A Compass for Navigating Cyber Careers
When someone says they work in cybersecurity, it could mean anything from cloud engineering to incident response, from red teams to risk governance. The field is vast and only getting more complex.
Despite all the frameworks we use to secure systems, most organisations still lack a shared language for describing the people who do the work. That’s what the NICE Framework offers: a way to map roles, skills, and development pathways across the full cyber landscape.
What Is NICE?
The National Initiative for Cybersecurity Education (NICE) began in 2008, when the US government recognised the need to better understand and plan for cyber talent across its federal workforce. Developed by the National Institute of Standards and Technology, or NIST, the NICE framework is now used globally across both public and private sectors to structure cyber workforce development.
Why Does It Matter?
“Cyber” can be a vague word. It gets used to mean everything from penetration testing and cloud security, to compliance and risk, and job titles vary across companies, industries, and countries.
The NICE Framework cuts through that ambiguity with a common language and logical structure to describe what people in cyber teams actually do, what they need to know, and what skills they should be developing. This development mindset is built in, with NICE referring to all cyber workers as learners.
Key Concepts
The NICE Framework rests on a few core concepts:
- Work Categories (7 in total): Broad groupings like Securely Provision, Operate & Maintain, and Protect & Defend.
- Work Roles (33 in total): Specific job functions such as Security Architect or Cyber Defence Analyst.
- TKS Statements: Each work role is broken down into:
- Tasks - what you do
- Knowledge - what you must know
- Skills - what you must be able to do
What Can You Do With It?
Whether you’re thinking about your own career path or looking to support others, the NICE Framework is a practical tool that can help:
- Career Planning – Understand what’s expected in a role you aspire to, and find the gaps in your current skills.
- Team Assessments – Map where your team is strong, and where you may need to either upskill, hire, or outsource.
- Competency Heatmaps – Visualise where capability sits within your organisation or programme.
- Governance & Assurance – Use the NICE framework to assess your hiring plans or workforce coverage plans.
- Futureproofing – Plan ahead for emerging roles and evolving threat landscapes, and build into your team’s hiring and learning plans.
Cyber Careers Pathway Tool
To illustrate how Work roles and TKS pathways interact in practice, a Cyber Careers Pathway Tool is available on the cisa.gov website - you can navigate through with the CISO role, aka the “Executive Cybersecurity Leadership” role or the “Cybersecurity Architecture” role.
Final Thoughts
The NICE Framework helps you to make sense of cyber workforce terrain and the varied type of career you can have within it. NICE brings structure to conversations that might otherwise be vague, or even political as different teams build up their own capabilities.
If you’re mentoring someone, building a team, or reviewing your own career path, NICE can be a useful framework to consider.