Building and maintaining a strong, diverse, and technically effective cybersecurity workforce can prove difficult, but one method of simplifying this task is using a cybersecurity workforce skills framework to review the composition of an organization's current cybersecurity function.
Trustwave has worked with a number of organizations across a range of sectors – including financial services, higher education, and critical infrastructure – that have started to show an interest in undertaking (or are actively performing) this type of analysis over the last 12-18 months. The service is available through Trustwave Consulting and Professional Services (CPS). Interested clients can contact Trustwave sales or their CPS team member for more information about the service. Our team will then scope the work to their specific requirements and adjust the methodology for delivering it accordingly.
Let’s take a look at some of our lessons learned as we have embarked on performing these projects for our clients.
We believe this type of work can benefit many organizations and is a highly valuable way of applying rigor and strategy to the process of building out a cybersecurity workforce.
Here, we’ll share some context for the value of using skills frameworks, an overview of some of the frameworks that exist today, and a possible approach for using them to help develop a roadmap for building a suitable cybersecurity function within an organization.
As cyber threats and risks across all sectors of the global economy have continued to grow in size and complexity, many organizations have recognized the importance of either putting in place a dedicated cybersecurity function (where one did not exist previously) or enhancing the composition of an existing cybersecurity team to meet current and future organizational needs. This has been compounded by a range of external factors, including:
At the same time, cybersecurity has over the years become a much more established and mature vocation. The industry has moved well beyond the days when a team consisted principally of technical testers, infrastructure managers and risk and compliance analysts, with a fairly repeatable and easy-to-define set of skills.
The number of security-related roles – and the diversity and blends of skills and backgrounds required – has grown exponentially as a corollary to a much more complex and diverse threat landscape.
While this is in most respects a positive, it does mean the task of building an effective security function within an organization is not a straightforward exercise. Training and education delivery, legal interpretation, relationship building and stakeholder management, crisis management, and architecture-related skills (just to name a few) are now increasingly common requirements within security teams.
While some businesses may be lucky enough to have people with decades of experience in the industry who have cultivated a diverse set of skills and are therefore able to wear multiple hats, these folk are often the proverbial ‘unicorn.’ It’s impractical to expect every organization to easily find one – at least to start with.
Figure 1: The task of assembling a suitable cybersecurity workforce is no longer a simple one for most organizations
Further, a ‘cookie-cutter’ approach to creating a security function is simply not viable in most instances. Organizations need to build a team that consists of the appropriate blend of skills and knowledge - taking into account their unique set of needs and requirements - which may be influenced by:
In addition, finding the right people to build a security team – and making sure they are utilized effectively once on-board – has never been more challenging. Virtually every recruitment decision needs to be a good one in today’s highly competitive employment market for security talent.
The use of cybersecurity skills frameworks can provide an organization with a strategic way to employ a targeted approach to building a team suited to its needs in this environment.
As we will explain later in this article, there is no defined methodology for using cyber skills frameworks to undertake a workforce analysis. However, based on Trustwave’s experience in this space, the process can broadly be broken down into the following steps:
We’ll break these down further in the remainder of this article.
Depending on an organization's needs, the specific cyber skills framework that is going to be most useful for undertaking an analysis will vary. While this article does not cover all the different frameworks available in detail, suffice it to say that a number exist, and the choice as to which may be appropriate will ultimately depend on matters such as:
It’s important to appreciate that unlike control frameworks such as the NIST Cybersecurity Framework and ISO 27001 – which are inherently designed to assess the current state of an organization's security program – cybersecurity skills frameworks are not assessment frameworks. In other words, they aren’t intended to be taken off the shelf and used ‘as is’ to assess the state of an organization's cybersecurity workforce. They are more analogous to frameworks which provide a set of building blocks from which an organization can pick and choose to build a workforce that best suits its needs.
This, of course, inherently requires an organization to have already done (or be prepared to undertake) a reasonable amount of introspective analysis to consider its current and future state needs for its security team so that it can select the right building blocks. This is where the help of an external expert such as Trustwave can be valuable.
Trustwave’s methodology for delivering these projects will naturally be customized somewhat depending on the organization we are undertaking the analysis for. However, broadly speaking, and based on our past experience delivering these projects, it entails the following:
To assess an organization's capability gaps, Trustwave’s approach involves working with its security team to understand the needs for its cybersecurity workforce, both now and in the future (i.e., its ideal state). To ensure this is done as thoroughly as possible, inputs such as the following are typically used:
Once this phase is completed, Trustwave has a clearer understanding of the ideal state for an organization's cybersecurity function and its current capability gaps.
While it’s useful to identify a set of capability gaps for roles within a cybersecurity team, a truly macro-level workforce skills analysis requires some way of clearly explaining the degree to which those gaps result in a deviation from an organization's ideal state for its cybersecurity workforce.
To achieve this, Trustwave’s approach for our previous clients has used data obtained from the previous analysis phase to create a dual-axis heat map that reflects the gaps that are identified. Specifically:
Figure 2: An example of the heatmap that was used to represent the deviation from the ideal state - each circle represents an individual job role. Note that this data has been fictionalized and is not reflective of a specific organization.
Each of these axes effectively provides a way of visually representing the gaps for each actual job role as a proportion of the total skills, knowledge and task statements from the selected skills framework that are considered relevant for the role.
Of the two types of gaps, a misalignment between a position description and the tasks / skills performed in a role is far preferable to an actual capability gap, as the former is much more straightforward to resolve in most instances.
Any analysis of this nature is likely to result in a range of recommendations, based on the current state of the organization. Some examples could include:
For some of our clients we have also provided training plans that are useful for guiding the development of relevant soft and technical skills to help staff progress in their career development for each role within their security function, including considerations for on-the-job and course-based learning. Screenshots of these are provided below (a link is provided to sample training plans available on the Security Colony platform at the end of this article).
It is likely workforce skills analysis projects will become more frequent for cybersecurity teams in future. Devising a robust methodology for applying existing skills frameworks to undertake this type of exercise is paramount in providing appropriate value for an organization. If your business is considering undertaking a similar analysis, get in touch with Trustwave to see how we can help.