The NIST NICE Framework (SP800-181) is a formalized approach to defining the cybersecurity workforce. The purpose of the framework is to enable organizations to effectively identify, hire, track, train, and develop a qualified cybersecurity workforce. The framework also enables those who wish to enter the cybersecurity workforce to better understand their options, while also helping those already in the workforce better define and develop their career path.
The framework achieves this by creating a common lexicon made up of the following components:
- 7 Categories: Broad grouping of cybersecurity functions.
- 33 Specialty Areas: Specific areas of cybersecurity work.
- 52 Work Roles: The comprehensive grouping of work, essentially what you or I would refer to as job descriptions.
NIST NICE then defines each work role with a title and description, tasks expected for that work role, and the knowledge, skills, and abilities (KSAs) that the respective work role is expected to have.
This shared lexicon ensures that everyone is speaking the same language. For example, if you need to hire someone for your incident response team, you can give your human resources team the exact requirements for an incident responder based on the framework. Similarly, people seeking such a position know exactly what is expected of them.
Such a framework is great until you run into a role that is not well defined by the framework. After reviewing the NICE Framework, we could not locate what we felt was an adequate description for what we would call a security awareness and communications officer. This is someone who is specifically responsible for selling the concept of cybersecurity to the workforce. In this role, their goal is to create secure behaviors throughout the organization, and ultimately enable a security driven culture. The closest three work roles we could find were:
- Cyber Instructional Curriculum Developer (OV-TEA-001)
- Cyber Instructor (OV-TEA-002)
- Cyber Workforce Developer and Manager (OV-SPP-001)
While all three of these had elements that could represent security awareness, none of them was a sufficient fit. The first two work roles are primarily focused on identifying the need for, creating, and implementing technical, skills-based training for specialized roles. In addition, the NICE Framework requires these work roles to have highly technical skills and abilities. A security awareness officer rarely needs to know how to conduct vulnerability scanning or demonstrate proficiency in mobile device forensics. That is why security awareness officers partner with their security team to leverage its technical expertise.
While instructional design and learning theory are one part of security awareness, other tasks and KSAs include communicating with and engaging the workforce, partnering with different business units and stakeholders, promoting secure behaviors across the organization, and ultimately helping take a change management approach to security. After cross-referencing various work roles in the framework, we came up with what we feel is a better description for someone involved in security awareness, communication and culture related activities.
Work Role Name: Security Awareness & Communications Officer
Work Role ID:
Specialty Area: Training, Education and Awareness (TEA)
Category: Oversee and Govern (OV)
Work Role Description: Builds, maintains and measures the organization's security awareness and communications program with the goal of securing the workforce's behaviors and ultimately creating a secure culture.
Tasks: T0001, T0025, T0030, T0073, T0094, T0101, T0224, T0248, T0316, T0320, T0321, T0322, T0323, T0341, T0345, T0352, T0357, T0365, T0367, T0380, T0382, T0384, T0425, T0437, T0442, T0443, T0450, T0451, T0467, T0519, T0520, T0534, T0535, T0926
Knowledge: K0002, K0004, K0115, K0124, K0204, K0208, K0213, K0215, K0216, K0217, K0218, K0220, K0226, K0239, K0243, K0245, K0250, K0252, K0628
Skills: S0052, S0070, S0100, S0101, S0296, S0301, S0356
Abilities: A0004, A0006, A0011, A0012, A0013, A0014, A0016, A0017, A0018, A0020, A0022, A0057, A0070, A0083, A0089, A0105, A0106, A0114, A0119, A0171
You will notice we removed most of the tasks and KSAs that are highly technically focused, placing the emphasis instead on softer skills such as communications, partnering, behavior modeling, and project management. Ultimately, an awareness manager's focus is less on technical skills-based training and more on organization-wide behavior change, which is the bottom tier of the learning continuum.
Many security awareness professionals leverage the BJ Fogg Behavior Model, which holds that the easier we make a behavior, and the more motivated people are to adopt it, the more likely they are to exhibit secure behaviors. We have often found that some of the best security awareness managers come from soft-skills backgrounds such as marketing, communications, public relations or journalism. By partnering with members of the technical security team, security awareness professionals can leverage that team's expertise and 'translate' it into content and materials the workforce can readily consume and act on.
In each of the past four years that we have released our annual Security Awareness Report, we have found that less than 30% of security awareness professionals dedicate more than half of their time to awareness activities. Less than 10% have the words 'awareness', 'training' or 'education' in their job titles. This indicates that for most organizations, awareness and behavior change is considered a part-time job, simply dumped on someone within the technical security team to handle.
At the same time, reports like the Verizon DBIR continue to identify the human as one of the primary attack vectors and a top risk for organizations. We hope that by adopting this work role, the NIST NICE Framework will encourage more organizations to invest in a dedicated role responsible for organization-wide awareness and behavior change. In addition, this new work role is ultimately defined by the community, for the community. We welcome and encourage any feedback or recommendations on how to improve it.