There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk will be in a better position to defend their enterprise from attack.
Approaches to developing and implementing programs to safeguard an organization’s information system work best when they manage cybersecurity risk through assessment and mitigation of threats and vulnerabilities, through empowerment of an integrated, multi-disciplinary cybersecurity workforce capable of designing, developing, implementing, and maintaining defensive and offensive cyber strategies. An integrated cybersecurity workforce includes technical and nontechnical roles that are staffed with knowledgeable and experienced people that can address the cybersecurity challenges inherent to preparing their organizations to successfully implement aspects of their missions and business processes connected to cyberspace.
Many organizations are challenged with the hiring and development of a resilient, highly skilled workforce capable of leading a comprehensive information security program. The National Institute of Standards and Technology (NIST), National Initiative for Cybersecurity Education (NICE), has developed a framework and reference guide that describes the interdisciplinary nature of cybersecurity work.
NIST developed the guide to serve as a fundamental resource to identify how to empower a workforce with the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization. The guide also seeks to improve communication about how to identify, recruit, develop, and retain cybersecurity talent.
Employing the NICE framework can help organizations optimize their cybersecurity workforce through aligning people, processes, and technology. These strategies are best summarized as:
Having a clear, up-to-date understanding of job roles and finding competent people to fulfill those roles is essential for any organization to function effectively in a cybersecurity environment
Cyberattacks are evolving and striking organizations constantly. To continuously defend your organization from these threats, your workforce needs to establish structured processes and implement best practices
While new technology can be easy to acquire, your organization will still be at risk of an attack until your employees have the right skills. By providing your workforce with the right cybersecurity training, you can garner the full potential of deployed security technology.
Organizations can use the NICE framework to:
- Inventory and track their cybersecurity workforce to gain a greater understanding of the strengths and gaps in KSAs and tasks performed;
- Identify training and qualification requirements to develop KSAs to perform cybersecurity tasks;
- Improve position descriptions and job vacancy announcements selecting relevant KSAs and tasks, once work roles and tasks are identified;
- Identify the most relevant work roles and develop career paths to guide staff in gaining the requisite skills for those roles; and,
- Establish a shared terminology between hiring managers and human resources staff for the recruiting, retention, and training of a highly-specialized workforce.
The reality is that we face a severe shortage of cybersecurity professionals and we all will be competing with everyone else for the talent that is out there. This is a serious problem at a time when healthcare needs the talent necessary to build the cyber defenses that will protect patient information and assure its reliance on systems and data to support medical facility operations and care delivery.
There is no magic bullet to provide an immediate solution to meet the demand for cybersecurity professionals. However, the NICE workforce framework gives the health care industry a starting point to help standardize roles, identify tasks, and provide vision to all levels of management on what a skilled and capable cybersecurity workforce looks like.