According to the report issued this week by the National Institute of Standards and Technology (NIST), the average IT security professional is doing the work of roughly seven people, which may account for why so many of them generally feel overwhelmed.
While most organizations don’t really appreciate the challenges IT security professionals face every day there is some cold comfort in the cybersecurity professional in The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework report published this week by NIST, an arm of the U.S. Department of Commerce tasked with among other things defining best practices for government agencies.
The report seeks to define roles within a cybersecurity team as part of an effort to help government agencies standardize on a common vernacular to be used when hiring cybersecurity professionals. While that’s undoubtedly a noble goal, the document also goes a long way to highlighting why IT security teams are always chronically understaffed.Did You Know: The average IT security professional is doing the work of roughly seven people, via @usnistgov and @mvizardClick To Tweet
The seven primary job roles are defined as follows:
Security Provision: Conceptualizes, designs, procures, and/or builds secure IT systems, with responsibility for aspects of system and/or network development.
Operate and Maintain: Provides the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.
Oversee and Govern: Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
Protect and Defend: Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.
Analyze: Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence
Collect and Operate: Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence
Investigate: Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.
The NIST report then goes on to define 370 skills an IT security team should have and no less than 1,007 tasks that team should regularly accomplish. There’s also 63 bodies of knowledge they should have mastered as well. Naturally, most of the cybersecurity professionals working in the private sector are going to be bemused by the NIST report. After all, most of them are tasked with fulfilling all those roles every day.
But the NIST report is also instructive in that it details the scope of the IT security task at hand. To be fair the report does distribute many of these tasks across an entire IT staff. But even then, the cybersecurity tasks that need be accomplished are clearly overwhelming. It’s little wonder then why cybersecurity professionals feel like they are losing the war for cybersecurity, especially when their cries for additional staff are largely unheeded.
Cybersecurity professionals would do well to share a copy of the NIST report with senior managers if for no other reason than to justify the value they provide. Hopefully, it might even lead to some additional allocation of funding for cybersecurity staff or, at the very least, a raise or bonus or two for members of the existing staff.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.