Leading by Example on the Cybersecurity Workforce

Part two of our analysis on the Executive Order on America’s Cybersecurity Workforce
May 9, 2019

This is the second post in a series on the Executive Order on America’s Cybersecurity Workforce. The first post in the series is available here.

One of the biggest challenges in cybersecurity workforce development is that policymakers cannot simply order, legislate, or regulate a stronger workforce ecosystem into existence. Many of the forces that shape the workforce sit outside policymakers’ direct control. However, that does not mean that federal policymakers are powerless to steer positive change.

One of the tools in the federal policy kit is leading by example, and the new Executive Order on the cybersecurity workforce shines in this regard. The EO initiates a number of new programs that could stand as proof of concept (and benefit) to encourage the rest of the cybersecurity community to think innovatively about their own workforce.

Several of these individual programs are promising. For example, a new rotational program offers a chance for federal employees to gain experience outside their usual area while infusing agencies with new talent and ideas. For this rotational program—and for all the programs initiated by the executive order—success hinges on thoughtful implementation. As ever, the devil will be in the details. It has not escaped notice that such a program could result in agencies “passing their poorer-performing cybersecurity workers” to other offices. But overall, it is encouraging to see federal leaders setting an example by implementing emerging ideas in their own workplaces.

On a similarly encouraging note, the EO promotes much wider implementation of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, a resource that makes the amorphous idea of “cybersecurity jobs” much more concrete. Not only does it explicitly list the work roles that fall under that heading, it also describes the specific knowledge, skills, abilities, and tasks that are characteristic of each different work role. For good reasons, the NICE Framework itself is voluntary and non-prescriptive. Employers can choose whether or not to align their job descriptions and cybersecurity workforce taxonomy with the Framework.

The EO directs government leaders to incorporate this otherwise voluntary Framework in their own workforce and in the reporting requirements for contracts for information technology and cybersecurity services. Government contractors make up a big part of the cybersecurity community, so this provision will likely have a very widespread impact in implementing the NICE Framework in both the public and private sectors.

At first glance, the Framework may come across as a bit academic, but its utility is very real, which is why widespread implementation is such a big deal. For example, the Framework connects work roles with the tasks expected in those jobs and the knowledge, skills, and abilities needed to execute those tasks. Apart from the fact that this essentially creates ready-made job postings, it also helps educators, employers, and jobseekers get on the same page in discussing available jobs and what applicants will need to be successful in those jobs.

There is also an indirect benefit to the whole cybersecurity ecosystem in enabling data collection on workforce trends. Establishing a more standardized way of understanding what falls into the category of “cybersecurity jobs” allows researchers to measure that workforce according to a consistent definition. It is the first step to generating data on workforce trends. That data will be crucial for helping craft better policies to build the cybersecurity workforce.

In short, the Executive Order on America’s Cybersecurity Workforce is a positive development. With that said, we still have some questions about the EO, which will be discussed in subsequent posts. The next post in this series discusses aptitude assessments and diversity, and is available here. These questions, however, do not detract from the overall value in wider implementation of the NICE Framework and leading by example on workforce programs.