Introduction

More and more organizations are turning to the NICE Framework to help develop structure, streamline language, and create continuity on their cybersecurity teams. In fact, a 2021 study found that 81% of companies were considering aligning job descriptions to the framework.

Fast forward four years. Just this month, NIST released an updated version of NICE, and soon Government IT and cybersecurity contracts will be required to align with the framework. There is a lot of buzz around NICE, and it’s bringing up big questions for government agencies and private companies alike—namely, how do you apply NICE to real-world jobs? 

This article breaks down the framework, helping you demystify its structure, tailor it to actual jobs, and build a stronger, more effective cybersecurity team. Whether facing a new compliance requirement or simply interested in using the framework, you need a strategic approach that aligns with your specific workforce needs. We’re here to help.

What is the NICE Framework?

The NICE Framework (National Initiative for Cybersecurity Education Workforce Framework) is a set of standards developed by NIST (National Institute of Standards and Technology) to define and categorize cybersecurity roles, skills, and competencies. Its goal is to provide a common language for organizations, educators, and professionals to discuss and develop cybersecurity skills and work responsibilities.

Components of the NICE Framework 

The NICE Framework is organized into TKSs (Tasks, Knowledge, and Skills), Work Roles Categories, Work Roles, and Competency Areas. 

• ‍2111 Tasks, Knowledge, and Skills (TKSs): The detailed components that define what a cybersecurity professional needs to do (Tasks), what they need to know (Knowledge), and what they need to be able to do (Skills) within a specific Work Role. These statements aim to guide training, education, and workforce development. Examples: Knowledge of encryption algorithms, Knowledge of data mining principles and practices, Skill in identifying vulnerabilities, Skill in constructing networks, Decrypt seized data, Define project scope and objectives.‍
• 5 Work Role Categories:  High-level groupings of cybersecurity work that align with major cybersecurity functions. The NICE Framework defines five broad categories: Oversight and Governance (OG), Design and Development (DD), Implementation and Operation (IO), Protection and Defense (PD), Investigation (IN)
• ‍41 Work Roles: Specific job functions within the cybersecurity workforce that describe a particular set of responsibilities. Work Roles are nested within Categories and define the tasks, knowledge, and skills associated with a specific cybersecurity position. Examples: Communications Security (COMSEC) Management, Digital Forensics, Cyber Intelligence Planning‍
• 11 Competency Areas: Broad groupings of related knowledge and skills that are foundational to performing cybersecurity tasks. Competency Areas help assess and develop workforce capabilities without being tied to specific job roles. The 11 Competency Areas are Access Controls, Artificial Intelligence (AI) Security, Asset Management, Cloud Security, Communications Security, Cryptography, Cyber Resiliency, DevSecOps, Operating Systems (OS) Security, Operational Technology (OT) Security, Supply Chain Security

History of the NICE Framework

The genesis of the framework makes total sense—cybersecurity is a complex, high-stakes industry that varies widely across government agencies and private companies. Organizing the industry started as an ad-hoc reaction, moved to cybersecurity controls, and then to a framework-based approach. Early standards focused on technical outcomes, and while this was a significant step forward, it also exposed the need to address the human component of cybersecurity.

So, in 2007, the Department of Homeland Security created the IT Security Essential Body of Knowledge (EBK) to standardize federal jobs. In 2009, the Comprehensive National Cybersecurity Initiative expanded to include private organizations. Over the next decade, the framework continued to develop, and last year, NICE released the NICE Framework Components as an excel spreadsheet and in JSON format. 

Just this month, NIST released a second version of the framework. It removed the Categories Cyberspace Effects and Cyberspace Intelligence (and the subsequent Work Roles). NIST also updated the Work Roles Digital Evidence Analysis (IN-WRL-002) and Insider Threat Analysis (PD-WRL-005), added a new one, Operational Technology (OT) Cybersecurity Engineering (DD-WRL-009), and updated the Competency Area Cyber Resiliency (NF-COM-007). And, while also fixing typos, NIST removed redundant TKS statements, bringing the total down from 2280 TKS to a mere 2111.

