In a series of blogs, we’ll be using NIST’s NICE Cyber Security Workforce Framework to define human requirements for jobs in cybersecurity. A range of organizations in the public, private and academic sectors now use this approach.



It’s been too easy in recent times to lay the recruitment struggles of the cybersecurity industry at the door of the so-called skills gap. The real challenge is more complex. Businesses looking to recruit, for example, may be averse to paying top dollar for a self-taught ‘hacker’ with no college degree. The same applies to those aspiring to move into entry-level roles who may have taken useful and effective hands-on training but have no way of differentiating themselves when they lack formal experience. And the list of barriers for both businesses and applicants goes on. Put simply, the root of much of this is the speed at which cybersecurity as an industry has developed.


To address some of these issues, the US National Institute of Standards and Technology (NIST) has built the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. It can improve the way organizations identify, recruit, develop and nurture cybersecurity talent by helping them to interpret their workforce and identify skill gaps. In 2019, the White House encouraged US Federal Government agencies to adopt NICE in an Executive Order.


The framework shows cybersecurity leaders what abilities their team needs, which enables them to identify skill gaps, map career development, and understand the role of each member. For cybersecurity pros, it offers guidance towards achieving career progression or making the jump from one role to another.


In this series we will help you understand the five most common of these work roles. First up is Cyber Defense Incident Responder.


Cyber Defense Incident Responder




  • Incident Responder
  • Intrusion Analyst
  • CSIRT Engineer


Category: Protect and Defend
Specialty Area: Incident Response


What is a Cyber Defense Incident Responder?


Cyber Defense Incident Responders are the paramedics of cybersecurity, responding to incidents quickly and effectively in order to minimize damage.


This role is involved in providing an initial response to any IT security threats, incidents or cyberattacks that face an organization. Experience in computer investigations/general computer forensics is helpful but not essential if a candidate has developed relevant skills elsewhere.


Those in this role are expected to master a suite of forensic tools to help investigate security issues on the fly. After identifying the source of an issue, the task is clear: restrict damage, provide immediate remedial action and – where possible – offer a solution that mitigates the threat permanently.


Typical work duties


This is a varied, demanding role that requires someone who can operate in an agile way; most work is done throughout the day but shift work or flexi-time may be required. The role’s primary duty is to examine and analyze electronic media in suspected computer hacking cases. Communication skills are key, as employees must present their findings in an easy-to-read format that is free from unnecessary technical jargon. Below are some of the key duties for this role:


  • Identifying, capturing, containing, and reporting malware
  • Preserving evidence integrity according to standard operating procedures or national standards
  • Securing network communications
  • Recognizing and categorizing types of vulnerabilities and associated attacks
  • Protecting a network against malware (e.g., NIPS, anti-malware, restrict/prevent external devices, spam filters)
  • Performing damage assessments
  • Designing incident response for cloud service models


What skills do Cyber Defense Incident Responders need?


This role demands various skills, the most important of which are shown below:


  • Up-to-date knowledge of IT security hardware, software and solutions
  • C, C++, C#, ASM, PERL, Java, PHP or other scripting/programming skills
  • Knowledge of forensic and eDiscovery tools
  • Practical experience using computer operating systems


What traits are required to succeed in this role?


Personality is as important as skill – and this is true of all cybersecurity roles. Dr. Ryne Sherman, chief science officer at Hogan Assessments, says, “Traditional recruiting practices often overlook personality and focus on education, experience and a set of hard skills. While these are important, it is crucial to remember that personality characteristics play a huge role. A candidate with the suitable personality can be easily trained into the right role. This is especially true in the cybersecurity world, where companies struggle to find the experienced individuals they need.”


Below are some traits that will help a Cyber Defense Incident Responder succeed:


  • A problem-solving mind-set
  • A propensity for teamwork
  • The ability to react quickly and efficiently under pressure


What qualifications are required?


Some employers will desire a Bachelor’s degree in a related field such as Computer Science or IT, but this is not a necessity.


I want to know more


At Immersive Labs we’ve mapped 700 of our labs to over 50 NICE cybersecurity roles in the entry, intermediate and advanced levels. Find out why and learn how the framework can help your organization by downloading our free eBook today.



Download our eBook on the NICE Cyber Security Workforce Framework


Learn how aligning cyber skills to the NICE Cyber Security Workforce Framework can help us reframe the skills gap and find the best talent.






February 6, 2020




Immersive Labs