RTI uses cookies to offer you the best experience online. By clicking “accept” on this website, you opt in and you agree to the use of cookies. If you would like to know more about how RTI uses cookies and how to manage them please view our Privacy Policy here. You can “opt out” or change your mind by visiting: http://optout.aboutads.info/. Click “accept” to agree.
This report reviews the federal, private sector, and international definitions of the cybersecurity workforce. We find that there is no comprehensive definition of who composes the cybersecurity workforce in the United States. Rather than a definition, frameworks focused on work roles, tasks, knowledge, and skills that can cut across job titles and industries are common. The lack of a standardized definition of the workforce is a limiting factor in addressing the national cybersecurity challenges and workforce gaps cited by employers and industry research. Leading taxonomies, including the NICE Framework from the National Institutes for Standards and Technology (NIST), consider the cybersecurity workforce to include both core workers and those who engage in cybersecurity activities in their role, providing an expansive definition of cybersecurity workers.
Based on this review of frameworks and definitions, we propose a definition of the cybersecurity workforce for the Cybersecurity Workforce Data Initiative (CWDI). This proposed definition balances the tension between a broad set of cybersecurity work roles and skills like those emphasized by federal government agencies and a narrow, concise definition from organizations like the European Union, United Kingdom, and professional organizations. Our proposed definition establishes a core workforce and adjacent workforce based on the percentage of work activities that align with the NICE Framework work roles and aligning them with traditional metrics in labor market research.