Since 2004, October has been designated Cybersecurity Awareness Month. This year, under the theme “Secure our World,” the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have continued their work to raise awareness of cybersecurity issues, both nationally and internationally.
In keeping with this year’s theme, I want to address the current state of the cybersecurity workforce, including the challenges employers face in fulfilling open positions and how graduates can be workforce ready to meet these challenges. Let’s dive in.
Cybersecurity Professionals are in High Demand
Cybersecurity talent gaps exist across the country, with more than 700,000 job openings nationally and 13,000+ openings in New Jersey (as of October 2023). With demand significantly out pacing supply, a 2020 ESG / ISSA survey of 327 cybersecurity professionals, found that 70 percent felt that their organization has been impacted significantly or somewhat by the lack of cybersecurity professionals.
Unfortunately, just earning a degree in cybersecurity will not necessarily land a job for graduates. In 2020, an Information Systems Audit and Control Association (ISACA) report found that 70 percent of organizations believe that fewer than half of all applicants for open cybersecurity positions are actually qualified for the job; this is up 9 percent from their 2018 report. Additionally, organizations are dissatisfied because they see that many graduates of cybersecurity programs lack a demonstration of essential hands-on cybersecurity skills. In general, it’s difficult for hiring managers to gauge if the graduates are workforce ready. Further, the ISACA 2020 State of Cybersecurity survey found that prior hands-on cybersecurity experience was the most important factor in determining if a cybersecurity candidate was qualified for a position, followed by the candidate having the proper industry certifications and then hands-on training.
So, let’s consider these factors that are used in determining if a cybersecurity candidate is workforce ready and how a cybersecurity degree program can help students demonstrate this readiness to employers.
Cybersecurity Courses and the NICE Framework
Programs with hands-on training provided through the use of customized labs and third party content providers, such as InfoSec Learning, TestOut and CompTIA, help students develop the knowledge, skills and abilities (KSA’s) that meet the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. This framework was developed by National Institute of Standards and Technology (NIST) to improve communication about how to identify, recruit, develop and retain cybersecurity talent. Essentially, the framework categorizes, organizes and describes cybersecurity work.
The NICE Framework consists of seven categories, which are a high-level grouping of common cybersecurity functions. Under each category there are multiple specialty areas, 33 in total:
- Investigate
- Cyber Investigation
- Digital Forensics
- Collect and Operate
- Collection Operations
- Cyber Operational Planning
- Cyber Operations
- Protect and Defend
- Cyber Defense Analysis
- Cyber Defense Infrastructure Support
- Incident Response
- Vulnerability Assessment and Management
- Analyze
- All Source Analysis
- Exploitation Analysis
- Language Analysis
- Targets
- Threat Analysis
- Operate and Maintain
- Customer Service and Technical Support
- Data Administration
- Knowledge Management
- Network Services
- Systems Administration
- Systems Analysis
- Operate and Maintain
- Customer Service and Technical Support
- Data Administration
- Knowledge Management
- Network Services
- Systems Administration
- Systems Analysis
- Oversee and Govern
- Cybersecurity Management
- Executive Cyber Leadership
- Legal Advice and Advocacy
- Program/Project Management and Acquisition
- Strategic Planning and Policy
- Training, Education and Awareness
- Securely Provision
- Risk Management
- Software Development
- Systems Architecture
- Systems Development
- Systems Requirements Planning
- Technology R&D
- Test and Evaluation
These specialty areas represent distinct areas of cybersecurity work. And within each specialty area there are work roles, currently numbering 52, which have specific cybersecurity jobs and the knowledge, skills and abilities (KSAs) required to perform tasks in the role. Increasingly, employers are using NICE Framework categories, specialty areas and KSAs in their job postings.