With the arrival of an updated NICE Framework, it’s the perfect time to reassess your current job mappings, check in on compliance, and revisit training needs.  

Now, maybe we’ll be able to make better use of the framework. Unfortunately, not quite yet. 

Why is It So Hard to Figure Out How to Use NICE?

The problem: with all its good intentions, the framework misses real-world needs. At the Work Role level, it uses its own unique terminology, making it impossible to align cybersecurity job titles to it. And then, at the TKS level, it goes into such granular detail (there are still 2,111 of them!) that it becomes overwhelming and unhelpful.

Let’s dig a little bit deeper into why the NICE Framework is so tricky.

1. Lack of Direct Mapping to Real-World Job Titles

A single cybersecurity job requires skills from multiple NICE Categories. A SOC Analyst, for example, needs both Incident Response (PR-RPR) and Threat Analyst (AN-TWA) skills, making it hard to choose the correct NICE mapping. And even if you use their tools, like the NICE Framework Mapping Tool, you are still limited to their language and framing.

2. One Size Does Not Fit All

Organizations have unique security needs depending on their industry, size, and maturity. A Security Analyst at a small startup likely handles multiple NICE Work Roles, while the same title at a large organization may align with only one.

3. Difficult-to-Translate Technical Roles for HR & Recruiters

It’s hard enough for a cybersecurity manager to translate the NICE Framework. Most HR professionals and hiring managers don’t have cybersecurity expertise, making it much more challenging to translate the framework into practical job descriptions. That’s why it’s critical for HR and security teams to work together to figure this out.

4. Lack of Customization Guidance

The NICE Framework is not a plug-and-play system. Employers must tailor it to their specific needs. But there’s little guidance on how to break down or modify the framework to fit industry, company size, or security maturity levels. 

How then are you supposed to know what falls under which job? And how are you to ensure your organization properly complies when you can’t even make sense of the framework?

Why Use NICE At All?

Even with its complexity, NICE can still be helpful. Defining job roles and career paths in this industry is incredibly challenging. But a study found that organizations who simply intended to align with the NICE Framework reported a 57% increase in recruiting satisfaction.

Organizations who simply intended to align with the NICE Framework reported a 57% increase in recruiting satisfaction.

The framework is a great starting point for tasks like writing job descriptions and creating skill gap assessments. But it needs to be used creatively and thoughtfully. Let’s take a look at several ways you could use the NICE Framework:

1. Write job descriptions: The NICE Framework provides a structure for defining cybersecurity job roles and responsibilities. You can use it to create or refine job descriptions, ensuring that roles like SOC Analyst, Incident Responder, and Penetration Tester are defined with the right skill sets.

2. Map team roles: The framework helps CISOs identify gaps in their team’s skills and responsibilities. By mapping existing roles to the NICE Categories and TKSs, you can see where you need to hire or train.

3. Targeted skills development: The NICE Framework outlines the competencies required for specific cybersecurity roles. You can use this to design targeted training programs that ensure your team is skilled in the most relevant areas.

4. Recruitment strategy: By understanding the competencies and tasks required for different jobs, you can better define recruitment strategies to ensure you attract the right candidates.

5. Compliance and governance: Many industries require compliance with cybersecurity standards and frameworks (e.g., NIST, ISO 27001). The NICE Framework provides a recognized standard for defining and aligning security roles, ensuring your organization meets both internal and regulatory compliance requirements.

Prioritize, Prioritize, Prioritize

The trick with all of this is prioritization. You need a cybersecurity expert to look through the list of TKSs and rank them. Sure, everyone needs “K0683 Knowledge of cybersecurity threats.” But a Penetration Tester's depth of such knowledge needs to be much more extensive than a Technical Support Specialist. The first step in applying the NICE Framework is prioritizing which TKSs are the most important for each role on your team.

What About Other Cybersecurity Frameworks?

Good question. The NIST Cybersecurity Framework (CSF) and Department of Defense (DOD) 8140 Cybersecurity Workforce Framework (DCWF) are compatible with—and complement—the NICE Framework. 

