OSTI.GOV, U.S. Department of Energy
Office of Scientific and Technical Information

Title: The CYBER security – Competency Health and Maturity Progression (CYBER-CHAMP) model: Extending the National Initiative for Cybersecurity Education (NICE) Framework Across Organizational Security

Journal Article · Cybersecurity Skills Journal: Practice and Research
OSTI ID:1778816

Problem Statement: There is a pervasive talent deficit in the cybersecurity industry that prevents employers from being able to fill their open positions efficiently. A holistic approach to security is required to ensure organizations have adequate prevention and response capabilities in case of a cyberattack. Specifically, industrial control systems (ICSs) and their operational technology (OT) components have become a constant target for cyberattacks.

Research Questions: It is proposed that the NICE Framework should be extended in the following areas: 1) Include guidance regarding the job roles and competencies for both IT and OT professionals. 2) Offer step-by-step solutions, based on the work role mappings from the NICE Framework, to increase cybersecurity through employee training and education. 3) Provide a streamlined, lifecycle approach to building a cybersecurity program.

Contribution: The CYBER security – Competency Health and Maturity Progression (CYBER-CHAMP©) model provides a customized solution for businesses to understand their education gaps in organizational security and target areas for improvement.

Rationale: The Framework for Improving Critical Infrastructure Cybersecurity v1.1 addresses ICS but does not offer a measurement of cybersecurity maturity or clear methods to ascertain an organization’s current risk profile. In Phases 1 and 5 of the model, measurements are provided to help an organization build their current and target risk profiles. The NICE framework provides a structure for planning an IT cybersecurity workforce, but the OT aspects of cybersecurity are only briefly discussed. The model uses Phases 2-3 to examine the competencies of an organization’s workforce, which includes both IT and OT roles. Current frameworks do not offer next steps to increase an organization’s cybersecurity. During Phase 4, employees’ roles are mapped to training, education, and/or certifications from common vendors.

Investigative Approach: The model provides measurements and metrics for both an organization’s status and continual improvement. This improvement methodology includes guidance for creating an overall strategic plan for security improvement via products designed to increase an organization’s operational readiness through workforce competency health.

Lessons Learned: Depending on who was participating, there were contradicting answers given in Phase 1 due to different security cultures in the organization. This revelation has influenced the steps listed in the User’s Guide, where Phase 1’s first recommended step is to assemble a team that champions the facilitation and implementation of the model in the organization. During Phase 2, the discovery was made that organizations may be missing roles that are necessary to perform critical cybersecurity functions. By understanding the functional roles and competencies needed, they can contract or hire cybersecurity help to fill these gaps.

Implications: Using the model, organizations can discuss quantitative measures for improvement as a business case for advancing their security program. Future research can validate and extend the present theory and model to a variety of environments. It is of interest to investigate additional security roles and knowledge domains that are used to build standardized cybersecurity curriculum.

Research Organization:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Organization:
USDOE Office of Nuclear Energy (NE)
Grant/Contract Number:
AC07-05ID14517
OSTI ID:
1778816
Report Number(s):
INL/JOU-20-59690-Rev000; TRN: US2209578
Journal Information:
Cybersecurity Skills Journal: Practice and Research, Vol. 2020, Issue Nov; Related Information: See also https://www.nationalcyberwatch.org/resource/csj-2020-nice-special-issue/; ISSN 9999-0051
Publisher:
National CyberWatch Center
Country of Publication:
United States
Language:
English