A Holistic Approach to Cybersecurity
Cover - CISSE Volume 4, Issue 1

Keywords

Cybersecurity
IT Governance
NICE Cybersecurity Workforce Framework
CSF Framework

Abstract

The need for a high degree of interconnectivity poses many challenges to organizations seeking to adequately protect and defend their infrastructure from sophisticated cyber-attacks. External and internal attackers have caused substantial losses to organizations, not only by exposing embarrassing emails and incurring financial costs, but also by damaging reputations that never recover. Hackers employ a variety of techniques and strategies to steal financial data and intellectual property and to expose sensitive information. They range from individual attackers, to activist groups, to teams of well-funded criminal enterprises, to full-time attackers employed on behalf of nation-states. If an organization does not have an IT cybersecurity program and security controls in place to handle threats, it will pay the price in costly data breaches and inevitable legal issues. However, cybersecurity is a relatively new discipline that is often referred to by a variety of names, such as information assurance, information security management, and risk management activities. The demand for cybersecurity professionals to address the increased level of threats is being hindered by the absence of a common language or lexicon for understanding the work and skill requirements of IT security positions. It is critical that organizations of all sizes understand the tasks, knowledge, skills, and abilities needed to develop an effective security program. This study evaluated two cybersecurity frameworks created by NIST, namely the National Initiative on Cybersecurity Education (NICE) Cybersecurity Workforce Framework 2.0 and the Cybersecurity Workforce Framework issued by Presidential Executive Order 13636. We provide an in-depth mapping and discussion of the NICE Cybersecurity Workforce Framework 2.0 tasks to the CSF Framework functions and categories, giving cybersecurity professionals a comprehensive basis for developing and implementing an effective IT security program.