The NICE Framework and the NIST Cybersecurity Framework (CSF)

The NICE Framework provides a structured way to define cybersecurity roles, skills, and competencies, while the NIST Cybersecurity Framework focuses on risk management and cybersecurity best practices. 

Organizations can use The NICE Framework to identify which jobs are responsible for implementing CSF’s five core functions (Identify, Protect, Detect, Respond, and Recover). For example, a Security Analyst (NICE Work Role: PR-CDA-001) directly supports the Detect function of CSF by analyzing logs and monitoring security events.‍

The NICE Framework and the Department of Defense (DOD) 8140 Cybersecurity Workforce Framework (DCWF)

DoD 8140 uses the NICE Framework as its foundation but further customizes it to meet specific military and federal government needs. For example, a Cyber Defense Analyst (DoD 8140 role 511) maps to the NICE Work Role Cyber Defense Analyst (PR-CDA-001). This ensures consistency in skills and certification requirements across the U.S. Department of Defense.

How to Align Your Organization to NICE

1. Identify the cybersecurity and cybersecurity-adjacent positions at your organization.
This should include dedicated security jobs, such as Security Analyst, but also positions such as Technical Support Specialist, Software Engineer, and Systems Engineer. Include all jobs that play a role in maintaining your organization’s security posture.

2. Determine if you have job descriptions for these positions.
These will be helpful references as you understand what skills and responsibilities each job is purported to have.

Pro tip: Interview employees to determine how accurate and complete the job descriptions are.

3. Choose one job. Look at the list of the seven NICE Categories. Try (key word) to determine which one or two Categories best describe the job at your organization.

Some examples:

• A Security Analyst belongs under Protect and Defend.
• A Software Engineer aligns best with Design and Development. 
• A Security Engineer, however, is tricky. It belongs under Design and Development, but may also be responsible for Implementation and Operation or Protection and Defense. As you go through each role, acknowledge and document the grey areas.

Pro tip: work with your technical and/or cybersecurity leaders to ensure accuracy as you map jobs to Categories. 

4. Next, drill down from the NICE Category (or Categories) into the Work Roles under it. Identify each Work Role that reasonably aligns to the job. 

Again, this is tricky. In practice, real jobs may encompass elements of several Work Roles. 

For example, Security Analyst aligns to Defensive Cybersecurity. But your organization may have multiple tiers of Security Analysts. Higher tiers could also align to Incident Response and Digital Forensics. They could even be responsible for Threat Analysis. Embrace the grey areas and note the overlaps. This isn’t meant to be an easy plug-and-play exercise. 

5. Let’s say you chose three Work Roles for the job you are mapping. Open each Work Role. Review and prioritize the TKS statements associated with it. 

The 2280 TKS statements vary in size, often overlap or are duplicates, and, by design, recur across many NICE Work Roles. It’s a lot to sort through. Decide how you want to go about it: as a maximalist or a realist.  

• Maximalist: Identify every TKS statement that describes each job.
• Realist: Identify 15-20 TKS statements that best describe each job. 

Consider whether the job currently aligns or should align to each TKS statement. This will give you a sense of how to reconfigure your current positions and/or upskill your employees.

6. Repeat steps 3-5 for every cybersecurity position at your organization. 

How to Demystify the NICE Framework

Sound complicated? That’s because it is. 

It’s an incredibly subjective and nuanced process. You could spend days mapping each of your jobs to Categories and Work Roles, and then several more assessing knowledge and skill gaps. 

No one likes busy work, and this sounds like a whole lot of busy work. We promise, it’s not. You can use NICE effectively, conduct a substantive exercise, and determine real-world action steps for your team. Here’s what we suggest:

1. Identify the cybersecurity and cybersecurity-adjacent positions at your organization.
2. List the 5-10 top responsibilities for each job.
3. Have each security personnel write out what they think are their top 5-10 responsibilities.
4. Compare the two lists. Where are they aligned and where are they different? Use this to show you what might be missing from your team.
5. ‍Take the gaps and match them to relevant TKS statements.

