NIST Report Helps Explain Why Most Cybersecurity Professionals Are So Insecure


According to the report issued this week by the National Institute of Standards and Technology (NIST), the average IT security professional is doing the work of roughly seven people, which may account for why so many of them generally feel overwhelmed.

While most organizations don’t really appreciate the challenges IT security professionals face every day, there is some cold comfort for the cybersecurity professional in the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework report published this week by NIST, an arm of the U.S. Department of Commerce tasked, among other things, with defining best practices for government agencies.


The report seeks to define roles within a cybersecurity team as part of an effort to help government agencies standardize on a common vernacular to be used when hiring cybersecurity professionals. While that’s undoubtedly a noble goal, the document also goes a long way to highlighting why IT security teams are always chronically understaffed.

The seven primary job roles are defined as follows:

Security Provision: Conceptualizes, designs, procures, and/or builds secure IT systems, with responsibility for aspects of system and/or network development.

Operate and Maintain: Provides the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

Oversee and Govern: Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.

Protect and Defend: Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.

Analyze: Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

Collect and Operate: Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.

Investigate: Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.


The NIST report then goes on to define 370 skills an IT security team should have and no less than 1,007 tasks that team should regularly accomplish. There are also 63 bodies of knowledge they should have mastered. Naturally, most of the cybersecurity professionals working in the private sector are going to be bemused by the NIST report. After all, most of them are tasked with fulfilling all those roles every day.

But the NIST report is also instructive in that it details the scope of the IT security task at hand. To be fair, the report does distribute many of these tasks across an entire IT staff. But even then, the cybersecurity tasks that need to be accomplished are clearly overwhelming. It’s little wonder, then, that cybersecurity professionals feel like they are losing the war for cybersecurity, especially when their cries for additional staff are largely unheeded.

Cybersecurity professionals would do well to share a copy of the NIST report with senior managers if for no other reason than to justify the value they provide. Hopefully, it might even lead to some additional allocation of funding for cybersecurity staff or, at the very least, a raise or bonus or two for members of the existing staff.
