We’re excited to bring back Transform 2022 in person on July 19 and virtually from July 20-28. Join leaders in AI and data for in-depth discussions and exciting networking opportunities. Register today!
The existence of a cybersecurity skills gap is universally accepted across business, industry and all other sectors. All you have to do is look at the working numbers. The CyberSeek Global Security Heatmap identifies over 600,000 total cybersecurity job openings in the United States alone. Considering that the same tool only identifies just over a million total employees currently working in cybersecurity, the workforce needs to grow by at least 50% to catch up with demand.
Recognizing the shortage of cybersecurity professionals is one thing. However, identifying who lack of technical teams within your organization is another. And trying to fill those gaps is just as difficult.
Understanding the skills your teams need is the first step to ensuring they can effectively prevent, detect and respond to threats. It can ensure that development teams bring security controls to the design phase. And it can reduce the impact of cyberattacks, both on your organization and on those who use your software.
Here are four key steps you can take to identify skills gaps in your organization.
1. Build a cybersecurity skills model
Organizations can start by defining the cybersecurity skills needed for each position within your technical teams, outlining the knowledge, skills, and abilities (KSAs) required to excel in a given role. A well-designed model will identify the KSAs and associated behaviors needed to establish competence, and prioritize them as beginner, intermediate, or advanced.
Building a competency model is a painstaking process. The skills needs it identifies should be aligned with your organization’s strategic plan, as well as with National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Before establishing the skills needed for each position, you should review existing job descriptions and solicit feedback from technical team members to get their ideas. You can also use external sources, such as the Ministry of Labor’s Career Information Network (O*Net online).
Creating a skills model, assessing each team member, and creating a training plan to increase their cybersecurity skills takes time, but it’s worth it.
2. Assess and measure cybersecurity skills
With a cybersecurity competency model in place, the next step is to see how your technical teams compare to this model. A thorough assessment of the skills you have will provide a clear view of the organization’s skills gap. This can help determine where training is needed, where resources should be allocated, and how to proactively prepare for future threats.
You can identify skill sets using a combination of several types of assessments.
- Employee self-assessments. Ask employees to use the model to assess their own competence.
- Surveys or interviews. Asking employees what skills they have and want to acquire can provide valuable information.
- Cybersecurity skills assessments. Use a skills checklist or practice assessment to determine the skills needed.
- Performance reviews. Include questions about professional development goals and what employees consider their strengths.
- work products. Collecting work samples from each team member can help assess their skills.
- Evaluate and measure with a rubric. Having competent managers rate employee skills against a rubric can identify skill gaps.
3. Identify team-level strengths and weaknesses, as well as skill silos
Just as important as assessing individual skills is identifying skills gaps at the team level. A strong team should have a diverse mix of technical, cybersecurity, and professional strengths. Assessing the team as a whole can identify a missing key skill, such as familiarity with penetration testing, that could put the organization at risk.
It’s also important to identify skill silos, where, for example, only one team member has knowledge of a priority topic, such as PCI standards. Team assessments can help you make informed decisions about training and development, prioritizing the skills they need most.
4. Track the effectiveness of your efforts to close the skills gap
Once skill needs are identified, organizations can fill the gap either by hiring new team members or by training existing members. Training can be accomplished through several methods, including instructor training, online courses, mentoring, peer learning, webinars, and job shadowing/sharing.
An essential step at this stage is to measure the success of your skills strategy. Tracking how many team members have learned new skills is a key metric. Other critical metrics include overall team skill levels and the number of threats averted through skill enhancement.
Closing the cybersecurity skills gap starts with identifying the skills that are lacking in your technical teams, then prioritizing the skills your organization needs most and acquiring them through training or hiring. This is quite a laborious process, but necessary to improve the security of your organization. Rather than talking about the lack of skills, you will do something about it.
Dr. Heather Monthie is Head of Cybersecurity Training and Education at Offensive Security.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including data technicians, can share data insights and innovations.
If you want to learn more about cutting-edge insights and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.
You might even consider writing your own article!
Learn more about DataDecisionMakers