Authoring Guide, a Task, Knowledge, and Skill Statement Authoring Guide, to guide us in this process as well. And for every stage of the process, we put these out for comment to make sure that we were heading down the right path.

Dave Bittner: You've also updated the NICE Framework Resource Center, which is the online resource. Can you tell us about that?

Karen Wetzler: Sure. The NICE Framework Resource Center is our website that is all things NICE Framework. It's where we have guidance and tools and point to other uses of the NICE Framework. And it was really important for us to make sure that we had updates there to make it easier for people to understand this transition with this new release of the NICE Framework components. So we've updated our FAQs. We have a quick start guide for people who are just getting started with using the NICE Framework. We made sure that there's a mapping of the original 2017 components to this new version. We've also included in there change logs, as well as other kinds of summaries of this -- of the updates that we've made. So essentially, really making sure that if there's a question, we're trying to answer it there. And it's also going to help us in the future as we start to develop new resources about how to use the NICE Framework, developing out resources for employers, for learners, for academia, and training organizations, for example.

Dave Bittner: Can you share with us some examples of how the NICE Framework is being used by folks across the industry?

Karen Wetzler: Yeah, it's -- the NICE Framework has broad usage, which is great. It means that what we're really doing is making sure that that common language that the NICE Framework establishes is being used in all portions of the ecosystem. So that includes being used when you're talking to K-12 and thinking about career discovery, looking at those NICE Framework work role categories and being able to explain the different kinds of work that happen in cybersecurity. And then looking at the work roles, and really showing how much variety there is in this profession. It's also used in education, and that includes both at K-12 level as well as in higher education. And then in training and ongoing education where the NICE Framework is used when developing curriculum to align courses so that we can see that connection between what is being taught and what work someone might do. And then of course it's being used by employers. That includes both assessing their workforce, being able to gauge their capabilities and understand what kinds of needs an organization might need -- or have. And then it also includes during the hiring processes. It could be used to help develop job descriptions, and we have a resource on our website that explains how to do that. It could be used during assessment, as we're seeing more skills-based assessments happening. It really is at all stages of one's career.

Dave Bittner: For that person who is in a mode of learning, who's trying to up their skill level, or perhaps someone who's looking to enter this workforce, what part can the NICE Framework play for them?

Karen Wetzler: It's a really great resource for them. If you're looking to enter into the cybersecurity profession, it gives you a great point of entry in terms of understanding the kinds of work that might happen and the kinds of opportunities that you might have. If you're looking at coming in from a mid-career transition, you could see how your skills and capabilities can evolve and transition over into cybersecurity, how you can put those into play in different kinds of work roles. It also will help you identify gaps, and then be able to see what kinds of learning that you might want to pursue in order to help fill those gaps. So that you're really doing the work that's specific to what your goals are, versus maybe taking a shot in the dark and hoping you get the right skill set that you need.

Dave Bittner: You know, we see a lot of complaints from folks who are out there looking for jobs, that some of the job descriptions are all over the place, or, you know, making unrealistic asks. You know, we want 10 years of experience for a technology that's only existed for five years, things like that. From an employer's point of view, can the Framework provide some clarity in putting together these job role descriptions?

Karen Wetzler: Absolutely, and that's I think one of the really important things to understand, is that this could be used not just by the practitioners or by the hiring managers, but by HR as well. We don't expect HR - human resources staff - to understand everything there is to know about cybersecurity. That's not their area of expertise. Their area of expertise is about making sure that they are creating effective job descriptions, working with the hiring managers, and understanding what their needs are, and being able to assess and be able to bring in the employees that are going to be useful for that organization. So what we do with the NICE Framework is provide guidance around what kind of work someone in a work role might do, and what knowledge and skills they might need to have in order to do that work. And so by looking at those, you can go ahead and create a job description that's more realistic. You could go through a work role and say, Yes, for our organization, this person would need to do these tasks, all of them, or maybe a subset of them, or we may need to add some in that aren't there because of our unique organizational needs. And so by giving them that starting place, it can help make sure that that process is a lot more effective.

Dave Bittner: This is version 1.0 of the Framework here. What are you looking forward to in the future? How is this going to evolve and grow over time?

