4 steps to close the cybersecurity skills gap in your organization

The existence of a cybersecurity skills gap is widely accepted in business, industry and any other sector. All you have to do is look at the job numbers. The CyberSeek Global Security Heatmap identifies a total of more than 600,000 cybersecurity job openings in the United States alone. Since the same tool only identifies just over a million employees currently working in cybersecurity, the workforce needs to grow by at least 50% to even come close to demand.

Recognizing the shortage of cybersecurity professionals is one thing. However, identifying which skills that technical teams within your organization lack is another. And trying to address those gaps is just as difficult.

Understanding the skills your teams need is the first step to ensure they can prevent, detect, and respond effectively to threats. It can help development teams bring security controls to the design stage. And it can reduce the impact of cyber attacksboth on your organization and on those who use your software.

Here are four key steps you can take to identify the skills that are missing in your organization.

1. Build a Cybersecurity Competency Model

Organizations can start by defining the cybersecurity competencies needed for any job within your technical teams, describing the knowledge, skills and capabilities (KSA) needed to excel in a given position. A well-designed model identifies the KSAs and associated behaviors needed to establish proficiency, and prioritizes them based on beginner, intermediate, or advanced levels.

Building a competency model is a careful process. The skills requirements it identifies should be aligned with your organization’s strategic plan, as well as with the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework† Before capturing the skills required for each position, review existing job descriptions and seek input from technical team members for their insights. You can also use outside sources, such as the Department of Labor’s Occupational Information Network (O*Net Online†

Creating a competency model, evaluating each team member and creating a training plan to increase their cybersecurity skills takes time, but it is well worth the effort.

2. Evaluate and measure cybersecurity competency

With a cybersecurity competency model, the next step is to see how your technical teams compare to that model. A thorough assessment of the skills you have on hand provides a clear picture of the organization’s skills gap. It can help determine where training is needed, where to allocate resources, and how to proactively prepare for future threats.

You can identify skills using a combination of different types of assessments.

• Employee self-assessments† Let employees use the model to assess their own proficiency.
• Surveys or interviews. Asking employees about the skills they have and want to acquire can provide valuable insights.
• Cybersecurity skills assessments. Use a skills checklist or a hands-on assessment to determine what skills are needed.
• Performance interviews† Include questions about professional development goals and what employees consider their strengths.
• Work products† Collecting work samples from each team member can help assess their skills.
• Evaluate and measure with a scoring rubric. By having knowledgeable managers score employees’ skills according to a rubric, skills gaps can be identified.

3. Identify areas of team-level strengths and weaknesses, as well as skill silos

Just as important as assessing individual skills is identifying skills gaps at the team level. A strong team should have a diverse mix of technical, cybersecurity and professional strengths. Assessing the team as a whole can identify a key skill gap, such as familiarity with penetration testing, that could put the organization at risk.

It is also important to identify skill silos where, for example, only one team member has any knowledge of a priority topic, such as PCI standards. Team assessments can help you make informed decisions about training and development, prioritizing the skills they need most.

4. Track the effectiveness of your efforts to close the skills gap

Once skills needs are identified, organizations can close the gap by hiring new team members or training existing members. Training can be achieved through a variety of methods, including instructor training, online courses, mentoring, peer learning, webinars, and job shadowing/job sharing.

An essential step at this point is measuring the success of your skills strategy. Keeping track of the number of team members who have acquired new skills is an important metric. Other critical indicators include teams’ overall skill levels and the number of threats averted due to skill improvements.

Conclusion

Closing the cybersecurity skills gap starts with identifying the skills that your technical teams lack, then prioritizing the skills your organization needs most and acquiring them through training or hiring. It is quite a laborious process, but necessary to improve the security posture of your organization. Instead of talking about the skills gap, you’re going to do something about it.

dr. Heather Monthie is the head of cybersecurity training and education at Offensive Security†