A NICE Retrospective on Shaping Cybersecurity’s Future

Rodney Petersen has served as the Director of NICE at the National Institute of Standards and Technology (NIST) for the past eleven years, where his focus has been on advancing cybersecurity education and workforce development. He will be retiring from federal government service at the end of the 2025 calendar year. Prior to his role at NIST, he worked in various technology policy and leadership roles with EDUCAUSE and the University of Maryland.

The NICE program, led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, has its origins in the Comprehensive National Cybersecurity Initiative (CNCI) established by President George W. Bush in January 2008. CNCI Initiative 8 was aimed at making the Federal cybersecurity workforce better prepared to handle cybersecurity challenges and launched the establishment of the National Initiative for Cybersecurity Education (NICE) to provide for a “unity of effort” across the Federal government. Subsequently, Congress passed the Cybersecurity Enhancement Act of 2014, which established a “national cybersecurity awareness and education program”, now known as NICE. For the past decade and a half, the NICE program has contributed to the evolution and growth of cybersecurity education and workforce programs in both the public and private sectors – domestically and abroad.

Central to the NICE strategy over the past several years has been the nurturing of a comprehensive and diverse community of stakeholders, including representatives from government, industry, and academia, to promote and energize a coordinated and integrated approach to cybersecurity education and workforce development. The first NICE Strategic Plan focused on coalescing the efforts of the Federal government to raise national awareness about risks in cyberspace, broaden the pool of individuals prepared to enter the cybersecurity workforce, and cultivate a globally competitive cybersecurity workforce. A subsequent strategic plan extended that coordination to include academia and industry with the aim to accelerate learning and skills development, nurture a diverse learning community, and guide career development and workforce planning. The current strategic plan emphasizes “a robust community working together” to address strategic priorities such as promoting the discovery of cybersecurity careers and multiple pathways, transforming learning to build and sustain a skilled and diverse workforce, and modernizing the talent management process to address cybersecurity skills gaps. The evolution of these strategic plans, and subsequent ones to follow, inspires a community committed to the advancement of cybersecurity education and workforce development for the benefit of the Nation.

Over the past several years, cybersecurity education and workforce programs have been driven by a series of principles that have provided a strong foundation for success:

  • Employer-led: employer participation and leadership are critical to identifying skills requirements to meet the workforce needs of both public and private sector employers and establishing learning pathways to attract a broad range of future cybersecurity professionals.
  • Learner-centered: the personal and professional development of learners, including students, job-seekers, and employees, is tailored to their aptitude and capabilities to maximize their ability to immediately contribute to the cybersecurity needs of organizations.
  • Community-based: local and regional economies often have different needs or capabilities, necessitating coordination, cooperation, organization, and implementation at the community level through local and regional stakeholder engagement.
  • Standards-driven: the scale and sustainability of programs are best facilitated by consistent education and workforce standards that contribute to quality and stability across organizations and support a workforce that is increasingly mobile across organizations and different sectors of the economy.
  • Results-oriented: program managers should document the demonstrated learning outcomes that result from hands-on learning, performance-based assessments, and work-based learning experiences that contribute to developing a workforce who will impact the management of cybersecurity risks to organizations.

Although the scope of the workforce addressed by NICE has largely been focused on the cybersecurity community (i.e., those who seek to secure cyberspace), we have seen a necessary overlap and inclusion of other related career fields such as information technology, operational technology, computer science, engineering, and other technical disciplines and fields. In some cases, organizations such as the Department of Defense have been focused on the broader “cyber” (or cyberspace) workforce that is inclusive of all operations in cyberspace, not just cybersecurity. Currently, we are seeing advances in artificial intelligence, data science, quantum information science, and other emerging technologies demanding a renewed and broadening focus on the workforce needs of organizations. Consequently, whether the NICE community’s focus is as broad as STEM (Science, Technology, Engineering, and Mathematics) or as specific as Cybersecurity, a lot of the same principles and approaches apply.

One interesting area of evolution in the history of NICE has been the shifting of emphasis from “education pipelines” (e.g., K12 schools to colleges to universities) of traditional-aged students towards the “reskilling or upskilling” of the incumbent workforce that is often facilitated by community colleges or training providers. Initially, reskilling workers into cybersecurity careers was largely regarded as a strategic opportunity to expand the available cybersecurity workforce. Today, reskilling or upskilling workers is increasingly vital – both to meet the cybersecurity workforce demand of organizations and to provide opportunities for career-changers whose skills are becoming increasingly obsolete or whose work is being replaced through automation by machines. One constant requirement for cybersecurity or technology work roles is that employees must pursue continuous learning, and we should expect the future of work to continually change. Flexibility and agility are attributes that you can expect to be of increasing value to employers.

Another point of emphasis has been Skills-Based Approaches to Cybersecurity Talent Management. The NICE Workforce Framework for Cybersecurity (NICE Framework) has a longstanding tradition of emphasizing knowledge (what people know) and skills (what people can do) – which when put together measure the “competencies” of learners. Based on employer input, the historical emphasis on “knowledge” (see reference to “education pipeline” above) has shifted to a greater priority placed on “skills” in recognition that students and job-seekers need to be “job-ready” upon completion of a learning program. That means that our strategic plans over the years have increasingly emphasized the importance of “hands-on learning”, “performance-based assessments”, and the development of job descriptions that prioritize qualification requirements based on the NICE Framework. Additionally, “work-based learning experiences” resulting from apprenticeships, internships, project-based learning, and other learning experiences supported by employers are also of high value and can empower learners with a substitute for the “experience” often expected by employers.

Perhaps the most significant path to ongoing and future success is effective ecosystem development. As previously stated, education and workforce strategies should be “community-based”. That not only means that they are “employer-led” to meet local, regional, or state workforce needs, but that they are coordinated among a variety of community stakeholders to include K-12 schools, colleges and universities, training organizations, local and regional governments, economic development entities, workforce developers, and others. We are proud to have created the RAMPS program (for Regional Alliances and Multistakeholder Partnerships to Stimulate Cybersecurity Education and Workforce Development) to encourage and facilitate ecosystem development. The RAMPS formula draws upon successes from other local workforce development programs and promises to be repeatable for new and emerging workforce needs.

As the NICE program celebrates 18 years of progress, transitions leadership roles, and prepares to announce its next strategic plan, I am mindful that cybersecurity education and workforce development is “a journey and not a destination” and that it “takes a village” to keep us moving in the right direction. The community effort is something I will be eternally grateful for and proud of. As you embark upon the future, remember that “Together is Better.”

About the author

Rodney Petersen

Rodney Petersen is the director of the National Initiative for Cybersecurity Education (NICE) at NIST. He worked previously as the managing director of the EDUCAUSE Washington Office and director of IT Policy and Planning at the University of Maryland. When he is not evangelizing for increasing the cybersecurity talent pipeline, he volunteers as basketball commissioner for Savage Boys & Girls Club and spends time with his wife as #emptynestsurvivors.