Karen Wetzler: Well, there's a lot to do. There's -- and we are working with the community at all points in order to make sure that we move forward in its ongoing development. We know that cybersecurity is not an area that is static by any means, and so we need to go ahead and reflect that in our workforce Framework. So this includes looking at developing out those 11 new competency areas. We have this week the very first meeting of folks who are going to help us to do that, develop out knowledge and skill statements to help support those new competency areas. We're also looking at updating some of our existing work rules, and we're doing that right now to be able to make sure that what we have with this new content is meeting current needs and that we aren't missing anything. We're looking at how things like automation and AI are having an impact. So not only looking at how do we secure AI, but how AI could be used in the workforce to make sure -- to do these kinds of work. So it involves a number of new work roles that we're looking at developing. It involves looking at existing work roles and going ahead and addressing those competency areas. That's with the Framework itself, but we also are looking at developing guidance outside of the Framework, too. So whether that's a profiles for specific industries or specific jobs or just other kinds of resources to help people along the way.

Dave Bittner: Now, it really strikes me that this has been a deliberately collaborative process here, that you've -- beyond the work that you and your colleagues are doing there, that there really has been an intentionality about working with industry and the various stakeholders.

Karen Wetzler: Absolutely. It's essential that we engage all of the players in our development of those Framework. It is them who are the ones -- it's the employers who are telling us what the needs are, it's the academics who need to understand that to be able to translate that into training and education to be able to bring those learners forward. It's about working with the learner community to understand what kinds of resources they might need and how they might understand this to use this for career pathways, for example. So it really is essential that we are reflecting what is happening in the workforce, rather than telling the workforce what it should be doing. It's about listening and about incorporating that. And that's at all stages. It also includes working with our federal agencies and departments who are in this area as well as in private industry, too. [ Music ]

Voiceover: We'll be right back. [ Music ]

Dave Bittner: Next we have Rodney Petersen, Director of NICE at NIST in the US Department of Commerce discussing cybersecurity education's future. I would love to hear, in your own words, kind of the significance of this recent release of this new version of the NICE Framework.

Rodney Petersen: Yeah, so the NICE Framework exists to create a common taxonomy or lexicon to describe cybersecurity work, but we all know that cybersecurity work is evolving and rapidly changing. So the NICE Framework needs to be able to keep up with those changes and provide periodic updates accordingly. So, a lot of the updates that came out in the recent revision are not only an attempt to update some language from the 2017 publication, but to really reflect some of the modern needs. Particularly in the areas of competency areas, which we're introducing or reintroducing for the first time, and they address some emerging and important areas that didn't exist or weren't as important in 2017 as they are today in 2024.

Dave Bittner: Can we dig into some of the details here? I mean, what are some of the highlights of the changes and updates?

Rodney Petersen: So, starting with kind of the component structure, it's organized around seven categories and we made some minor but important modification to the category name. So for example, the first one was previously called Securely Provisioned, which was both a confusing term and maybe not a very accurate term to describe what the category included. And it's now called Design and Develop. And when you think about the design and development of not only cybersecurity solutions but technology solutions in general, this is a pretty critically important part of cybersecurity. In other words, making things secure by design. So whether it is Internet of Things or artificial intelligence or software, hardware, the Design and Develop category was renamed to reflect that that really applies across all products and services and technology. Another example was just changing the descriptions to be more consistent so they follow the same kind of nomenclature to operate and implement, oversee and govern, protect and defend, etc. That at the category level was done similarly at the work role level, which is kind of the next level of components. Renaming for consistency but also removing things that may have sounded like job title. A simple example is a system administrator, a previous work role, is now called system administration. And even though it may directly correspond to the job title or the job of system administrator, we know in small organizations you might be doing multiple roles and you may not actually go by that title. And then finally, the most significant and intensive changes were made to the actual statements themselves, the thousands of task, knowledge, and skill statements that were updated to address a variety of grammatical redundancies and other just corrections that need to be made to modernize the Framework.

Dave Bittner: You know, I think it's fair to say that the NICE Framework has really come a long way since you all originally launched it. What do you think some of the ways are that this latest update is going to impact the future of cybersecurity education and workforce development?