NICE Framework in Practice
Let’s look at an example that will show how a lab assignment in a course at TESU might map into specific work role. Consider a lab covering Firewall and Intrusion Detection Systems. The goal of this lab is for students to learn how to use an application called Snort to detect and prevent network attacks. During the development of the assignment, our course development team and Subject Matter Experts (SMEs) would use the NICE Framework to assign a category, specialty area, work role and the associated KSAs of the work role.
In this example, we have selected the category of Protect and Defend since the lab requires students to learn how to identify, analyze and mitigate threats to internal information technology systems and networks. The specialty area is “Cyber Defense Analysis” since the lab will require students to learn how to apply defensive measures to protect a network. The associated work role for this specialty area is a Cyber Defense Analyst; under this work role there are numerous knowledge units associated with each KSA. In this example we have selected, K0177, S0025 and A0128.
Lab: Firewall & Intrusion Detection Systems
- NICE Framework Mapping
- Category: Protect and Defend
- Specialty Area: Cyber Defense Analysis
- Work Role: Cyber Defense Analyst
- Knowledge: K0177
- Knowledge of cyber-attack stages
- Skills: S0025
- Skill in detecting host and network-based intrusions via intrusion detection technologies
- Abilities: A0128
- Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies
- Knowledge: K0177
- Work Role: Cyber Defense Analyst
So, with this mapping, if a student completes the lab successfully, they are gaining relevant hands-on experience what will help them become proficient for the NICE KSAs under the Protect and Defend Category for the specialty area of Cyber Defense Analysis and role of Cyber Defense Analyst with those specific knowledge units. This exercise provides the necessary skills to help graduates become a cybersecurity professional and ensure that employers are getting candidates that can fulfill their open positions.
In fact, according to CyberSeek.org, in October 2023, there were a number of cybersecurity job openings per the NICE Framework:
Operate and Maintain: 378,207
Securely Provision: 328,362
Oversee and Govern: 253,592
Analyze: 103,664
Protect and Defend: 177,223
Collect and Operate: 181,387
Investigate: 18,712
Cybersecurity Courses and Certifications
Recall that ISACA 2020 State of Cybersecurity survey also listed industry recognized certifications as another essential factor in determining if a cybersecurity candidate was qualified for a position. Here’s a breakdown of the most current in-demand certifications being requested in job openings:
Certified Information Systems Security Professional (CISSP): 91,765
CompTIA Security+: 265,992
Certified Information Systems Auditor (CISA): 35,812
Global Information Assurance Certification (GIAC): 46,318
Certified Information Security Manager (CISM): 20,300
While cumulatively required courses will certainly help students prepare for the broader certifications, such as (ISC)²’s Certified Information Systems Security Professional (CISSP), CompTIA’s Security+, ISACA’s Certified Information Systems Auditor (CISA) and others; several of TESU’s required and elective courses have been developed to help students prepare for more specific certification exams from CISCO, CompTIA, EC-Council and TestOut:
|
Course |
Helps Prepare For |
|
ITS-140 Introduction to Networking |
CISCO CCNA |
|
ITS-261 Linux |
CompTIA Linux+ |
|
CMP-202 Intro to Information Technology |
CompTIA ITF+, TestOut IT Fundamentals |
|
CYB-220 Defensive Security |
CompTIA Security+ |
|
CYB-320 Ethical Hacking |
Certified Ethical Hacker (CEH) |
|
CLD-110 Intro to Cloud Computing |
CompTIA Cloud Essentials+ |
|
CLD-210 Operation and Management of Cloud Computing Systems |
CompTIA Cloud+ |
In regard to the curriculum, programs and courses that are taught by leading scholar-practitioner faculty who are experts in the field of cybersecurity/information technology can assure students gain the hands-on experience relevant to the human, legal, policy and ethical aspects of cybersecurity needed to protect cyber infrastructure and information assets today and tomorrow.
If you would like more information or have questions about TESU’s cybersecurity degree programs, please reach out to heavin@tesu.edu.
Written by Stuart Adam Eisenstadt, Assistant Dean, Heavin School of Arts, Sciences, and Technology