First and most important, is to realize that “cyber” and “cybersecurity” are umbrella terms. Fairly large ones at that. Much like there are many disciplines within engineering or areas of focus for practicing attorneys, there are many domains within cyber – we’ll get to those in a minute. If you’re anything like I was, this term itself led you down a deep rabbit hole. Here is what I’ve come to learn.
At a high level, you can begin to breakdown the term from a public and private sector perspective. One good resource for the public sector (government) perspective, specifically the Department of Defense, is that of the DoD Cyber Workforce Framework. Alternatively, you can read up on the NICE Framework created by NIST, which has a large overlap with the DCWF. From the private sector perspective, you can decompose the term into 8 broad domains, as outlined in the CISSP certification exam. I interpret the CISSP (Certified Information Systems Security Professional) as a “gold standard” certification for information security and is created by a well-known and respected non-profit organization by the name of ISC2 (International Information System Security Certification Consortium). Let’s go into a bit more detail on each.
Both the NICE Framework and the DCWF define work roles and for the time being, are further decomposed into KSATs – knowledge, skills, abilities and tasks. For now, knowing the KSATs exist will suffice as we will further explore this in Step 3. The CISSP defines domains, which one could draw parallels to work roles, which are broken down into subcategories. Once more, one could draw parallels that the subcategories are tasks/abilities and contain supporting bullets to define the necessary knowledge. The following table is a summary of the 3 perspectives and how they are broken down, with links to each:
| NICE Framework | DCWF | CISSP | |
| 1 | Oversight and Governance | IT (Cyberspace) | Security & Risk Management |
| 2 | Design and Development | Cybersecurity | Asset Security |
| 3 | Implementation and Operation | Cyberspace Effects | Security Architecture & Engineering |
| 4 | Protection and Defense | Intelligence (Cyberspace) | Communication & Network Security |
| 5 | Investigation | Cyberspace Enablers | Identity & Access Management (IAM) |
| 6 | Cyberspace Intelligence | Software Engineering | Security Assessment & Testing |
| 7 | Cyberspace Effects | Artificial Intelligence / Data | Security Operations |
| 8 | —– | —– | Software Development Security |
Hopefully this helps give a bit more clarity for when the term “cyber” is stated, and you are now more equipped to ask the clarifying question, “please tell me what specific area you are referring to?”.
Now that you are better equipped with your refined knowledge of cyber, let’s move to Step 2 where we dive deeper into these areas of interest and hone in to an area that you want to further explore. Finally, in Step 3, we will wrap things up and describe how to use this newfound information to expand your knowledge in a targeted and methodical manner, and the resources that can assist in that journey.