
Cybersecurity Workforce Planning Diagnostic

As the demands of global business, computing, and society revolve around information technology, the cybersecurity workload is increasing faster than cybersecurity professionals can meet the demand. As such, an emerging priority in cybersecurity is how organizations can attract, assess, and develop this specialized workforce.

Effective workforce planning enables organizations to build processes that not only identify where major cybersecurity gaps reside, but also pinpoint where an organization should proactively grow and shape its cybersecurity workforce to achieve mission priorities.

What is the tool?

The purpose of this tool, which was developed by the National Initiative for Cybersecurity Education (NICE), is to introduce a qualitative management aid to help organizations identify the data they need to gather to execute effective cybersecurity workforce planning. By considering the implications of specific organizational characteristics around two factors, risk exposure (as a function of mission cybersecurity dependence aligned to compliance standards) and risk tolerance, organizations will gain insight into what types of data they need to better plan for and manage their cybersecurity workforce.

The Cybersecurity Workforce Planning Diagnostic Tool provides organizations with:

  1. A qualitative tool to identify their cybersecurity risk exposure and their willingness to take on greater cybersecurity risk (risk tolerance) due to the nature of their organization and the types of activities in which they engage.
  2. Placement within a quadrant aligning to one of four potential risk exposure/risk tolerance types: low risk/low tolerance; high risk/high tolerance; high risk/low tolerance; and low risk/high tolerance. (After completing the diagnostic, organizations can tally their combined risk exposure and risk tolerance score, and subsequently place themselves into a risk exposure/risk tolerance quadrant).
  3. Specific guidelines on the type of data an organization needs to collect to perform effective cybersecurity workforce planning processes (e.g., analyze gaps and identify future workforce needs) based on the risk exposure/risk tolerance type.

It is recommended that organizations review foundational resources on cybersecurity workforce planning. Two white papers, “Best Practices for Planning your Cybersecurity Workforce” and “Cybersecurity Capability Maturity Model”, can be found in the Documents section of the Research tab.

Who can use the tool?

This tool enables private organizations and Federal agencies to make data-driven decisions in regard to resource allocation and human capital infrastructure investments to support an organization’s overall ability to meet its mission responsibilities.

Although risk exposure/risk tolerance type will vary by organization size, scope, and cybersecurity complexity, the Diagnostic assists organizations by guiding them to key considerations in gathering supply and demand data based on their respective organizational profile. Business leaders, human capital practitioners, and other key cybersecurity personnel can use the outcomes of the Diagnostic as an initial assessment for organizational supply and demand factors, and better understand how those components interplay with the broader workforce planning strategy.

How can organizations use the tool?

The Cybersecurity Workforce Planning Diagnostic characterizes organizations by their responses to risk exposure and risk tolerance questions to help identify an organization’s practices towards risk from internal exposure (e.g., poor cybersecurity monitoring and controls reporting), external exposure (e.g., threat actor cyber intrusions) and the amount of risk an organization is willing to accept.

The Diagnostic will help organizations identify general cybersecurity risk exposure and risk tolerance. It is not a substitute for in-depth, organization-specific risk assessment and analysis; the questions listed within the Diagnostic are representative. However, organizations can use the Diagnostic questions to build foundational knowledge about their cybersecurity workforce risk. In addition, organizations can use this knowledge to create more questions based on their technical and specific mission imperatives and organizational structures. Finally, organizations should keep in mind that it will take the collaborative work of leadership, human capital experts, and cybersecurity managers and operators to use the Diagnostic tool accurately.

To learn more, download the tool to use for your organization.