Measuring Proficiency: NICE Framework Work Role Levels of Responsibility

Proficiency can be measured in many ways, with a wide variety of scales and assessment methods. It can look very different depending on the context, and there are numerous examples of existing models to pull from.

The NICE Workforce Framework for Cybersecurity (NICE Framework) defines a common structure and language to describe cybersecurity work and the knowledge and skills individuals must possess to effectively complete that work. Importantly, the NICE Framework describes cybersecurity work in a workplace context. That is, its content reflects work that is being conducted in real-life cybersecurity jobs. Because of this, it is important to define a proficiency scale in that context.

Workplace Proficiency Scale Characteristics

Key characteristics of a workplace proficiency scale are:

• Demonstrative: Demonstrating capability requires practical application versus theoretical comprehension—something the NICE Framework Task, Knowledge, and Skill statements support. The scale levels should reflect how these might be evidenced in the workplace.
• Supervision: Incorporating levels of supervision—that is, how a supervisor expects an employee to perform at various levels of proficiency—provides great insight into capability.
• Workplace Skills: Different stages of a career and different Work Roles typically require varying levels of workplace (sometimes referred to as “professional” or “soft”) skills. For instance, a leadership position may place greater emphasis on relationship building, whereas a more technical role may require greater teamwork skills. A workplace proficiency scale should take these skills into consideration.

Using the Work Roles & Levels of Responsibility

• Career Discovery: Are you interested in learning more about a Work Role and what a job in that role might look like? NICE Framework Work Role Levels help individuals get a clearer picture about where a Work Role might fit in an organization and how it might shift over time, depending on what level it performs.
• Career Pathways: Are you just starting in your career, or maybe shifting into a role with cybersecurity responsibilities mid-career? Or it could be that you are already working in cybersecurity but want to plan your future. Exploring the NICE Framework Work Role Levels will help you find paths to the role and level you want.
• Workforce Planning and Hiring: Understanding NICE Framework Work Role Levels provides insights into what impact someone might have in an organization. It can help you create better job announcements, assess candidate capabilities, and support workforce training and development.

Credit: SFIA

View the NICE Framework Work Roles to SFIA
Levels of Responsibility PDF

NICE Framework Work Roles

Credit: NICE

NICE Framework Work Roles are grouping of work for which an individual or team is responsible or accountable. Work Roles consist of Tasks that describe the work to be done. Tasks in turn correlate to Knowledge and Skill statements, which describe what someone needs to know and be able to do to complete that work. Work Roles are not synonymous with jobs or position titles, and a single job can include a part of a Work Role or more than one Work Roles. They are used in career exploration, education and training, hiring and career development. Assessment for Work Roles typically occurs at the Task level.

There are five Work Role Categories in the NICE Framework, representing 41 Work Roles.

SFIA Levels of Responsibility

In 2022, NICE published a report to Congress on “Measuring Cybersecurity Workforce Capabilities: Defining a Proficiency Scale for the NICE Framework.” When considering existing models, one stood out as particularly promising—the SFIA Levels of Responsibility. SFIA is an internationally recognized skills framework used by “individuals and organisations wishing to enhance their digital and information technology skills and competencies.” The NICE Framework and SFIA framework are complementary—skills described in SFIA include areas such as cybersecurity, software engineering, enterprise IT, cloud, and data—content that is also represented in the NICE Framework. SFIA and NICE users frequently ask about using SFIA and NICE together, particularly for workforce development needs, and a mapping between the two frameworks is available.

The SFIA levels of responsibility are a type of proficiency scale that represents increasing expertise and responsibility in professional roles at seven levels. The levels focus on the impact required by a role or required by a person in that role in the workplace. It can be used to determine workplace proficiency: to be effective in a role, you must be able to perform that role at the required level of impact. This approach:

• Emphasizes practical skills and work experience rather than solely academic knowledge or time in the field.
• Aligns work roles with present-day cybersecurity demands, ensuring that practitioners at all levels have the necessary expertise to combat cyber threats.
• Supports assessment of both actual capabilities and developmental potential.
• Visualizes career progression through increasing workplace impact.
• Promotes targeted professional development.

Credit: SFIA

Each level is designed to be:

• Progressive: Builds on the previous level’s requirements
• Distinct: Clearly differentiated from adjacent levels
• Consistent: Uses uniform criteria across all Work Roles

The 2022 report recommended that NICE establish a workplace-focused NICE Framework proficiency scale modeled after the SFIA levels, an approach that is supported by the history of collaboration between the two organizations. As a result, NICE and SFIA have engaged together to map the NICE Framework Work Roles to the SFIA Levels of Responsibility to determining what levels each Work Role typically performs.