Rodney Petersen: Yes, I think in the beginning -- in fact, we even changed the name in 2020 to reflect that it was a, you know, Framework for cybersecurity, not just for the workforce or not just for employers to use. So in our 2020 revision, we really stress the fact that this is for education and training providers, those that are providing credentials, as well as the learners themselves. And for us, learners not only include students or maybe job or career seekers. But include employees who are trying to develop themselves and perhaps, you know, increase their own credentials or their own knowledge and skills. So, changing the language to be more inclusive of the entire ecosystem was critically important. And I think the more recent updates by trying to, again, standardize around some of the language and the details helps address that kind of comprehensive set of stakeholders.

Dave Bittner: Can we talk a little bit about partnerships here and the organization's efforts to promote that? I'm thinking between, like, academia and industry and government. I know partnerships between those groups is something that's important to you and your colleagues.

Rodney Petersen: Yeah, so we often talk about NICE being a partnership of government, industry, and academia. And so starting at the federal government, we certainly work closely with our interagency partners, including organizations like the National Science Foundation or the Department of Education, which are mostly supporting education and research. But we also work with organizations like the Cybersecurity Infrastructure Security Agency, Department of Defense, and others who have the workforce needs that the NICE Framework can help to build upon. And then there are other partners, whether they be at the White House, the Office of Management and Budget, Office of Personnel Management, that are helping to bring in the federal workforce that is needed in cybersecurity. But we don't limit our engagement to the federal government. We also work closely with state governments, especially through associations and organizations like the National Governors Association or the National Association of State CIOs, or even the multi-state information sharing and analysis center. At the industry level, it's a little more complicated because there's so many players, and again, so many industries both by sector, the economy, as well as companies to work with. So once again, we try to leverage relationships with organizations like the Small Business Administration or the Business Roundtable that represents 250 of the largest employers in the country. And then just naturally, the Department of Commerce has lots of relationships with small and medium businesses, minority businesses, and others. And so we try to make sure we're inclusive in that industry engagement. And at the academic level, it's a continuum from K -12 education to community colleges to universities. And we have relationships, in fact, we do events that target those populations. But specifically at the high school level, you know, we work closely, again, with the Department of Education and its career technical education programs of study. Many of those are also in partnership with community colleges resulting in dual enrollment where students might receive a degree when they graduate from high school that's both a high school diploma and a community college degree. And then at the university and community college level, a very close partnership with both NSA and CISA's National Centers of Academic Excellence in Cybersecurity.

Dave Bittner: Staying with, you know, academia, industry and government here for the moment, I'm curious as this goes out in the world, you know, what are your expectations in terms of, like, those different groups using this, putting it to use, the differences between those verticals and the similarities and the ways that they will approach this and put it to good use?

Rodney Petersen: Yeah, so the value of a standard is that it becomes a standard by which other organizations use it, but we also have a set of principles and attributes that we talk about in the NICE Framework that talks about flexibility and agility. So we certainly expect other sectors and maybe even individual organizations, companies, or nonprofit organizations to have unique needs, either work that doesn't exist elsewhere, or maybe their own nuanced way of doing things. We would hope that the NICE Framework could be, you know, the North Star by which organizations are oriented on themselves. And if they have improvements or ways that the NICE Framework is more effective, maybe in their environment or maybe their sector, that we would benefit from knowing about. We're very open and receptive to that type of feedback. Because ultimately, this is meant to be a national, and I might add international, resource that's being used pretty heavily. And anything we can do to improve it on behalf of the user community, we're more than welcome to learn about.

Dave Bittner: Can you share with us some of the specific ways that the NICE Framework is being used in industry?

Rodney Petersen: Yes, so -- and I think this is true of both industry and government or any enterprise, but one basic way it can be used is a way to assess your workforce, to identify those in your organization who are performing cybersecurity work roles. And that allows you to take an inventory of what you currently have. And then secondly, it leads to your ability to do a gap analysis, to identify maybe areas where you need more workers or where you have gaps that the NICE Framework can help you fill. So that cybersecurity workforce assessment is a really important first step. Secondly is with respect to existing employees and their own professional development, the NICE Framework can allow you to take them from where they are and increase their proficiency level. Either within their current work role, or maybe for a new work role or area that they want to advance into as part of their career advancement. And then finally, certainly as a way to use it for recruitment and hiring, to make sure as they're writing job descriptions and position descriptions, they're really emphasizing the work to be done, what we refer to as the task statements, and then the knowledge and skills, or what might be thought of as the qualifications to do the work. And if we can begin to standardize around job and position descriptions, not only does that help employers to have a better fit for the candidates they're looking for, it actually helps the workers to be able to be more mobile. And I know that may be controversial to some employers that don't want their employees to leave, but the reality is employees are moving from one organization to another, even within the federal government, from one department and agency to another. And having more standardized approaches to job descriptions, position descriptions, helps with that mobility as well.

