NICE Framework: "Oversee and Govern" Challenges

This is the fourth of six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face while maintaining vital cybersecurity skills and resources.

person holding out hand with hexagon images of various interactions

Typical Roles/Skills for this Category

NICE lists typical roles or titles for staff working in the Operate and Maintain category. All organizations are different, so these are examples and not prescriptive, i.e., not all organizations will have these particular jobs, titles, or roles, and they may be combined with other functions, outsourced, or not performed if they are not required. However, the sample roles from the NICE documentation, as well as definitions and specific skills that individuals in these roles might need, are listed below:

Cyber Legal Advisor:

Laws and regulations which impact security and privacy are constantly evolving, and determining how or if they apply to your organization often requires specialized skills and training in the legal field.

Cyber Instructional Curriculum Developer, Cyber Instructor, Cyber Workforce Developer and Manager:

We have all attended boring and ineffective training; some caused to poorly designed material and some due to a lack of instructional delivery skills. Instructional design, presentation, and teaching skills all require knowledge and practice. Determining the right blend of skills and acquiring training or education to develop an organization's workforce also requires understanding HR and workforce development.

Privacy Officer/Privacy Compliance Manager, Information Systems Security Manager, Communications Security (COMSEC) Manager:

Managing the organization's security and privacy efforts often requires understanding and interpreting outside requirements like privacy regulations and having adequate hands-on experience managing people, processes, and technology per the requirements.

Cyber Policy and Strategy Planner, Executive Cyber Leadership, IT Investment/Portfolio Manager:

These high-level management roles require a thorough understanding of information security and cybersecurity concerns and business leadership and management skills like strategic planning. This governance provides direction and oversight for all the organization's activities, and leaders must understand how to adapt it to changing business or mission requirements.

Program Manager, IT Project Manager, Product Support Manager:

One step down from executive and strategic leadership, these managers are typically focused on tactical execution tasks in alignment with an organization's mission or strategy. This may include managing the delivery and maintenance of individual products, IT systems, or portfolios of services, systems, and capabilities which allow the organization to achieve its goals.

IT Program Auditor:

Auditors need the ability to evaluate both systems and the overall programs used to operate and maintain them. This requires data collection and analysis skills and some management skills to schedule and coordinate the work required.

Pain Points

Many organizations struggle to implement risk-based security because it involves a thorough understanding of several aspects of operations, including what systems and services are in use, where and how data is utilized, and the actual task of implementing and enforcing governance, like policies and standards. Risk management must be a concern at the highest level of an organization. Still, security is often deprioritized in favor of operational concerns until there is a security breach.

Defining governance structures can be challenging as leaders must understand the organization's internal requirements and external factors like regulations and laws. The need to provide oversight can also be a challenge as it is an overhead cost in most organizations, so audit or assessment activities can be resource-constrained to the point of ineffectiveness.

Skills Development Opportunities

Governance and oversight blend universal skills such as business leadership, audit, and risk assessment and internal or organization-specific skills like program management frameworks and oversight tools, including metrics and scorecards. Developing senior, executive, and C-level management skills is also challenging, as personnel requires a mix of on-the-job experience and formal training and skills development. In this category, many certifications exist which help validate that employees have the theoretical knowledge required, including:

Certification courses such as CISSP training and CCISO training develop and demonstrate skills in high-level program management and leadership of a security program.

Certifications such as CIPP/US training, CIPT training, or CIPM training develop skills needed to understand and implement global privacy requirements, technology, and processes.

Certified Information System Auditor, CISA training teaches skills in assessing the architecture of a system.


Become a leader in your organization's information privacy, technology, and management policy with Learning Tree Data Privacy Courses.


This piece was originally posted on October 7, 2020, and has been refreshed with updated styling.