Do you know if your cybersecurity workforce is competent?

November 30, 2017

Reduce Cyber-Risk With a Competent Cybersecurity Workforce

There is a huge gap between the large number of available cybersecurity positions and the limited number of qualified resources to fill those positions. The cybersecurity workforce gap is on track to hit 1.8 million by 2022, according to the Global Information Security Workforce Study (GISWS) from Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)², Booz Allen Hamilton, and Alta Associates. That number represents a 20% increase since 2015. The report also found that 87 percent of cybersecurity workers started their careers doing something different, which is juxtaposed against the 94 percent of hiring managers who indicated they were looking for staff with existing experience in the field. This hints at one possible reason for the skill gap issue: Leadership may not fully understand the needed cybersecurity competencies, according to the results of the GISWS report.

When taken in the context of business security risk, this competency gap has some very unsettling consequences. As the principles of supply and demand would dictate, this drives up salaries to the point that only the organizations with the deepest pockets are able to draw in the limited population of trained cybersecurity workers. Employers who can afford it pay exorbitant premiums for these limited resources. Other employers have to fill cybersecurity positions with lesser-skilled or even non-skilled resources. These higher premiums also attract unscrupulous individuals who can write a good resume, but don’t always have the skills and knowledge to back it up.

At the same time, the cybersecurity landscape is growing more dangerous. The sophistication and volume of attacks are increasing at an alarming rate. Businesses are under assault like never before from cyber threats, and the cost and severity of the problem are escalating almost daily. According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks, assaults which flood a system’s servers with junk web traffic, jumped globally by 172% in 2016, and they expect the total to grow to 3.1 million attacks by 2021. The sheer speed of technology innovation is challenging cybersecurity training entities to think differently about how to deliver course materials that can pivot quickly enough to stay in sync with industry trends. Many programs are only capable of producing graduates for one particular time and place and are unable to produce quality cybersecurity resources in the face of constant change.

Just to quickly summarize:
– There is a gap between the limited number of talented and available cybersecurity resources and the ever-growing number of available positions,
– There is a high probability that many cybersecurity resources are not fully competent and may be placed into positions of potential risk,
– The velocity of change in the threat landscape and the sheer speed of technology innovation require currently talented cybersecurity resources to continually and dynamically update their skills and knowledge to remain competent, and
– The level of business risk continues to rise as the number and severity of cyber-attacks continue to surge.

The underlying theme is the level of competence within the organization’s cybersecurity workforce. Ensuring that 1) the organization is hiring cybersecurity resources at the expected competence level, 2) the competency of current resources is kept evergreen, and 3) the overall organizational cybersecurity risk is reduced is a huge challenge for organizations that don’t have a means to systematically manage competencies across the enterprise.

A Competency Management System (CMS) is the foundational component supporting all aspects of cybersecurity human capital management across the entire business enterprise. This includes (but is not limited to):
– Recruiting and Hiring
– Talent Development and Retention
– Job Performance and Evaluation
– Succession and Continuity Planning
– Learning Management
– Strategic Cyber Talent Resource Planning

A robust CMS reduces cyber risk, enables a capable tactical cybersecurity workforce, informs important business decisions, and empowers business strategy. A well-implemented and intelligent CMS increases a company’s cyber agility, better positioning the organization in today’s high-risk, dynamic, and challenging cybersecurity environment.

Every cybersecurity job/role in an organization should have an associated set of specific competencies and the individuals who would perform the job/role would need to have those precise competencies in order to adequately perform within that job/role. These competencies are a set of individual performance behaviors which are observable, measurable and critical to successful individual and company performance. They define the unique characteristics of a person’s experience, knowledge, and skills which result in an effective and superior performance in a specific cybersecurity job/role. Competencies (with their specific behavioral indicators) facilitate the evaluation and demonstration of appropriate cybersecurity skills and knowledge.

