Talking About Jobs in “The Tech Industry” or in “The Cybersecurity Industry” Is Just Silly


I was listening to BBC Radio 5 this morning — yes, I do get up early — and they outlined that there were over two million tech jobs advertised in the UK last year, which is more than any other sector. Overall, it is growing 6% per year.

But the term “The Tech Industry” is a silly one, as it doesn’t actually mean anything. Mainly, it is just a simple way to label a disparate set of jobs, such as in AI, Software Development, Cybersecurity, Cloud, … and so many more areas. In Cybersecurity alone, NIST has defined 1,007 tasks, 374 skills, 630 knowledge areas, and 176 abilities. This leads to 33 speciality areas and 52 job roles. And this is one part of the “Tech Industry”!

Overall, there are hundreds — if not thousands — of different types of jobs that relate to technology, which have completely different skills, knowledge areas and job roles. Are we including IC designers, along with AI Developers and Cloud Architects? In most areas, you can define a core of the specialism that you work in, such as that every electrical engineer will know Ohm’s Law, but what is the common knowledge area for the “Tech Industry”?

The use of “Tech Industry” thus falls into the same trap as claiming that there is such a thing as the Cybersecurity industry. To call someone a “Cybersecurity specialist” — as I have been called in the media — is to use a meaningless term. I once said to a BBC editor that I was a Professor of Cryptography, and he just said, “Well, that’s a mouthful, so we’ll just say you are a ‘Cyber Security Expert’.”

Using Technology and Understanding It

At the core of this is that we need to create a workforce that doesn’t just use technology — as there are many kids that can do that — but actually understands how it works. Those are proper digital skills. Being able to explain how a data packet moves from one piece of software to another is a foundation level of understanding of how the Internet actually works. These days, “to use” the Internet or a computer should not be seen as an advanced digital skill.

So, we need to start to teach our next generation: how to code; how to understand how digital systems really work; and how we can overcome many of our existing problems with the Internet. Only then will we have a “Tech-enabled” workforce.

Cybersecurity is a silly term …

I posed the question of “Who Are We?” at an invited talk hosted by ISACA a couple of years ago, as I felt that we call someone a “Cyber Security” professional, but what shared knowledge do we really have? The event covered Pen Testing and Risk Analysis, and I think there can be a wide gulf in knowledge between the two.

Well, I spend a good deal of time crawling over NIST documents related to cryptography and other areas, and now they have truly excelled with their NICE framework for the Cybersecurity workforce. Within it they define seven categories, 33 speciality areas, and 52 work roles, and then map these to 1,007 tasks, 374 skills, 630 knowledge areas and 176 abilities.

The breakdown starts with seven categories and then works these into speciality areas for each category. Next, we break the speciality areas into work roles, and then into the tasks (T), knowledge areas (K), skills (S), and abilities (A) that are defined for the work role. The T, K, S and A can then be mapped to specific work roles. The categories and their speciality areas are:

  • Securely Provision (SP). Risk Management (RSK); Software Development (DEV); Systems Architecture (ARC); Technology R&D (TRD); Systems Requirements Planning (SRP); Test and Evaluation (TST).
  • Operate and Maintain (OM). Data Administration (DTA); Knowledge Management (KMG); Customer Service and Technical Support (STS); Network Services (NET); Systems Administration (ADM); Systems Analysis (ANA).
  • Oversee and Govern (OV). Legal Advice and Advocacy (LGA); Training, Education, and Awareness (TEA); Cybersecurity Management (MGT); Strategic Planning and Policy (SPP); Executive Cyber Leadership (EXL); Program/Project Management (PMA) and Acquisition.
  • Protect and Defend (PR). Cybersecurity Defense Analysis (CDA); Cybersecurity Defense Infrastructure Support (INF); Incident Response (CIR); Vulnerability Assessment and Management (VAM).
  • Analyze (AN). Threat Analysis (TWA); Exploitation Analysis (EXP); All-Source Analysis (ASA); Targets (TGT); Language Analysis (LNG).
  • Collect and Operate (CO). Collection Operations (CLO); Cyber Operational Planning (OPL); Cyber Operations (OPS).
  • Investigate (IN). Cyber Investigation (INV); Digital Forensics (FOR).

