Cybersecurity roles, tasks, and skills are seen by many organizations as nonessential, abstract, or complicated. Although standards are in place, such as the National Institute of Standards and Technology (NIST) 800-181 document titled “Workforce Framework for Cybersecurity (NICE Framework)” available since September 2012, companies are still showing security vulnerabilities in their cyber networks (Hatzes, 2020). Barriers towards creating a cyber-ready workforce are not always due to a lack of resources, but often caused by organizational structure. The need for cyber-cognizant job postings, improved communication between Operational Technology (OT) and Information Technology (IT) employees, increases in staffing and funding for cyber teams, and better communication of standards and training can all contribute to increasing an organization’s cyber resilience. Cybersecurity Competency Health and Maturity Progression model (CYBER-CHAMP) is a model aimed at evaluating an organization’s structure and individual employee’s cyber knowledge and helps develop a plan to reach competency. This model was used to engage with organizations to promote proper cyber protocols and policies. The aim of this paper is to answer if it is possible for an organization to build a cyber-ready workforce by providing education and training options for current employees and prepare the future workforce to be ready on day one of employment. Both open source and firsthand interviews with organizations were used to conduct the research contained in this document. Further research may include additional development to the CYBER-CHAMP model and its delivery platform.

If there is anything we can learn from the media, it is the frequency and severity of cyber-attacks is increasing and there are not enough qualified people to combat the risk organizations are facing. Current estimates say there are 3.5 million available cybersecurity related jobs globally and there has been a 350% growth in cybersecurity jobs since 2013 (Group, 2020). The Idaho Cyber Research Project (ICRP) is focused on finding an implementing solution to the problems in the workforce development pipeline. Our team consists of Cohort 2 of the ICRP, we are tasked with solving issues faced by organizations hiring new cyber personnel. To provide solutions to these issues we focused our research on four components of workforce availability and competency: resume and transcript analysis, apprenticeships, cyber incident response plan development, and adversarial mindset training. From this research we have produced the following focus areas and subsequent steps for each component of workforce capability: transcript and knowledge skills abilities (KSA) focused analysis, cybersecurity apprenticeships programs, the value of an adversarial mindset, and a guide to setting up cyber incident response plans for underprepared organizations. These solutions can be further developed and implemented to reduce the gap in workforce demand and talent.

In 2019, there was a shortage of 3.5 million qualified cybersecurity professionals. Cyberattacks are ever on the rise, making it increasingly important these positions be filled quickly. The purpose of this research, as part of the Idaho Cyber Research Project, was to use information collected from open-source materials to depict the career path issues in cybersecurity for individuals. Interviews with professionals from various industry sectors in Idaho also influenced the course of our research. Early research revealed that one of the main problems is an unclear career path for individuals wanting to enter the cybersecurity workforce. Unclear pathways are defined by of a lack of awareness about a career field, uncertainty surrounding the knowledge and skills taught in college due to a lack of standardization between institutions, high qualification standards in hiring, and a lack of diverse representation in the cybersecurity workforce. Additionally, a platform called CyberKnights was assessed as it applies to the individual and their pathway. However, CyberKnights is not the only solution to this problem, and further research is needed to identify additional solutions.

Cybersecurity is a relatively new and quickly advancing industry, though there is a deficit in industry professionals throughout the world. This deficit is a result of the inability of education to keep up with the continuously changing cyber-threat landscape. A lack of effective, accessible, hands-on training platforms is a barrier for students and professionals who seek to gain the skills and abilities necessary to enter the workforce. Additionally, the lack of adequate training makes it difficult for industry experts to upskill or stay up to date on new advancements within the field of cybersecurity. The goal of this cohort is to discover what makes an effective or ineffective training platform, what platforms are currently available, and to determine the next steps for hands-on learning.
Hands-on experience is necessary to create workforce ready professionals, yet it is underutilized by students and professionals of cybersecurity due to costs, availability, and ease of use. This cohort has uncovered hands-on training solutions, identified many effective training solutions, and explored potential improvement to cybersecurity training. These findings resulted in the cohort moving beyond research to test the resources that currently exist or are in development, and to apply that knowledge to discovering and developing engaging hands-on training.

In the domain of cybersecurity, there are a wide variety of education and training courses offered by a variety of training providers (commercial vendors, governmental, and academic institutions). Unfortunately, a comprehensive cross-provider mapping of the body of course offerings does not currently exist. Furthermore, although individual providers have made efforts, an accepted cross-provider mapping of education and training courses (or categories) to an accepted framework of work-roles by cybersecurity work-role and competency level has not yet been developed. The inability to compare training courses by topic or cybersecurity work-role and the level of difficulty (competency level) affects all organizations in identifying and selecting potential training opportunities for personnel performing cybersecurity duties.

In this work, we report on our application of Machine Learning (ML) Text Classification and Natural Language Processing (NLP) methodologies to begin to create a process to organize an accurate and thorough catalog of course offerings by work-role and competency level. Through the analysis of text-based course attributes (description, learning objectives, prerequisites, etc.), along with the text-based attributes for identified cybersecurity work-roles, our ML efforts examined methods to determine the work-role “best-fit” for each course, as well as the competency level through action-verb text comparison.