Should You Be Using a Cybersecurity Careers Framework?

One of the biggest issues within the cybersecurity sector is the way roles and associated skill sets have evolved organically over time in response to technological innovation. This often can see different skill sets allocated to the same job role by different employers in job descriptions, and it's a situation that is now further exacerbated by current skills shortages.

Such discrepancies make it both very difficult for businesses to plan their workforce and for candidates to determine how they should build their career. To help resolve this, career frameworks have been developed to bring some much-needed transparency. These frameworks should help to improve hiring practices and retention by more accurately matching candidates to roles — which makes them an asset security and HR teams should be exploiting.

NICE in the US

A number of frameworks have now been developed, each at different stages of maturity. The US leads the pack with the National Initiative for Cybersecurity Education (NICE) from the National Institute of Standards and Technology (NIST), which was initially developed for federal departments but is beginning to see widespread commercial adoption since it was revised in 2020. NICE comprises Task, Knowledge, and Skill (TKS) statements that describe what is needed, and candidates can achieve competencies related to these. It's these competencies that an employer would then refer to and list within a job description. There are seven categories covering 33 specialty areas and 52 work roles, although confusingly more than one work role may be encompassed within one job.

NICE can appear daunting because it has so many facets. So the National Initiative for Cybersecurity Careers and Studies (NICCS) has developed the Cyber Career Pathways Tool to help users navigate the framework. It can be used to determine what skills relate to what roles, and any related roles that the candidate might want to move into.

The CCF in the UK

In the UK, the Cyber Security Council has developed the Cyber Career Framework. This covers 16 specialisms and provides details on working life, responsibilities, salary, knowledge, skills, moving on (either up the ladder or laterally), and qualifications.

In addition, the council rolled out its interactive Career Mapping Tool earlier this year. This allows candidates to explore whether they have transferable skill sets and which roles these skills would be compatible with, in a bid to entice those from outside the sector to explore a career in cybersecurity.

The framework isn't yet complete and is being rolled out alongside the Cyber Security Profession Chartered Standards (CSPCS), which aims to offer three certification standards (Associate, Principal, and the coveted Chartered status) within each of the 16 specialisms. It's therefore an ambitious overhaul of the sector, which is expected to be completed by 2025.

The ECSF in the EU

The newest framework out of the three is the European Cybersecurity Skills Framework (ECSF), which was rolled out by Enisa last September. This profiles 12 different cyber job titles in a Roles document with possible alternative titles, a job summary, a mission, deliverables, main tasks, key skills, knowledge, and competencies. Alongside this is a manual that provides guidance for employers, learning providers, and candidates, dovetailing to each of their requirements. It also includes use cases, three of which have been contributed by ISACA, (ISC)², and ECSO (European Cyber Security Organisation).

The hope is that these frameworks will now be more widely adopted in their respective geographic areas, helping to make the sector much less confusing for employers and less daunting to potential recruits.

What Do They Add?

From the employer's perspective, these frameworks can help identify which skill sets go with which roles and help list the relevant ones in each job descriptions. But they can also help with workforce planning and with developing the skills of the staff they already have. The guides provide a clear, linear path of progression, helping to form career plans and thereby improve retention rates.

From a candidate's point of view, the frameworks allow them to see for the first time how different roles are related and what salary they can expect, and enable them to plan their own career development. Those who may have transferable skills can also explore where they might be able to utilize them and find out more about specific roles.

But the frameworks are also relevant to the recruitment sector. Recruiters will no longer need to spend their time rewriting job descriptions that put together unrelated skills or make unrealistic demands. They'll be able to refer to these matrices to source candidates that are more suited to the job and use the information as part of the interview process. These small changes will then increase the likelihood of a hire, helping to drive down the cybersecurity gap.

Casting the net wider still, the frameworks will help guide education providers who are teaching tomorrow's cybersecurity professionals and give them insight into what needs to be on their university courses. And vendors, too, will be able to use the competencies to show what level or skill sets are needed to operate their solutions.

My guess is that in a few years' time, we'll be wondering how on earth the sector functioned without them.