Exploring the NICE Framework Q&A

In a recent webinar, Cloud Range CEO Debbie Gordon and VP of Technology Tom Marsland discussed how to use NIST's National Initiative for Cybersecurity Education (NICE) Framework to hire, train, and retain a robust cyber defense workforce. Our post-webinar blog outlines the key takeaways from that session.

Now, we want to share a companion piece covering the Q&A session that followed the webinar, during which our audience asked compelling questions about applying the NICE Framework across different sectors, its relevance to different levels of seniority within a role, how organizations can align their training strategies with the Framework, and more.

Q: How can the NICE Framework be applied to sectors with unique cybersecurity requirements, such as healthcare or financial services?

Tom: The NICE Framework establishes common ground. For example, knowledge of computer networking is applicable across every industry in cybersecurity. The NICE Framework was written to fit all computing IT and cyber sectors and can be applied directly to any of those industries.

Debbie: We understand that industries and organizations have specific criteria, such as the tools you're using and how they interoperate – and those can be incorporated. The NICE Framework has outlined a lot of competency statements for knowledge, skills, and abilities (KSAs), but additional KSAs can be created for a job role. That ability to customize – and there are tools, like Cloud Range's Performance Portal, to help you easily do that – allows you to set up the Framework for your specific tool sets, organizational structure, and job requirements. The NICE Framework is the foundation for defining work roles, but it can be tailored to make it unique to your own organization and team.

Q: How often should organizations reassess their alignment with the NICE Framework?

Tom: I recommend quarterly. Look at your team and the gaps in competencies, and be willing to refine those training plans (which can be automatically generated in Cloud Range's Performance Portal). Another thing that you might learn by doing this is that you need to hire additional help when the number of skills you're adding to a role becomes too much. The NICE Framework can help you recognize, "Hey, we've added so many things to this person's training plan, and now their job role, which started with 80 KSAs, has 120 because of things we've required them to learn and be able to do. It's too much, and we need to hire another person."

Q: Is the NICE Framework connected to the SANS Institute Offensive Security Training?

Tom: The NICE Framework stands alone, though many organizations align with it. It was created by the National Institute of Standards and Technology (NIST), which is charged with standards and technology across many different areas. One of those areas is the government, specifically the Department of Defense. The DoD has an instruction called the 8570, which defines certifications that people must fulfill for different roles, such as information assurance managers, developers, and technicians. NIST built the NICE Framework to expand that from the DoD across all government sectors. And we see a lot of applicability as a foundational tool that you can use to define your work roles in the private sector as well.

Debbie: While I can’t directly speak for SANS, I believe they do map their training to the NICE Framework, as does Cloud Range. But the critical part is being able to customize KSAs for your organization – which is something unique that Cloud Range accommodates. As Tom mentioned earlier, a work role that the NICE Framework outlines doesn't have to be exactly how you'll define it in your company.

Ask yourself what you want. What KSAs are truly important? What do you want to remove that might not apply? And what do you want to add that is important? Those things don't have to exist yet in the NICE Framework. You can actually create those and map content to those, so everything you're doing in terms of tracking is your own. The Framework is a foundation, so you're not starting from scratch. We've never actually seen anyone whose work roles map exactly to it. So, SANS Offensive Operations Training may show which KSAs you mapped to, but that doesn’t mean that a role as a pen tester at XYZ company requires those KSAs. A role may require KSAs from another part of the NICE Framework or have different requirements altogether.

Q: How can training plans be generated? Are they only based on the specific training provided by Cloud Range?

Tom: The Cloud Range Performance Portal enables security leaders to generate training plans based on roles, certification prep, or other objectives. And the Portal accommodates content from outside providers. For example, suppose a trainee is in the Performance Portal and has earned a certification like the CompTIA Security+. They can upload proof of completion of training and request a review of how that aligns with KSAs. Their manager can approve the granting of earned KSAs directly in our Portal, which will then show what they've completed. Training plans outline what KSAs or competencies still need to be achieved to reach their goals.

As more organizations map content to the NICE Framework KSAs in our Portal, Cloud Range is building an ecosystem that will allow us to help companies better outline job roles and advance their people. Additionally, the Portal looks at all the knowledge, skills, and abilities (KSAs) of an organization's cybersecurity workforce – as well as other factors, such as MITRE ATT&CK TTPs and Mean Time to Detection – and provides a measurable and actionable rating of readiness across all phases of incident response. That helps all organizations improve their cybersecurity position.

Debbie: This is a broad overview of how the NICE Framework can be implemented in our Performance Portal. If you would like a demo of the Portal and to better understand how to customize your work roles and generate learning plans, please let us know. We'd love to show you a real-time demonstration and discuss your organization's needs.

Q: How does the NICE Framework account for the variation in cybersecurity responsibilities across the different levels of seniority within a role?

Tom: Some of that is accounted for directly in the 52 different work roles that the NICE Framework has outlined. The work roles include senior titles, like an "executive cyber leader." But the best way to account for different levels of seniority is to customize the Framework to fit your needs. Simplifying the hiring process for junior cyber defense responders involves identifying the essential KSAs needed for the initial role and gradually expanding the required capabilities as they grow and advance. That's why it's critical to understand the NICE Framework and how you can customize it to fit your needs.

Learn more about the NICE Framework and how to use it to simplify hiring and training by watching the full webinar.
