Becoming proficient, employable and promotable in cybersecurity takes a lot of skill and knowledge. Notwithstanding the demand for good cyber people, it’s not easy. Now the Cybersecurity and Infrastructure Security Agency has created an interactive application people can use to design and navigate a cyber career. Nancy Limauro is CISA’s cybersecurity awareness lead, she told Federal Drive with Tom Temin all about the new tool.
Insight by Kodak Alaris: Practitioners provide insight into how states and the IT industry are dealing with Real ID in this exclusive executive briefing.
Tom Temin: So tell us exactly what you have created here. Interactive tool, I guess that’s something online, correct?
Nancy Limauro: That is correct. The cyber career pathways tool is basically a visual and interactive representation of the NICE cybersecurity workforce framework.
Tom Temin: NICE meaning?
Nancy Limauro: The national initiative for cybersecurity education. The NICE framework is basically the fundamental reference for describing all cybersecurity work. So our goal with the tool was really to demystify the framework, we designed the tool to allow users to not only access framework, but to show them how they can progress from one position to another. The audience for the tool, it’s really everyone, anyone in the cybersecurity workforce or anyone trying to get into the field. So by showing the common and different aspects of each work role in the framework, users can quickly identify what knowledge skills and abilities they will need to acquire, and to not only get into the workforce, but then also move from position to position.
Tom Temin: Got it. So they might also know what types of certifications they might need for various parts.
Nancy Limauro: Exactly, exactly.
Tom Temin: Cybersecurity is a pretty broad field, you have management functions and oversight functions, and then you have people that sit there and tap away at things and monitor monitors. And so is it both the technology and the managerial side of cybersecurity?
Nancy Limauro: Exactly, exactly. The framework covers all of that and all of that is depicted in the tool.
Tom Temin: Because some people may want to change from technology to management and they know how to do the technology., but this would help them say make that bridge to a management type of slot.
Nancy Limauro: Most definitely, most definitely. So the tool just depicts everything in the framework. So everything from the technical work to the more policy oriented work. And what we do in the tool is we use a galaxy display. And it’s combined with a specialty area map in a venn diagram to, again, visually depict all of the different communities and all of the work roles that are in the framework. So everything from technical to policy. And so basically, that venn diagram in the tool when you pull it up on our next website, it shows how all the 52 work roles in the framework are interrelated and overlapping so users can quickly locate what work role they’re in or maybe what work role they want to be in, and they can use compare and contrast features to quickly determine to see what skill sets that they need to be in one work role or they may perhaps move to another work role.
Tom Temin: Got it. With 52 work roles, no wonder you need a galaxy map to show them all. But there are five distinct yet complementary skill communities. I’m reading from the site here. What are those?
Nancy Limauro: They basically depict the five main areas in which all the different communities within the framework fall across. And I do want to make the point to that. I don’t want to gloss too much over this that the workers framework covers all cybersecurity work, not just in the federal government it’s all cybersecurity work. But however, we worked with an interagency group chaired by CISA, DoD and Veterans Affairs to identify those tasks the most important from a federal government perspective. So you can do a little toggle on the tool to go from all to federal corps. Those are the ones that are most important from a government perspective. So there’s two different ways to look at it, which is pretty cool we thought. So anyway, back to the communities. As I said, there’s five main areas these skill communities: IT, cybersecurity, cyber effects, cyber Intel, and cross functional. So IT those are the programmers, the network administrators, testing, analysis, everything from building websites to data analysis. Cybersecurity covers IT system defense and security, testing and analysis of the protection of the data systems and information. Cyber effects that covers threat warning and analysis, partner integration and target analysis to ensure for conducting cyber operations. Cyber Intel is what it sounds like. It’s the cyber information collection and analysis in support of operations.
Tom Temin: So that could be people inside a security operation center, or even a network operation center.
Nancy Limauro: Most definitely. And then the last one that’s cross functional. And these are the roles and is to really get into all the policy work. It’s not the technical, these are the roles that aren’t the hands on keyboards, let’s support and enable effective cyber operations. So think things like legal planning, development, acquisitions, all those other policy roles. Me, I’m here talking to you I’m not back in the skiff computer.
Tom Temin: Got it. Well, we let people out of the skiff occasionally if they want to come on the show. And can this tool be used in reverse? That is to say, can agency management and every agency has a need for cybersecurity workforce, can they use it to help plan the workforce they’ll need based on the framework and the 52 work areas and so on?
Nancy Limauro: Most definitely. So again, this tool is really for everyone, as I said, it’s not for only for end users, those are the people seeking the information to plan the careers, but it’s also for management, as you said, to determine what skills they might need in their workforce, what positions that they need to fill, what improvements can be made by their business or their organization, and what improvements can be made by their individuals in their workforce to make sure that all of their needs are me.
Tom Temin: And what about keeping it up to date because these things change as technology changes, as the threat environment changes — and how will you keep this tool up to date?
Nancy Limauro: Great question. First off, the next version of the workforce framework is actually do out end of 2020. At that point, we will make whatever updates are necessary to ensure that the tool reflects the most recent version of the framework. In addition, we will continue to work with that interagency group that I mentioned earlier, just ensure that we have the most up to date information for workforce planners across all the federal government about what they’re seeing out there. And as always, we also encourage feedback and on the tool and any input from people that are using it and ways we can improve it in future versions. Anyone who wants to give us feedback, you can always contact us at email@example.com.
Tom Temin: And they can do that from within the tool, they can contact you?
Nancy Limauro: Yes, there is a button within the tool to contact our support team.
Tom Temin: Now that nice framework is actually the work of NIST over at the Commerce Department, is that also kind of a closed loop back type of situation where you can let them know what you’re seeing on this tool, and maybe that can affect how they update the framework.
Nancy Limauro: Most definitely, yes, we’re in close contact with them all the time. They run a variety of different working group meetings of interested parties across the federal government and outside partners as well. Just on a call with them yesterday. So definitely a constant feedback loop. And they’re happy to see the tool and they’re excited to see what feedback we get from people.
Tom Temin: They’re the only ones that can say we’re nice people, even if they’re not, I suppose. What is the take up been? Have you seen visitors and numbers coming to the site so far?
Nancy Limauro: The first week that the tool was released, we saw some of our biggest numbers to our website that we’ve seen ever. It was something like a 200% increase or something ridiculous. So it’s been great.
Tom Temin: Like hundreds of people say, would that be fair? Or maybe 1000?
Nancy Limauro: No, thousands.
Tom Temin: And they don’t again, just to be clear, anyone from the public or a federal employee can use this for whatever purpose they see fit for their own career.
Nancy Limauro: Exactly. It is on our NICCS website, which is accessible by anyone, anywhere on any type of device, one of our next efforts will probably be to make it a little Bit more usable on mobile devices. definitely encourage anyone to access it from anywhere.