The existence of a cybersecurity skills gap is universally accepted throughout business, industry and every other sector. All you have to do is look at the job numbers. The CyberSeek Global Security Heat Map identifies more than 600,000 total cybersecurity job openings just in the United States. Considering that the same tool only identifies a little over one million total employees currently working in cybersecurity, the workforce needs to grow by at least 50% to even come close to filling the demand.
Recognizing the shortage of cybersecurity pros is one thing. However, identifying which skills technical teams within your organization are missing is another. And trying to address those gaps is equally hard. Understanding what skills your teams need is the first step toward ensuring they can prevent, detect and respond effectively to threats. It can ensure that development teams bring security controls to the design phase. And it can reduce the impact of cyberattacks, both on your organization and those that use your software.
Here are four key steps you can take to identify the skills that are missing in your organization.
1. Build a cybersecurity competency model
Organizations can start by defining the cybersecurity competencies needed for each job within your technical teams, describing the knowledge, skills and abilities (KSA) required to excel in a given position. A well-designed model will identify the KSAs and associated behaviors necessary to establish proficiency, and prioritizes them according to beginner, intermediate or advanced levels. Building a competency model is a careful process. The skill requirements it identifies should be aligned with your organization’s strategic plan, as well as with the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Before establishing the skills needed for each job role, you should review existing job descriptions, and solicit input from technical team members for their insights. You also could make use of outside sources, such as the Department of Labor’s Occupational Information Network (O*Net Online). Creating a competency model, evaluating each team member and creating a training plan to increase their cybersecurity skills takes time, but it is well worth the effort.
2. Evaluate and measure cybersecurity competency
With a cybersecurity competency model in place, the next step is to see how your technical teams stack up against that model. A thorough assessment of the skills you have on hand will provide a clear view of the organization’s skill gap. It can help determine where training is needed, where resources should be allocated and how to prepare proactively for future threats.
You can identify skill sets using a combination of several types of evaluations.
- Employee self-assessments. Have employees use the model to rate their own proficiency.
- Surveys or interviews. Asking employees about the skills they have and want to attain can provide some valuable insights.
- Cybersecurity skills assessments. Use a skills checklist or a hands-on assessment to determine skills that are needed.
- Performance reviews. Include questions about professional development goals and what employees consider to be their strengths.
- Work products. Collecting work samples from each team member can help assess their skills.
- Assess and measure with a scoring rubric. Having knowledgeable managers score employee skills according to a rubric can identify skills gaps.
3. Identify areas of strengths and weaknesses at the team level, as well as skills silos
Just as important as assessing individual skills is identifying skills gaps at the team level. A strong team should have a diverse mix of technical, cybersecurity and professional strengths. Assessing the team as a whole can identify a key missing skill — such as a familiarity with penetration testing – that could put the organization at risk. It’s likewise important to identify skills silos, where, for example, only one team member has any knowledge of a priority topic, such as PCI standards. Team evaluations can help you make informed decisions about training and development, prioritizing the skills they need most.
4. Track the effectiveness of your efforts to close the skills gap
Once skills needs are identified, organizations can close the gap either by hiring new team members or training existing members. Training can be accomplished through several methods, including instructor training, online courses, mentoring, peer learning, webinars and job shadowing/job sharing. An essential step at this point is to measure the success of your skills strategy. Tracking the number of team members who have acquired new skills is one key metric. Other critical indicators include the overall skill levels of teams and the number of threats averted because of improved skills.
Closing the cybersecurity skills gap starts with identifying the skills that are missing in your technical teams, then prioritizing the skills your organization most needs and acquiring them through training or hiring. It’s a fairly painstaking process, but necessary to improving your organization’s security posture. Rather than talking about the skills gap, you’ll be doing something about it.