Building and maintaining a strong, diverse, and technically effective cybersecurity workforce can prove difficult, but one method of simplifying this task is using a cybersecurity workforce skills framework to review the composition of an organization's current cybersecurity function.
Trustwave has worked with a number of organizations across a range of sectors – including financial services, higher education, and critical infrastructure – that have started to show an interest in undertaking (or actively performing) this type of analysis over the last 12-18 months. The service is available through Trustwave Consulting and Professional Services (CPS). Interested clients can contact Trustwave sales or their CPS team member to receive more information about the service. Our team will then scope the work to their specific requirements and adjust the delivery methodology accordingly.
Let’s take a look at some of our lessons learned as we have embarked on performing these projects for our clients.
An Excellent Strategy for Building a Workforce
We believe this type of work can benefit many organizations and is a highly valuable way of applying rigor and strategy to the process of building out a cybersecurity workforce.
Here, we’ll share some context for the value of using skills frameworks, an overview of some of the frameworks that exist today, and a possible approach for using them to help develop a roadmap for building a suitable cybersecurity function within an organization.
As cyber threats and risks across all sectors of the global economy have continued to grow in size and complexity, many organizations have come to recognize the importance of either embarking on the journey of putting in place a dedicated cybersecurity function (where one did not exist previously), or enhancing the composition of an existing cybersecurity team to meet current and future organizational needs. This has been compounded by a range of external factors, including:
- Increased expectations from markets, customers, and the community at large for organizations in all sectors of the economy to have a robust security program as ‘table stakes’ for doing business – particularly in the context of the massive data breaches we’ve seen affect a number of high-profile businesses globally in the last 18 months; and
- A rapid rise in regulatory frameworks that impose cybersecurity obligations on organizations (e.g., in relation to critical infrastructure management and the handling of personal information via privacy laws).
At the same time, cybersecurity has over the years become a much more established and mature vocation. The industry has moved well beyond the days where a team consisted principally of technical testers, infrastructure managers and risk and compliance analysts, with a fairly repeatable and easy to define set of skills.
The number of security-related roles – and the diversity and blends of skills and backgrounds required – has grown exponentially as a corollary to a much more complex and diverse threat landscape.
While this is in most respects a positive, it does mean the task of building an effective security function within an organization is not a straightforward exercise. Training and education delivery, legal interpretation, relationship building and stakeholder management, crisis management, and architecture-related skills (just to name a few) are now increasingly common requirements within security teams.
While some businesses may be lucky enough to have people with decades of experience in the industry who have cultivated a diverse set of skills and are therefore able to wear multiple hats, these folks are often the proverbial ‘unicorn.’ It’s impractical to expect every organization to easily find one – at least to start with.
Figure 1: The task of assembling a suitable cybersecurity workforce is no longer a simple one for most organisations
Further, a ‘cookie-cutter’ approach to creating a security function is simply not viable in most instances. Organizations need to build a team that consists of the appropriate blend of skills and knowledge - taking into account their unique set of needs and requirements - which may be influenced by:
- Industry-specific threats, risks and regulatory requirements;
- Organizational goals and strategic objectives;
- Potential certification goals (an organization aiming for ISO 27001 or legislative compliance, for example, may have different needs from their security function than one purely aiming for an effective, minimum viable approach to implementing protective and response-based controls);
- Available budget; and
- Other factors such as location of office(s), flexibility of working conditions, maturity and size of the organization and future growth plans.
In addition, finding the right people to build a security team – and making sure they are utilized effectively once on-board – has never been more challenging. Virtually every recruitment decision needs to be a good one in today’s highly competitive employment market for security talent.
The use of cybersecurity skills frameworks can provide an organization with a strategic way to employ a targeted approach to building a team suited to its needs in this environment.
A Suggested Approach to Undertaking a Workforce Cybersecurity Skills Analysis
As we will explain later in this article, there is no defined methodology for using cyber skills frameworks to undertake a workforce analysis. However, based on Trustwave’s experience in this space, the process can broadly be broken down into the following steps:
- Understanding the range of skills frameworks that are available, the way they work, and selecting a preferred framework (or frameworks) for undertaking the analysis;
- Using the selected framework(s) and mapping them against the most relevant skill, task and knowledge statements from an organisation’s existing cybersecurity job roles, as well as to any future state needs that are identified;
- Considering the delta between the current state of the organization's security function and the ideal state needed to meet its current and future needs; and
- Providing recommendations to an organization based on the analysis described in the last two points, as well as any other supporting outputs if required.
We’ll break these down further in the remainder of this article.
Depending on an organization's needs, the specific cyber skills framework that is going to be most useful for undertaking an analysis will vary. While this article does not cover all the different frameworks available in detail, suffice to say there are a number that exist, and the choice as to which may be appropriate will ultimately depend on matters such as:
- Regional Context – for example, organizations principally operating in the EU may be interested in the very recent European Cybersecurity Skills Framework, while those in Australia may want to consider the Australian Signals Directorate (ASD) Cyber Skills Framework (to name just two). Those operating in a more global context may prefer a framework that is more cross-regional in its authorship – for example, the Skills for the Information Age (SFIA).
- Granularity of Analysis Required – organizations looking to undertake an in-depth analysis of their workforce may prefer the National Initiative for Cybersecurity Education (NICE) Workforce Framework for Cybersecurity (NIST NICE Framework). NIST NICE includes over 600 knowledge statements, 370 skill statements (and supporting ability statements), and over 1,000 task statements relevant to cybersecurity and mapped to a range of work roles – but this can be overwhelming for some. On the other hand, SFIA provides a much more ‘light touch’ approach that focuses on skills. It has around 121 ICT related skills, around 40 of which are related to cybersecurity.
- Preference for Public Domain or Proprietary Frameworks – for organizations looking to undertake a detailed skills analysis only, the choice as to whether to go with a framework that is already publicly available or one that is proprietary may be solely based on whether one is better suited to its needs. There are some excellent frameworks available in the public domain (as already mentioned), but others are available for a fee (for example, the Gartner IT Skills Lifecycle and Chartered Institute of Information Security Skills Framework). One advantage of the public frameworks is they enable organizations to make use of a broad range of identifiers for different skills, tasks, and knowledge statements in position descriptions that may form part of future recruitment campaigns.
- Interoperability of Frameworks – some organizations may be interested in using more than one skills framework. There could be a multitude of reasons for this – for example, Trustwave has worked with organizations where the security team wanted to retain backwards compatibility with other parts of the organization that had already used the SFIA framework, while also wanting to leverage the detail and granularity of the NIST NICE framework. In these cases, it’s worth considering whether the frameworks of interest are interoperable in any way. SFIA, for example, includes a mapping of its skills to the cybersecurity work roles in NIST NICE.
Mapping the Framework Against Current and Future State Needs
It’s important to appreciate that unlike control frameworks such as the NIST Cybersecurity Framework and ISO 27001 – which are inherently designed to assess the current state of an organization's security program – cybersecurity skills frameworks are not assessment frameworks. In other words, they aren’t intended to be taken off the shelf and used ‘as is’ to assess the state of an organization's cybersecurity workforce. They are more analogous to frameworks which provide a set of building blocks from which an organization can pick and choose to build a workforce that best suits its needs.
This, of course, inherently requires an organization to have already done (or be prepared to undertake) a reasonable amount of introspective analysis to consider its current and future state needs for its security team so that it can select the right building blocks. This is where the help of an external expert such as Trustwave can be valuable.
Trustwave’s methodology for delivering these projects will naturally be customized somewhat depending on the organization we are undertaking the analysis for. However, broadly speaking, and based on our past experience delivering these projects, it entails the following:
- Identify the organization's current and future state security workforce needs (collectively, we call this the ideal state) and determine any role or capability gaps; and
- Determine the extent to which these capability gaps create a deviation from the ideal state.
Identifying Current and Future State Needs
To assess an organization's capability gaps, Trustwave’s approach involves working with its security team to understand the needs for its cybersecurity workforce, both now and in the future (i.e., its ideal state). To ensure this is done as thoroughly as possible, inputs such as the following are typically used:
- Existing Position Descriptions – these are mapped to the frameworks that have been selected. Let’s assume, as an example, that NIST NICE is selected as a relevant framework. Trustwave will map the existing position descriptions to the task, knowledge, and skill statements in that framework and identify additional statements in it that appear relevant to the roles that exist in the organization's security function, or which are desired based on the function’s current and future state needs, and which are likely to indicate capability gaps. These mappings are provided to the organization for review.
- Existing Cybersecurity Strategy – this is reviewed to help identify current gaps, areas of focus, and future aspirations for the organization's cybersecurity function. If no strategy is documented, this information may be gathered primarily from interviews with relevant stakeholders within the cybersecurity team (as per the next point).
- Interviews – with team leaders across different areas of the security function (for example, security operations, architecture, awareness and program management) to gain insights based on the day-to-day realities of working within the relevant team, identify areas where position descriptions may not align with actual job roles (it is not uncommon in many businesses for people’s actual day-to-day roles to vary considerably from what their formally documented job role says they do), and understand any ‘unwritten’ aspirations or plans that may feed into future state needs.
Once this phase is completed, Trustwave has a clearer understanding of the ideal state for an organization's cybersecurity function and its current capability gaps.
Understanding the Deviation from the Ideal State
While it’s useful to identify a set of capability gaps for roles within a cybersecurity team, a truly macro-level workforce skills analysis requires some way of clearly explaining the degree to which those gaps result in a deviation from an organization's ideal state for its cybersecurity workforce.
To achieve this, Trustwave’s approach for our previous clients has used data obtained from the previous analysis phase to create a dual-axis heat map that reflects the gaps that are identified. Specifically:
- For each cybersecurity job role within the team, the y axis is used to plot capability gaps – i.e., tasks/skills considered essential but not currently performed in the role (or not performed to the proficiency needed); and
- The x axis is used to plot the number of misalignments between a position description and the actual role. In other words, the degree to which tasks/skills are already being executed in actual day to day job functions within the security function, but not included in the formal position description for the corresponding role.
Figure 2: An example of the heatmap that was used to represent the deviation from the ideal state - each circle represents an individual job role. Note that this data has been fictionalised and is not reflective of a specific organisation.
Each of these axes effectively provides a way of visually representing the extent to which the gaps for each actual job role form a proportion of the total relevant skills, knowledge and task statements from the selected skills framework that are considered relevant for the role.
Of the two types of gaps, it is far more preferable to have a misalignment between a position description and the tasks / skills performed in a role as opposed to an actual capability gap as the former is much more straightforward to resolve in most instances.
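The following is an added worked example, not Trustwave's tooling or the page's own code, showing how the mapping step (position descriptions and interview findings mapped to framework statements) and the dual-axis heat map described above could be computed for each role. The statement identifiers (TASK-1, KNOW-1, SKILL-1) and proficiency levels are constructed placeholders, not real NICE or SFIA identifiers; a practitioner would substitute the statement IDs from the chosen framework.

```python
from dataclasses import dataclass


@dataclass
class RoleAssessment:
    """Framework-mapped view of one cybersecurity job role.

    required:  statement id -> proficiency level needed (ideal state for the role)
    described: statement ids that appear in the formal position description
    performed: statement id -> proficiency actually observed (from interviews)
    """
    role: str
    required: dict
    described: set
    performed: dict

    def capability_gaps(self):
        # y axis input: statements the ideal state needs but which are not
        # performed at all, or not performed to the needed proficiency.
        return sorted(s for s, need in self.required.items()
                      if self.performed.get(s, 0) < need)

    def misalignments(self):
        # x axis input: statements actually performed (and relevant to the role)
        # that the formal position description does not mention.
        return sorted(s for s in self.performed
                      if s in self.required and s not in self.described)

    def coordinates(self):
        # Both axes are expressed as a proportion of the statements considered
        # relevant for the role, so roles of different sizes are comparable.
        total = len(self.required)
        x = len(self.misalignments()) / total
        y = len(self.capability_gaps()) / total
        return (x, y)


def render_heatmap(assessments, cells=4):
    """Return a text grid (list of rows, top row = highest gap proportion).

    Each role is placed in the cell matching its (x, y) coordinates; a cell
    with several roles shows their count. This is the textual equivalent of
    the dual-axis heat map, with y = capability gaps, x = misalignments.
    """
    grid = [[0] * cells for _ in range(cells)]
    for a in assessments:
        x, y = a.coordinates()
        col = min(int(x * cells), cells - 1)
        row = min(int(y * cells), cells - 1)
        grid[row][col] += 1
    rows = []
    for r in reversed(range(cells)):
        rows.append(" ".join(str(n) if n else "." for n in grid[r]))
    return rows


# Constructed sample data for two roles (placeholder statement ids).
SOC_ANALYST = RoleAssessment(
    role="SOC analyst",
    required={"TASK-1": 3, "TASK-2": 3, "TASK-3": 2, "KNOW-1": 2, "SKILL-1": 3},
    described={"TASK-1", "TASK-2", "KNOW-1"},
    performed={"TASK-1": 3, "TASK-2": 2, "TASK-3": 2, "SKILL-1": 3},
)

ARCHITECT = RoleAssessment(
    role="Security architect",
    required={"TASK-4": 4, "KNOW-2": 3, "SKILL-2": 3, "SKILL-3": 2},
    described={"TASK-4", "KNOW-2", "SKILL-2", "SKILL-3"},
    performed={"TASK-4": 4, "KNOW-2": 3, "SKILL-2": 1},
)

if __name__ == "__main__":
    for a in (SOC_ANALYST, ARCHITECT):
        print(a.role, "gaps:", a.capability_gaps(),
              "misalignments:", a.misalignments(), "xy:", a.coordinates())
    print("\n".join(render_heatmap([SOC_ANALYST, ARCHITECT])))
```

In the constructed data the SOC analyst performs TASK-2 below the needed level and does not cover KNOW-1 at all (two capability gaps), while TASK-3 and SKILL-1 are performed but absent from the position description (two misalignments, the cheaper kind of gap to fix). The architect has no misalignments but two capability gaps, so the two roles land in different regions of the heat map.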
Recommendations and other outputs
Any analysis of this nature is likely to result in a range of recommendations, based on the current state of the organization. Some examples could include:
- Implementing regular strategic workforce planning sessions to help understand future state needs more clearly and quickly identify and address any current state needs that may have arisen;
- Remediating position description misalignments with actual day-to-day job requirements;
- Identifying strategies to address identified capability gaps – whether through including these in the day-to-day duties of existing roles or creating new roles to address them.
For some of our clients we have also provided training plans that are useful for guiding the development of relevant soft and technical skills to help staff progress in their career development for each role within their security function, including considerations for on-the-job and course-based learning. Screenshots of these are provided below (a link is provided to sample training plans available on the Security Colony platform at the end of this article).
It is likely workforce skills analysis projects will become more frequent for cybersecurity teams in future. Devising a robust methodology for applying existing skills frameworks to undertake this type of exercise is paramount in providing appropriate value for an organization. If your business is considering undertaking a similar analysis, get in touch with Trustwave to see how we can help.