Within the job function, we obviously mix and match to the role. For example, an Incident Responder would be involved within the categories of Investigate (IN), Analyze (AN), and Collect and Operate (CO), and have specialist areas for Cyber Investigation (INV), Digital Forensics (FOR), and Cyber Operations (OPS).

Where the proposal truly excels is that it then maps each of the categories and speciality areas to example job titles. With Securely Provision (SP) we get:

  • Authorizing Official/Designating Representative. SP-RSK-001.
  • Security Control Assessor. SP-RSK-002.
  • Software Developer. SP-DEV-001.
  • Secure Software Assessor. SP-DEV-002.
  • Enterprise Architect. SP-ARC-001.
  • Security Architect. SP-ARC-002.

And then, within each of these roles, they define the tasks that might be involved. There are 1,007 different tasks, of which the first 10 are:

  • T0001. Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.
  • T0002. Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program.
  • T0003. Advise senior management (e.g., Chief Information Officer [CIO]) on risk levels and security posture.
  • T0004. Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
  • T0005. Advise appropriate senior leadership or Authorizing Official of changes affecting the organization’s cybersecurity posture.
  • T0006. Advocate organization’s official position in legal and legislative proceedings.
  • T0007. Analyze and define data requirements and specifications.
  • T0008. Analyze and plan for anticipated changes in data capacity requirements.
  • T0009. Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
  • T0010. Analyze organization’s cyber defense policies and configurations and evaluate compliance with regulations and organizational directives.

And to 630 knowledge areas, of which the first 10 are:

  • K0001. Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0002. Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0003. Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • K0004. Knowledge of cybersecurity and privacy principles.
  • K0005. Knowledge of cyber threats and vulnerabilities.
  • K0006. Knowledge of specific operational impacts of cybersecurity lapses.
  • K0007. Knowledge of authentication, authorization, and access control methods.
  • K0008. Knowledge of applicable business processes and operations of customer organizations.
  • K0009. Knowledge of application vulnerabilities.
  • K0010. Knowledge of communication methods, principles, and concepts that support the network infrastructure.

And to 374 skills, of which the first 10 are:

  • S0001. Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • S0002. Skill in allocating storage capacity in the design of data management systems.
  • S0003. Skill of identifying, capturing, containing, and reporting malware.
  • S0004. Skill in analyzing network traffic capacity and performance characteristics.
  • S0005. Skill in applying and incorporating information technologies into proposed solutions.
  • S0006. Skill in applying confidentiality, integrity, and availability principles.
  • S0007. Skill in applying host/network access controls (e.g., access control list).
  • S0008. Skill in applying organization-specific systems analysis principles and techniques.
  • S0009. Skill in assessing the robustness of security systems and designs.
  • S0010. Skill in conducting capabilities and requirements analysis.

And to 176 abilities, of which the first 10 are:

  • A0001. Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
  • A0002. Ability to match the appropriate knowledge repository technology for a given application or environment.
  • A0003. Ability to determine the validity of technology trend data.
  • A0004. Ability to develop curriculum that speaks to the topic at the appropriate level for the target audience.
  • A0005. Ability to decrypt digital data collections.
  • A0006. Ability to prepare and deliver education and awareness briefings to ensure that systems, network, and data users are aware of and adhere to systems security policies and procedures.
  • A0007. Ability to tailor code analysis for application-specific concerns.
  • A0008. Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).
  • A0009. Ability to apply supply chain risk management standards.
  • A0010. Ability to analyze malware.

And then, when you think that they just couldn’t go any further, they then map these back to roles.

Wow! Finally, someone has mapped the space. So, 1,007 tasks, 374 skills, 630 knowledge areas, and 176 abilities … that’s how complex an area it is.

Conclusions

We often still live in a 20th Century model of our world, and we must admit we have failed another generation in getting them ready for the jobs market. For the future, we must stop seeing digital skills as just using technology, and instead create a workforce that actually understands how digital technology works. A nation that does that will succeed in the future. So, go code …