Design Cybersecurity Proficiency-Based Projects
Learning Objectives
After completing this unit, you’ll be able to:
- Compare performance-based and proficiency-based projects.
- Explain the value of proficiency-based projects in cybersecurity.
The NICE Workforce Framework for Cybersecurity (NICE Framework) outlines the responsibilities of various cybersecurity Work Roles through defined Task statements that describe the work to be completed. These help ensure effective cybersecurity risk identification, risk response, and continuous risk management in an organization. To accomplish the tasks, cyber professionals must develop the corresponding knowledge and skills.
In this unit, we use this alignment to design highly-interactive and immersive cybersecurity projects that meet employer needs. These projects also measurably enhance critical cybersecurity skills, enabling aspiring and current professionals to stand out in the job market.
Build Skills That Employers Value
According to the 2024 Fortinet Global Cybersecurity Skills Gap Report, 91% of respondents prefer to hire candidates with certifications. This preference likely stems from the perception that certifications “validate skills” and ensure candidates have the necessary knowledge and skill to perform in a specific role. However, the report also reveals a concerning trend: 70% of respondents identify a lack of necessary skills among cybersecurity staff as a leading case of breaches.
These findings appear to highlight a crucial point: While certifications are valuable indicators of knowledge and commitment, they might not always guarantee practical skills or on-the-job effectiveness. As shown in the Trailhead module A Skills-First Approach to Cybersecurity, it’s possible that some employers rely too heavily on certifications as assurance of real-world competence. This overreliance can contribute to the persistent skills gap, as organizations prioritize certified individuals over candidates with stronger practical skills and fewer formal credentials.
A skill-based hiring approach means removing degree requirements and instead focusing on the specific skills or competencies a job candidate needs to be able to fill a role. You can then assess applicants based on their ability to meet the needs of the job, regardless of where they learned their skills.
The study and blog post are only two reasons for a skills-first approach to designing proficiency-based cybersecurity projects that align with the NICE Framework. These projects encourage professionals (current and aspiring) to use their existing knowledge and skills to complete tasks that push them beyond their current capabilities.
Advance from Performance to Proficiency
Imagine you're in your kitchen, preparing to bake a cake. You have the recipe with detailed instructions, all the necessary ingredients premeasured, and a fully equipped kitchen with the oven preheated to the correct temperature. You meticulously follow each step of the recipe, being sure to minimize any deviations from the instructions.
This is a performance-based task where the emphasis is on following a predefined procedure. Success depends more on your ability to follow instructions than on your baking experience and creativity.
Now, imagine a different scenario. Your task is still to bake a cake, but you’re in a more complex environment. First, you’re in an unfamiliar kitchen and the ingredients you usually rely on aren’t available–there’s almond flour instead of wheat flour, and you don’t have eggs or sugar. Additionally, the only available appliance is a stovetop with no oven. In this situation, you have to think creatively and adapt what you already know about baking. You rely on your knowledge, skills, experience, and intuition to figure out substitutes and new techniques.
This is a proficiency-based task. You’re making independent decisions, applying your skills in an unpredictable environment, trying new approaches, and extending your current knowledge to achieve an expected result.
This analogy shows the core differences between performance and proficiency.
Performance
Performance describes a learner’s ability to apply skills in familiar or practiced situations, where instruction is clear and minimal independent decision-making is required. The focus of performance is on following directions to achieve a result. This is why learner performance is commonly assessed as having met expectations, partially met expectations, did not meet expectations, or something similar. These standards describe how well the learner applied their skills to remain on task and achieve the result.
Proficiency
Proficiency describes a learner’s ability to apply skills anywhere, at any time, and in any situation. The focus of proficiency is on independent decision-making and increasing adaptability. The more proficient a learner becomes, the less guidance they need and the more they can handle unexpected situations. Proficiency represents a versatile application of skill in a particular decision-making context. Proficiency is typically measured on a scale, for example, awareness, basic, intermediate, advanced, and expert. These measures describe how the learner uses their knowledge and skills to achieve the result. Let’s review the scale in more detail.
-
Awareness: You have a basic understanding of the skill and its concepts, but you need step-by-step guidance and supervision to apply it. You’re primarily observing and learning at this stage.
-
Basic: You can perform the skill in straightforward situations with clear instructions, but you still require frequent feedback and support. You’re starting to develop some independence but still relying on others for guidance.
-
Intermediate: You can apply the skill in a variety of situations with growing independence. You can handle some complexity, but you still need occasional guidance or support when facing new challenges.
-
Advanced: You can confidently and independently apply the skill in complex and unpredictable situations. You can troubleshoot problems, make informed decisions, and even guide others with less experience.
-
Expert: You have mastered the skill, easily applying it in any situation. You innovate, mentor, and advance the field through your expertise and continuous learning.
The NIST report Measuring Cybersecurity Workforce Capabilities: Defining a Proficiency Scale for the NICE Framework cautions that a candidate’s proficiency level doesn't necessarily correspond to years in the field or in a specific role. Proficiency can be developed through diverse experiences and demonstrated in various ways. This highlights the value of proficiency-based projects as an ideal training and assessment approach. Proficiency-based projects allow individuals to demonstrate knowledge and skills in a way that directly aligns with the specific needs and dynamic culture of a workplace.
Keep in mind that performance-based learning has an important place in a cybersecurity curriculum or training program, especially for developing foundational knowledge and for processes that rely on consistency (for example, incident response, log management, compliance, backup procedures). The “right way” matters here because deviation can lead to security vulnerabilities or legal issues.
Align Proficiency-Based Projects with the NICE Framework
At the conclusion of the Trailhead module A Skills-First Approach to Cybersecurity, we share the idea that as more organizations embrace skills-first hiring, job seekers should consider adjusting their strategies as well. Education, certifications, and previous experience are useful, but the focus is on what you can do–not on what you have accumulated. To succeed in this environment, candidates must objectively grow and demonstrate their skills. These labs offer a way to do exactly that.
Organizational curriculum designers and instructors can use the sample scenario below to inform the design of proficiency-based training aligned with the NICE Framework. This ensures entry-level and experienced security professionals alike develop the precise skills needed to achieve work-specific outcomes.
In the next unit, we’ll review specific projects and a lab to see the NICE framework in action.