Cybersecurity Workforce Planning
Workforce planning is a systematic way for organizations to determine future human capital requirements (demand), identify current human capital capabilities (supply), and design and implement strategies to transition the current workforce to the desired future work state. Best in class workforce planning is designed in a repeatable and reliable fashion, highlighting risks and forecasting needs over time.
Effective workforce planning highlights potential risk areas associated with aligning the workforce to work requirements. Applied correctly, workforce planning allows organizations to adjust resources to meet future workloads, patterns of work, and fundamental changes in how work is accomplished. A workforce planning approach must fit the needs of a specific organization and account for unique characteristics of the cybersecurity profession.
Leading practice workforce planning consists of three components:
- Process: Establishing an integrated and consistent means of diagnosing workforce needs and risks. This includes a defined model, data, and analytics.
- Strategy: Providing a direct line of sight between business and workforce requirements. This includes a shared vision, governance, and continuous monitoring or performance.
- Infrastructure: Supporting execution of an effective and repeatable workforce planning process. This includes a healthy workforce of people, collaboration across levels and enabling technology.
Using a Workforce Planning Process, such as the example provided below, an organization can conduct a cybersecurity workforce and workload analysis, enabling it to identify current and future needs and potential gaps which may impact an organization’s ability to meet goals and objectives.
Additionally, cybersecurity workforce planning will require a shared vision and performance management. A shared vision will provide a common language and taxonomy to define cybersecurity workload and workforce allowing agile response to emerging technology and new threats. Performance management is also
One of the most important aspects of workforce planning is identifying the workforce and workload requirements that impact the nature of the work performed. Workload and workforce requirements are the unique characteristics that make one profession different from another, and may change how workforce planning is executed for that workload or workforce. NICE found unique workload and workforce requirements specifically important to cybersecurity:
- Surge Capacity– the need to expand resources and capabilities in response to prolonged demand
- Fast-paced– the need to sustain multiple work streams occurring rapidly
- Transformative– the need to adapt to fundamental changes to technology, processes, and threats
- High Complexity– the need to employ a large number of intricate technologies and concepts
- Agile– the ability to shift between roles or needs should a threat warrant different support
- Multi-functional– the ability to maintain and execute a variety of activities at any given time
- Dynamic– the ability to provide for constant learning to effectively approach new endeavors and problems
- Flexible– the ability to move into new roles or environments quickly to increase knowledge and skills
- Informal– the ability to work in a nontraditional environmen
Coupled with workforce planning best practices, these requirements help identify workforce planning needs as they apply to cybersecurity.
NICE recommends cybersecurity workforce planning use a two-pronged approach. As outlined above organizations should use workforce planning to identify cybersecurity skills, proficiency gaps and workload. Organizations should develop an approach that integrates best practices for workforce planning specific to cybersecurity with the seven categories of the National Cybersecurity Workforce Framework—providing a standardized and categorized way from which to build this approach. Secondly, organizations should use a Capability Maturity Model to apply the elements of best practice workforce planning to analyze their cybersecurity requirements and maturity needs.
Click here to read more information on NICE’s approach to cybersecurity workforce planning.
The NICE Capability Maturity Model (CMM)
As the cybersecurity workforce continues to evolve, and organizations track and manage against the changing cybersecurity environment, understanding where current workforce planning capabilities lie and how to develop those capabilities has become increasingly important.
A capability maturity model (CMM) provides a structure for organizations to baseline current capabilities in cybersecurity workforce planning, setting a foundation and consistency of evaluation. It allows organizations to compare their capabilities to one another, and enables leaders to make better decisions about how to support progression and what cybersecurity human capital initiative investments to make.
NICE’s CMM segments key activities into three main areas: 1) process and analytics, 2) integrated governance, and 3) skilled practitioners and enabling technology.
Process represents those activities associated with the actual steps an organization takes to perform workforce planning and how those steps are integrated with other important business processes throughout the organization.
Analytics represents those activities associated with supply and demand data and the use of tools, models, and methods to perform workforce planning analysis.
Integrated governance represents those activities associated with establishing governance structures, developing and providing guidance, and driving decision-making. It is the building block to an organization’s overall workforce planning strategy and vision as well as assignments of responsibility, promotion of integration, and issuing of planning guidance.
Skilled Practitioners represents the activities associated with establishing a professional cadre of workforce planners within an organization. Enabling Technology represents the activities associated with the accessibility and use of data systems.
Using the NICE Maturity Model
The NICE Cybersecurity Workforce Planning CMM has three maturity levels. These levels are limited, progressing, and optimizing. Limited is the most basic level, portraying a key activity area or segment of an organization’s cybersecurity workforce planning capability that is in its infancy. This level of capability is at its start of development and may be represented by an organization having limited establishment of processes, lacking clear guidance or having little in terms of data and analysis methods. The progressing level describes a key activity area of some aspect of cybersecurity workforce planning which an organization has started to perform, commonly represented by an organization establishing some infrastructure to support workforce planning efforts. The final level of maturity, optimizing, depicts a key activity area or segment of cybersecurity workforce planning capability that has fully developed, such as one that is integrated with other business processes and can support different levels of workforce and workload analysis, the results of which drive short and long term decision making for the cybersecurity workforce.
It is important to note that organizations will have differing goals when it comes to the maturation of the cybersecurity workforce planning capability and that all organizations do not need to reach the optimizing state for all key areas. This decision should take into account many different variables. Leaders need to assess the impacts of: allocation of resources, implementation, timing, and return on their investments. Therefore, organizations should view their maturity rankings less as a grade or judgment and more as an indication of resources spent on workforce planning. Having a “limited” maturity level does not equate to “bad” workforce planning, but rather that the organization has not dedicated resources to partially or fully develop that aspect of the maturity model, and that there are extenuating circumstances for that outcome.
In order to use the model, organizations must have an accurate understanding of their current workforce planning capabilities as they relate to the three segment areas, with the ability to site-specific evidence of conducting related activities. An organization’s current capability is the springboard upon which to build further maturity, using the CMM to pinpoint necessary next steps and decision points for progression. NICE recommends a three-step process to using the CMM determine an organization’s current cybersecurity workforce planning capability and progress individual organizational maturity along the continuum:
- Gather data on qualitative CMM variables
- Analyze data and determine current maturity levels by CMM key area
- Determine priority areas for increased maturity and develop action plans
No matter an organization’s maturity level, an organization would realize several benefits by practicing strong cybersecurity workforce planning. These benefits include, but are not limited to:
- Increased consistency in execution of organization-wide cybersecurity workforce planning activities;
- Enhanced data-driven decision making and analysis around shaping, building, growing, and supporting a cybersecurity workforce;
- Enhanced confidence and credibility from the field in headquarter decisions and guidance on cybersecurity workforce planning;
- Decreased response times to analysis requests and external reporting requirements, enabling timely and proactive decisions to modify or change cybersecurity workforce policy as needed; and
- Increased organizational alignment and pragmatic solution development between workforce, human capital, budget, and strategic planning organization sections or departments.
Click here to read the white paper that provides more information on NICE’s approach to using a capability maturity model in improving an organization’s cybersecurity workforce planning capability.