Feb 12 2008

Filling the Gap

The Essential Body of Knowledge creates a baseline of must-know information for the IT security workforce.

Criminals and terrorists are busy plotting their next move. Will they attack a well-known building, government office or the PC on the desk in front of you?

Digital ills appear in what seem to be the most innocent of packages: spoofed Web addresses, attachments with a hidden virus or spyware. Organizations face a growing host of cyberthreats and vulnerabilities — hard drives erased, payroll systems wiped out, and agency or corporate Web sites compromised. Everyone in government needs to be prepared, especially those responsible for securing our information technology.

Enter the IT Security Essential Body of Knowledge: A Competency and Functional Framework for IT Security Workforce Development. The IT Security EBK addresses one of the most complex aspects of IT security — the human element — to ensure that we have the most qualified, appropriately trained and educated IT security workforce possible. The EBK is designed to equip the IT workforce, and those who manage, recruit and hire that workforce, with a framework for professional development, career planning, training, education and human resources management.

The EBK Defined

What is the IT Security EBK? The Homeland Security Department’s National Cyber Security Division (NCSD) developed this umbrella document to link competencies and functional perspectives to government and private-sector IT security roles. Addressing skill requirements in a new way, the EBK provides a national baseline of essential knowledge and skills that IT security practitioners should have to fill specific roles.

Although sample job titles are listed within the document, roles are used because they are typically more descriptive than job titles and provide utility regardless of specific organization or context. This high-level approach provides insight on career paths for all IT security professionals, no matter which organization or agency they work for. It also simplifies the development process for instructional designers who create role-based training courses and materials.

PHISH FRY: Phishing exploits accounted for 57.6% of incidents reported to U.S.-CERT for the fourth quarter of 2007, far surpassing the next most pressing security problem — policy violations — at 9.6%.

SOURCE: U.S.-CERT Quarterly Trends and Analysis Report, December 2007

Prior to the IT Security EBK, no single resource existed that pulled together all aspects of IT security workforce development. In fact, the government has many complex and sometimes conflicting training standards for different contexts, environments or markets. As the focal point for securing cyberspace for the nation, NCSD is responsible for combining all of this information into a single tool, conceptualizing the entire IT security workforce.

For the EBK, the NCSD team built directly on the work of established references and best practices from the public and private sectors. The EBK is not intended to represent a standard, directive or policy mandated by DHS: Instead, it should be viewed as a complement to existing, widely used models for describing IT security processes or training, such as that of the National Institute of Standards and Technology or the Committee on National Security Systems. The document further clarifies key IT security terms and concepts for well-defined competencies, identifies notional security roles, and defines four primary functional perspectives: management, design, implementation and evaluation.

NCSD worked with higher education, government and private-sector subject-matter experts to develop a context-neutral, high-level framework describing essential knowledge and skills for IT security professionals in all environments. The goal? To create a single foundation linking competencies to security roles to help create the best-trained, most-qualified workforce to address the continuously changing and complex nature of cyberthreats and vulnerabilities.

[Chart: Total cyberincidents reported to U.S.-CERT from the public and private sectors, fiscal 2006 and fiscal 2007, with a breakout of federal incidents for the same years.]

Sound Foundation

The roots of the IT Security EBK go back to 2003, when President Bush released the National Strategy to Secure Cyberspace. The strategy was created to “engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.” It recognized that “securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society, the federal government, state and local government, the private sector, and the American people.” It elaborated on this by noting a national shortage of adequately trained and appropriately certified personnel to create and manage secure systems.

To shift that dynamic, the IT Security EBK is intended to:

  • help ensure that IT security professionals understand and perform their roles securely, thus protecting the nation’s information and systems;
  • raise the profile of IT security as a profession to attract and retain IT security workers;
  • assist professionals in navigating the maze of available security certifications;
  • help agencies prepare career paths and training for their IT security workforce.

How-To Guide

Agencies can begin to use the IT Security EBK for workforce development and planning (and consumers can use it for professional development). Because it’s not tied to a specific technology, it allows for broad application in a variety of environments.

Recruiters and hiring managers can use it to revise job descriptions or to help identify prospective employees. Employees can use it to identify gaps in their education and experience or to determine the next step in their career. Training-course developers can use it to enhance role-based content, whether the training is instructor-led or Web-based. Universities, community colleges and state governments are already using the draft IT Security EBK for curriculum and workforce development initiatives.

With today’s frequent headlines of cybersecurity breaches, whether through malice or accident, the country needs educated and experienced IT security professionals. These professionals must protect the systems that provide government services and enable the economy to function. They need top-notch skills to prevent major disruptions of critical systems. A baseline set of skills should help agencies and private groups pinpoint and fill their skill gaps.
