By Matthew Burrows, BSMimpact. com
We ' ve talked for years about it not being all about technology. Many seem to have a love / hate relationship when it comes to process- some saying that we don ' t want more process. The merits, opportunities and challenges of cloud, digital, big data, dev / ops, agile, IoT, SIAM, standards, frameworks, and many other topics are all hotly debated. The subjects of people, knowledge, skills and competencies also contain many areas for potential disagreement. The latest versions of most of the international standards that we deal with, including ISO / IEC 20000( for Service Management), ISO / IEC 27001( Information Security), and ISO 9001( Quality Management) have been aligned, and extend their focus on people and their skills / competencies.
Recently I witnessed a disagreement between two experts over whether there is or isn ' t a skills shortage in our industry. The part that interested me was that they were able to have a disagreement because neither of them " knew " the answer. I was able to get them to agree on something, that we need an answer to the following questions:
What skills do we have? What skills do we need? The planning of any journey requires confirmation of the destination as well as the starting point, and the answers to these questions are critical to establish the starting point and the destination of the next leg of our skills and competencies journey, both at an individual and an organisational level. However, when I ask professionals at all levels around the world, hardly anyone is confident they can answer either of these questions.
What help is available? SFIA, the Skills Framework for the Information Age, has become the globally accepted common language for skills in the digital world. It provides descriptions of skills and responsibilities for professionals in and around information and communications technology.
SFIA is used in nearly 200 countries and is growing fast. It enables individuals to easily assess current skills and levels, identify skill goals and plan professional development, and match skills to roles and jobs.
SFIA Version 6, released in 2015, contains 97 skills, each described at one or more of 7 levels of responsibility. To aid navigation, SFIA structures the skills into 6 categories, each with a number of sub-categories. It also describes 7 generic levels of responsibility, in terms of Autonomy, Influence, Complexity, and Business Skills.
One of the areas that has grown since the publication of V5, and is therefore reflected in V6, is the area of cybersecurity. SFIA V5 contained three core skills for security professionals: Information assurance, Information security and security administration. All of these were updated in V6, including adding a level 7 description for Information security and level 1 and 2 descriptions for Security administration.
SFIA V5 also contained 10 skills which specifically included the word‘ security.’ Investigation identified another 22 SFIA skills which were regularly used to describe the roles of security professionals and were needed for security capabilities, but didn’ t include the word‘ security’ anywhere. Apart from demonstrating the limitations of using word search to identify relevant skills— which sadly many users resort to— it highlighted how much coverage SFIA already had for this area. Security references were specifically added to Solution architecture,
22 itSMFI Forum Focus— September 2016
Systems development management, Programming / software development, and Testing.
Digital forensics( DGFS), and Penetration testing( PENT) were also added to the skills list in V6.
SFIA works well with the various cybersecurity frameworks and information security standards. However, it covers a much wider scope, defining skills needed across the complete digital information and communications technology landscape.
With regard to digital forensics, cybersecurity and information security, SFIA is being used to help quantify and close the skill / capability gaps, providing a consistent model for all( ICT) professions.
It’ s not just about determining the headcount gap regarding the number of cybersecurity professionals, but it assists in understanding how organisations can build their own cybersecurity capability.
By understanding the unique skills required, organisations can determine if the gaps are in knowledge, role design and / or professional skills. It helps determine who needs upskilling, which roles may require a redesign, and identifying relevant training, mentoring, knowledge transfer and other development activities.
Of course, security is just one of the many ICT elements covered in SFIA. Organisations and governments around the world use SFIA in a multitude of different ways, from defining role profiles and job descriptions to recruitment and procurement. SFIA is also utilized in talent and skills management to quickly identify an individual’ s skills, the skills they may be lacking, and recommendations for further education and training.
What to do next In simple terms, use SFIA to do a baseline assessment to confirm what skills your individuals have, and provide a rolled up view of these for the organisation. We can help you to complete this in a matter of only a few weeks, and with relatively modest cost. There are always reasons not to do something, but I ' d argue that none of us can afford not to know the answer to these basic questions, and we should just get on with it.