The Path to Cyber Resilience – Integrating SFIA and CIISec for a Skilled Security Workforce
Andy Andrews
Introduction
Research on behalf of the UK Department for Science, Innovation and Technology (DSIT), published in September 2024, explored the degree of cyber security skill gaps and skills shortages. The research was based on surveys of cyber sector and non-cyber sector businesses, as well as on sources such as the Lightcast labour market database. One of the stand-out findings from this research shows that 44% of companies have skill gaps in basic technical areas, that is, for skills that enable employees responsible for cyber security to carry out basic tasks specified in the government’s Cyber Essentials scheme. The DSIT report also states that “27% have gaps in advanced skills, such as penetration testing.” The report is well worth a read!
Addressing Cyber Skills with SFIA and CIISec
The DSIT report provides insightful information on which skills are missing or fall short and their impact on the cyber security labour market. While there are encouraging signs of growth in cyber skills and roles, challenges remain regarding recruitment, skills shortages and staff turnover. A skills-based approach addresses these challenges but requires a shared definition of the skills in question, a common skills taxonomy.
The Skills Framework for the Information Age (SFIA) and the skills framework from The Chartered Institute of Information Security (CIISec) provide a robust foundation for defining cyber skills precisely, supporting their use in assessing proficiency, identifying and addressing skill gaps, defining recruitment requirements, and attracting and retaining talented cyber professionals.
The most recent incarnation of SFIA (version 9) strengthens support for cyber skills. The SFIA Foundation has also introduced a cyber skills view that focuses on cyber-related skills among the 147 skills in the new version of the framework. The CIISec framework focuses entirely on cyber skills and has recently been updated.
CIISec provides guidance on mapping the skills from its framework to equivalent SFIA skills. There are several approaches to using the two frameworks in tandem so as to benefit from both of them. The synergy between the two frameworks can help organizations build a workforce that is not only technically skilled but also adaptable, certified, and ready to meet emerging challenges.
SFIA/CIISec Adoption and Integration for Talent Processes
Below is a well-structured six-step approach to defining, assessing, and developing the essential cyber skills and maximising the benefit of the two frameworks.
Identify Threats and Business Needs
‘Start with the end in mind’ may sound like a cliché, but it’s exactly the right thing to do. Identify the biggest areas of threat and those that will have the biggest impact on the organization’s ability to operate and fulfil its business strategy. By evaluating organizational needs against these frameworks, you can better understand the skills required to address emerging cyber threats and industry changes.
Define Job Profiles
Identify each cyber job’s functional role and the part it will have to play in keeping the organization safe and secure. Break the job down into key responsibility statements and tasks. Use this information to identify specific skills that will support the ability to carry out these tasks and perform the job successfully. SFIA and CIISec provide excellent definitions and levels of proficiency that can be used to profile the jobs. Make sure to include behavioural competencies – perhaps ones not even defined by SFIA and CIISec – critical for cyber professionals, for instance, ‘Accuracy and Attention to Detail,’ ‘Problem-Solving’, and ‘Crisis Management.’
Design for the Future and Career Development
When designing job profiles, ensure that they are future-ready. That may sound difficult, but by utilising SFIA and CIISec—frameworks that are updated on a scheduled basis—and involving your cyber specialists and strategists in the job profiling process, you will increase your chances of getting it right. A regular review of cyber skills using the SFIA and CIISec standards enables organizations to adapt to new cybersecurity trends, technologies, and regulations.
Ensure that you build the jobs at various levels (seniority and/or grades) to support the development of career pathways. Defined career paths encourage cybersecurity professionals to pursue continuous growth, helping them stay relevant as the threat landscape evolves.
These approaches help ensure that the workforce has the necessary skills at various proficiency levels to handle current and future security challenges.
Assess Skills and Identify Gaps
Assess employees’ skills using the two frameworks to determine individual and organizational capability. The two frameworks provide clear definitions of demonstrable levels of proficiency that contribute to accurate assessment. Identify each employee’s gaps by comparing them with those required for successful job performance. Use aggregated assessment data to determine the organization’s cyber capability. This can also inform the ‘build or buy’ decision—whether to recruit for missing skills or develop employees’ skill levels.
Provide Learning Opportunities
Map learning of different types and media to the skills defined by SFIA and CIISec (Lexonis provides a service that does precisely that). Targeted learning and development (L&D) based on skill gap analysis, which results from skill assessment, ensures that it is based on real business needs. Such an approach is really powerful, particularly when it comes to cyber security skills—the business really cannot afford to get it wrong by not investing in skills that are evidently required for successful performance.
Integrate into Talent Management Processes
Embed SFIA and CIISec into recruitment, workforce management, career pathing, and L&D programs to ensure that all cyber security-related talent processes are aligned and that the organization fully benefits from the investment involved in using these frameworks. This will help to ensure that the workforce remains agile and capable of defending against evolving cyber threats.
Conclusion
Separately, SFIA and CIISec offer powerful frameworks for skills enablement in cybersecurity. SFIA v9 provides a structured approach to defining and assessing skills across various IT and cybersecurity roles, ensuring organizations can map, measure, and develop skills aligned with industry standards. CIISec is tailored specifically to the cyber security profession and offers detailed guidance on the knowledge, behaviours, and technical expertise required for the different roles within that sector. The two frameworks combined create a comprehensive solution for building, developing, and sustaining a future-ready cyber security workforce.
Lexonis and SFIA/CIISec
At Lexonis, we help clients build and shape job skill profiles by identifying the right skills for successful performance. Lexonis’ extensive library of job families, SFIA-based job profile templates, learning and development activities, and interview questions will help you fast-track your efforts and derive the benefits of implementing the framework. Allied with our experience of implementing CIISec, we are in the best position to help you make your implementation of cyber security skills with SFIA and CIISec a success!
If you are interested in learning more about how you can benefit from SFIA and CIISec, listen to Kevin Streater, the COO of CIISec, Andy Andrews, a SFIA Council member and Leah Prevost, a Lexonis SFIA Accredited Consultant by registering for our upcoming webinar:
How to Protect Your Organization Against Cyber Attacks by Using SFIA 9 and CIISec