Organizations should align the cyber resources’ development plans with the organization’s unique cybersecurity needs. They should then continually consider the long- and short-term cyber environment and identify the necessary skills, knowledge, and competencies which support the ever-changing landscape. The review of needed competencies should be accomplished at regular intervals and updated often. Resources that are competent today may not be competent next week, as the dynamic skills and knowledge needed in the rapidly evolving cybersecurity industry continue to change.

A robust CMS for your cybersecurity resources will mitigate cyber-risk, provide proof of competent cybersecurity personnel to interested stakeholders (investors, C-level leadership, customers, insurance agencies, government, and regulators), and demonstrate that employees and contractors are competent to carry out the tasks they are required to perform and that they are continually developing alongside the introduction of new cybersecurity technology, threats, and regulation. Developing internal candidates will save time and money on recruiting, on-boarding, and training. Additionally, creating a career path and demonstrating advancement and promotion opportunities through development can help retain top talent.

Businesses know they need to bolster technological defenses, build a cyber-aware organizational culture, and mitigate overall cyber-risk to remain competitive and maintain or improve business value. Viable organizations realize their sustained success depends on how capable their cybersecurity resources are. They also recognize that formal education doesn’t necessarily equip these resources with the appropriate skills to thrive in the workplace. Smart organizations ensure:
– Individual cybersecurity competencies meet the specific requirements defined within their cybersecurity policies, processes, and objectives,
– The resources are continually evaluated against evergreen/updated competency requirements, and
– Proof of a competent cybersecurity workforce is maintained.

The administration of an organization’s cyber talent management processes with a structured and well-managed CMS is pivotal to success.

Boxley Group’s Competency Management System With CompetencyIQ®

Boxley Group’s robust and intelligent CMS with CompetencyIQ® is a technical and professional workforce development program which proactively supports an organization’s need to attract, retain and develop a competent, efficient, and competitive cybersecurity workforce that is prepared to reduce cyber-risk, and deliver business and strategic objectives.

The CompetencyIQ® solution supports the CMS by giving clear visibility into the needed cybersecurity competencies across the organization, providing a detailed operational perspective of organizational capability rather than the traditional HR viewpoint. CompetencyIQ® uses objective quantitative metrics to measure and manage competencies, yielding intelligence and insight into the cybersecurity competencies of individuals, teams, and the overall organization.

In today’s diverse cybersecurity environment, organizations need to identify and rapidly develop a competent cybersecurity workforce, with comprehensive documentation, in an increasingly mobile, dynamic, and global workplace. To be successful in this environment, organizations need to clearly identify and properly manage the ever-changing cybersecurity competency landscape of their contracted and/or professional workforce. Many businesses are struggling with inadequate technology and internal processes for selecting, evaluating, developing, and retaining top cybersecurity talent.

Due to litigation, statutory and regulatory requirements, and competition, the cybersecurity industry is putting increasing pressure on organizations to prove their workforce is competent. A competent cyber-workforce is a major component of ensuring reduced financial risk, mitigating legislation, and maintaining brand reputation. Examination of the causes of cybersecurity breaches has led the industry to conclude that it’s not just about technology or process failure. It is the organization’s ability to behave in the right way, at the right time, which can make the difference between a major cybersecurity event occurring or not.

Hence, there is an imperative for businesses to continually identify and document any employee job/role related cybersecurity competencies, assess and determine any competency gaps, and then address those gaps in a timely and recordable manner. The requirement is not only to assure the competence of employees, but also to be able to prove it.

Boxley Group’s CMS with CompetencyIQ® is simple to use, adaptable, accessible, and relevant to your organization’s staff and managers. It is more than a piece of software, but it is the design of the software solution which facilitates these success factors.

The nature of cybersecurity is becoming more complex; measurable skills and knowledge requirements are overtaking the traditional training activities in the workforce. The ability to attract, select, develop, and retain cyber-aware people is becoming a primary driver of business strategy.

Whatever the nature of the organization, the competence of its people is the key to achieving business goals and objectives. It is also critical in ensuring a strong cyber-aware performance. The need for an organization-wide CMS is paramount within the organization and its supply chain.

For more information about establishing a robust Competency Management System, or how to get more out of your existing Competency Management framework, please go to
