Let’s face it, the skills gap for cybersecurity professionals is only growing larger year by year. It’s becoming tougher and tougher for organizations to find skilled people who can professionally handle the enormous task of securing your organization. Does this mean that you have to leave yourself vulnerable to malicious hackers and cyber criminals because you cannot find anyone? Of course not. It’s possible to train someone who is already part of your organization to become your next cybersecurity expert. How this is achieved will vary depending on your organization’s cybersecurity planning capabilities. Here are some tips for cultivating and training your next cybersecurity expert.

Preparation: Cyber Security Workforce Readiness

Before you begin training a cyber security expert, it’s important to understand what you need from one. If your organization has little to no established processes and lacks guidance for cyber security professionals or methods, you may need to train someone who will structure and lead the cyber security force. If your organization has some processes established and some infrastructure and funds allocated for cyber security, then training can be for less managerial roles. If your organization has fully developed processes, planning, guidance, and a clear division of labor, then cyber security training can be done to the task level or to any tier of work required. You can answer the following questions to understand whether your business is capable of supporting planning for a cyber security workforce.

  1. Processes: Do you have an established process(es) for consistently identifying the needs and risks in your cyber security workforce? Is there a common workforce planning model, data analysis, and reporting structure?
  2. Strategy: Is there a shared vision, governance model, and performance incentives in place between the business and the cyber security department? Are requirements for the business and the cyber security team understood?
  3. Infrastructure: Is there a healthy amount of human capital, collaborative culture, and technology available to support the present and future needs of the cyber security team?

Planning: Cybersecurity Team Skill Needs

Once you understand your organization’s cyber security planning capabilities, it’s recommended to establish a baseline of your current cyber security team. If you have none, then use the following as a guide for what to build towards. High-performing cyber security teams generally have the following characteristics:

  1. Agile: Can the team respond swiftly to any attacks or indicators that emerge at any time?
  2. Multifunctional: How diverse is the team’s range of skills, knowledge, and abilities?
  3. Dynamic: How fast and effectively can the team adopt new skills and methods to maintain security of the systems they are defending?
  4. Flexible: Can the team quickly change priorities for the day if required?
  5. Informal: Does the team work well under an informal structure where hours are flexible and they adjust scheduling to continuously achieve their mission?

Your assessment will likely be a qualitative one. Answering these questions and categorizing both the soft and hard skills required for the job will help you understand what is needed for an effective cyber security expert in your company.

Once the skills required are identified, you can then identify what your gaps are. With the skills and gaps identified, you can now develop a training program to cultivate those skills in existing staff who you determine are a good fit to transition into cyber security. Some of the most well-suited staff for cyber security are your current IT staff. They should already have a deep understanding of your network environment and some of its vulnerabilities. That advantage will save you a lot of time and money getting someone up to speed on the inner workings of your organization.

Cultivation and Training: NICE Cyber Security Framework

With the needs established from within your organization, it may now be a good time to review what the Department of Homeland Security recommends when it comes to developing your cyber security team. The National Initiative for Cyber Security Education (NICE) Cyber Security Workforce Framework was developed to serve as a blueprint for organizations to establish a common language for workforce development. From the DHS, here are the areas you want to train staff in:

  • Analysis:
    Specialized data review and evaluation of security information and refining that information into actionable intelligence.
  • Data Collection & Operations:
    Using industry-accepted strategies for data collection about your organization’s cyber security effectiveness. Additionally, continuously gathering information on developing threats that could impact the organization.
  • IT Forensics:
    Conduct a full-range investigation of security incidents and events to identify criminals, root causes, and exploited vulnerabilities.
  • Maintenance:
    Ensures systems are always operating with optimal cyber security measures in place. This skill set requires technical support, database administration, IP management, network servicing, system administration, and process analysis.
  • Cyber Security & Data Governance:
    Will need to communicate cyber security efforts to management and act as a liaison between the cyber security team and the rest of the organization. Additionally, will need to perform project management duties and strategic planning.

There are a few others, but this is the core of what your staff will need to know. It is advised to use the NICE Framework when cultivating your internal training program. With the NICE Framework, your cyber security team will be better managed and better equipped than those at many companies that are not aware of the framework’s existence. Maintaining the program will require collaboration with HR.

Establish Career Paths

Going into cyber security will be a transition to a new career path for many people. It’s a career path that they likely weren’t interested in before but may be now. It’s advised that you demonstrate to candidates how critical cyber security is to the market right now and what they will gain in skills, knowledge, and opportunity by agreeing to train as a cyber security expert.

Developing your next cyber security expert doesn’t have to be a challenge. Thankfully, many government agencies have your back in the process of development and encourage you to explore their resources to aid you in building out an effective team. Find out more about the National Initiative for Cyber Security Careers and Studies and leverage the federal resources available to you.

This article originally appeared in IT Security Central and was reprinted with permission.