At this point, you have buy-in from your cybersecurity team, as you’ve involved them in the process and honored their perspectives. And you know how your jobs align (or don’t) to NICE.

6. Research training options to upskill your team.
7. Determine whether you need to hire missing skills—and write accurate job descriptions with the knowledge you now have.

Practical Tips for HR Managers

The NICE Framework’s technical terminology can be overwhelming when crafting job descriptions or hiring cybersecurity professionals. Here are some practical tips to simplify the process:

1. Proactively partner with your cybersecurity team. 

We can’t recommend this enough. Effective communication between you and your cybersecurity leaders is crucial for hiring, workforce development, and aligning cybersecurity roles with business goals. Set up a time to meet regularly to discuss workforce needs.

2. Minimize jargon (on both sides).

Cybersecurity leaders often use technical jargon that you may not understand. And you

may use business-focused terms that don’t fully capture cybersecurity needs. Instead, use language that’s helpful for both of you.

3. Develop structured hiring & interview processes.

Collaborate with your cybersecurity leaders on interview questions and evaluation criteria. You can even have them help review resumes and conduct interviews. 

It might be easy to rely on certifications as validation of a candidate’s skills and knowledge. But cybersecurity leaders will help you assess their practical skills. That might look like having them complete a hands-on challenge or asking if they can explain how to investigate a suspected phishing attack.

Practical Tips for CISOs

Writing job descriptions might feel like the last thing on your priority list. But your insight and expertise are incredibly valuable as HR tries to find the right candidate for your team. Take the time to work closely and collaboratively with your HR personnel—it will make a huge difference.

1. Start with business needs, not just technical requirements.
Your HR manager likely will not fully understand which cybersecurity risks or gaps the company faces. It’s critical then for you to tie cybersecurity jobs to business impact and explain your needs in business terms. 

For example, “We need an incident responder to reduce breach response time, which minimizes financial risk.”

2. Translate the NICE Framework into standard job descriptions.

Help HR map job descriptions to NICE Work Roles for clarity. As you well know, it’s a complicated process, and they genuinely need your expertise. Even something as simple as this will help translate NICE:

3. Keep job descriptions clear and practical.

HR may add vague or unrealistic requirements (e.g., requiring CISSP for entry-level roles) simply because they do not fully understand the industry. Edit each job description to ensure it reflects realistic skills and expectations. 

How Cybrary Can Help

Cybrary has years of experience utilizing NICE. In fact, we’ve taken the time to map our entire catalog to every single applicable TKS statement. Yes, you read that right. 

That means for every course and virtual lab your team completes, Cybrary can confirm which relevant TKSs were covered and which Work Roles those map to. For example, our Defensive Security Operations course covers the following TKSs:

• K0691 - Knowledge of cyber defense tools and techniques
• K0824 - Knowledge of incident response roles and responsibilities
• K0990 - Knowledge of cyber operations principles and practices
• K1123 - Knowledge of continuous monitoring principles and practices
• K1131 - Knowledge of cyber defense monitoring tools

You can also always assess our training through the veil of NICE. You can search for courses, labs, and certification prep by NICE Categories and Work Roles. And, with a Cybrary for Business account, you can see how your team is progressing against the NICE Framework. 

Beyond that, we can create custom training paths to meet your team’s unique needs. By working with Cybrary, you gain tailored training and access to cybersecurity experts to help you further utilize the framework. 

Conclusion

You likely found this article because you are trying to figure out NICE. And that’s excellent. Remember, simply having the intention to use NICE produces greater satisfaction. But, as you’ve dug into the framework, try as you might, you’ve likely gotten lost, overwhelmed, confused, or all of the above. 

Take a step back, ask the fundamental question of why, and involve your cybersecurity team in the process. Follow our steps to demystify the framework and see if you can make better sense of it all.

And if not, we’re always here to help. Contact Cybrary today for support in utilizing the NICE Framework and developing a stronger, more focused cybersecurity team.