Dave Bittner: Rodney, I'm curious, you know, as you and your colleagues have seen this through and to the point of, you know, publishing this, this 1.0 version here, what does it feel like to have gone through this process and then send it out into the world?

Rodney Petersen: Well, of course, we're holding our breath and waiting for the feedback, even though we've done a pretty comprehensive job of requesting comments to draft versions of this. We recognize that sometimes it's when the rubber meets the road that people start to test out and realize that there may be some things that we could further refine and improve. So we're looking forward to that additional feedback as people start to test drive the new information. But secondly, it's exciting because it puts behind us a very important kind of cleanup activity we've been working on for several years. So we can focus more not only on the work that's needed here and now, but what's around the corner. And we know, again, in technology, there's going to be a lot of new work roles, a lot of new tasks that need to be done, and certainly knowledge and skills that need to be developed. And we're excited to be able to turn our attention to the future as much as cleaning up what we needed to correct from the past.

Dave Bittner: To wrap things up, we've got closing remarks from each of our guests.

Karen Wetzler: One of the things that we are working with in order to be able to figure out how do we do that better. A lot of it does come down to how do we get the data about who's using this and what kind of impact we're seeing. We are partnering with organizations like CyberSeek.org, which is showing us data about hiring in the United States and what kinds of positions are open and how -- what kinds of gaps there are in cybersecurity profession. And we're seeing a little bit of a positive movement there. We're looking though as well at how do we align this with other kinds of data resources. So for instance, in the end of last year we worked with the Office of the National Cyber Director to hold a workshop around how to measure cybersecurity workforce and using the NICE Framework as part of that. And so we're looking at how do we improve those and continue to do this. But a lot of it is also building up community. We have a NIST Framework users' group where we hope to hear about what does work and what doesn't work.

Brian Fonseca: One thing I would add is that it's not just about the workforce Framework that NIST and NICE is known for, but it's the other work, the other body of work that NIST does regularly in cybersecurity. For example, just a couple of weeks ago we announced a new version and update to the NIST Cybersecurity Framework. And quite frankly, that is probably more well known and more widely adopted by enterprises. But if enterprises are using the NIST Cybersecurity Framework to address cybersecurity at their enterprises, they might be addressing the what -- the why, but now they need to go to the who. Who is the workforce we need? What knowledge and skills do they need? How do we need to prepare them? And how do we need to recruit and hire to address what the NIST Cybersecurity Framework might require us to do? And that's just the tip of the iceberg. We certainly have a Risk Management Framework, we have a Secure Software Development Framework, and many other resources that NIST produces. So part of our aspiration is to more closely align with existing NIST guidance and publications, as well as guidance and publications that exist outside of our own department and agency, or that the private sector produces.

Rodney Petersen: I think organizations could probably, you know, will probably find, or will certainly find value by going to the NICE -- the NICE website. And at the NICE website, you can actually start to pull a variety of resources that can help you do a range of things. Training your organization so they have a lot of free tools that, you know, that are designed to help improve your respective workforce as well as the actual Framework where you can begin to explore the Framework in an interactive way to understand where the gaps are in your organization and what capacity you need to help fill those gaps to create sort of, you know, sort of -- sort of strengthen the resilience of your organization to operate in sort of the cyberspace realm. [ Music ]

Dave Bittner: That is our special edition N2K CyberWire program. Thank you all for joining us and thanks to our special guests, Brian Fonseca, Karen Wetzel, and Rodney Peterson for sharing their expertise and insights. Remember, N2K Strategic Workforce Intelligence optimizes the value of your biggest investment - your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman. Our executive producers are Jennifer Eiban and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here soon. [ Music ]

Special Editions
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Creator: CyberWire, Inc.