The Network and Information Security (NIS) 2 Directive is an update to the existing mandate for the European Union. It will help to encourage a common cyber security language across a broader range of sectors of the economy and will require sharing of information between member states and across sectors. Directives like this one have increasing importance in establishing guardrails for cyber activities. To protect shareholder value, the Securities and Exchange Commission (SEC) is considering a cyber reporting requirement for publicly traded companies that would require them to report on how their security teams manage risk and incidents, and on the cyber expertise of the board of directors. The security risk mitigation report will tie back to the skill sets of defined job roles.
Frameworks are helping to articulate these job roles. Until recently, most job openings were generic listings seeking cyber security professionals without well-defined tasks, skills, or knowledge of what is needed to protect the organization's assets. Workforce frameworks such as the European Cybersecurity Skills Framework (ECSF) are starting to standardize the talent needed for positions such as Cyber Incident Responder, Digital Forensics Investigator, and Chief Information Security Officer. Standardization enables organizations to identify the right talent to handle future threats. This is in line with other professions. For example, doctors have specialized areas such as radiologists, pediatricians, and brain surgeons who have the expertise needed in their area to provide proper treatment.
Certification plays an important part in readying people for specific job roles. Certification validates the individual by following best practices and guidelines for educational and psychological testing, such as the ISO/IEC 17024 international standard. An example of a certification considered the global standard is the Certified Public Accountant (CPA). Work experience can make someone an expert, but the CPA is the well-respected baseline of a certified professional and can even be a requirement for compliance on specific projects or audits.
Some examples where workforce frameworks have helped advance the cyber security industry include:
- Large tech and financial firms often have multiple security teams that are standardizing their work roles and requirements through the framework to reposition and rotate workers quickly based on the mission.
- Organizations can map their workforce’s experience and certification to quickly match staff skills with project requirements. This is especially important for consulting firms, tech firms, and contractors.
- Frameworks provide a common language in the workforce across industries like technology, finance, healthcare, retail, and utilities, allowing teams to work together to protect against cyber and physical security threats.
- Frameworks provide a template for academic institutions to bridge the gap between their educational offerings and the current cyber security skills needed across industries, preparing their students for jobs.
SANS and GIAC understand the importance of frameworks and have aligned courses and certifications to them. Frameworks are a template for organizations to standardize job requirements, even though every organization will need some customization tied to its specific mission. We have helped design and implement workforce development programs using frameworks as a template for Fortune 500 companies, government agencies, and organizations of all sizes. SANS | GIAC will utilize the ECSF workforce framework for the EU as we work together to help the industry become better prepared for future threats and the ever-changing needs for talent.