Let’s start with the usual clichés:
“Business (and society itself) is increasingly dependent upon technology.”
“The roles of information security, risk management and assurance are vital to providing confidence and trust over our use of technology and information, and thus business ability to leverage them for opportunity and gain.”
Of course, we would love to help protect business, government and society itself but first we say that we need resources and decry that our Profession faces a great skills-shortage. So, let’s explore what “skill” should mean within the Information Security Profession and why, as a result, we set the bar too low and fail to deliver the confidence that employers, peers and customers really need in us.
This article discusses why we urgently need to raise the bar and why The SABSA Institute’s Competency Development Programme is vital to both an Architect’s career and realisation of benefit and value in their organisation.
A Skills Shortage with the Wrong Focus
When we discuss a “skills shortage” we typically refer to a supply chain issue: that we do not have enough people with the right skills, and that the educational pipeline to develop and supply those skills to industry is worryingly thin.
In doing so we view the skills issue through a concave lens that diverges the focus outward – an explicit viewpoint to the skills-supply services from external domains. However, I as an employer look at skills requirements in a different way: I often need to look inward through a convex lens focussing implicitly to the capabilities of my own internal domain. The conclusion for many employers is painful for our industry to hear: never mind the external pipeline – many of the security professionals we already have in place do not possess the correct competence to deliver to business needs!
But we have absolute belief that we have the skills to do our jobs, we are sure we are the right people to undertake such important roles, we operate with integrity and we generate trust. So how can such a ‘shocking’ claim be justified?
Skill (noun): the ability to do something well; expertise
As a Profession we can be extremely busy “doing something well” without being productive doing the things that matter most. As a Profession we can be extremely good at deploying controls to comply with a standard or so-called “best practice” without any real understanding of what those controls are contributing to business performance and value. As a Profession we may have admirable skills to prevent malware but often lack an ability to articulate how that contributes to core business values and functions. As a Profession we can possess the skills to conduct risk assessments on technical issues but lack the competence to measure, translate and communicate risk in business terms or to balance technical risk with business opportunity.
Knowledge & Skill without Competence: A Road to Failure
Our profession has countless training courses and certification programmes that teach knowledge and many that develop skill. But teaching and certifying knowledge tells us little about a professional’s skill to apply that knowledge; and certifying skill provides little confidence over a professional’s competence to interpret and deliver to unique value context in an ever-changing environment.
Not for the first time, our profession may be guilty of both setting the bar too low and failing to understand its own purpose in the bigger picture that we are employed to serve. Knowledge is not enough. Skill falls short of the requirement. We may develop the knowledge and skill to do a job but not always the competence to recognise the right job, execute it, and articulate its value in true business terms. To deliver knowledge and skill without competence is ultimately following a path that will fail to deliver.
Professional Development: An Eternal Corporate Dilemma
We have all heard it:
“People are our most valuable resource.”
It is expected that we know what should be done and we know why, how, when and where to do it. We should indeed be recognised as a valuable resource, critical to business success. And yet even in the age of such a high profile for Information Security its professionals are often perceived as acting as a “business prevention department” obstructing progress and restricting innovation.
Could it be that the elephant in the room is our own lack of competence to articulate value to our unique organisational context?
When times are tough it is the organisation’s supposedly most valuable resource that gets cut. When budgets are strained we often supress training and professional development.
Could it be that hiding under the rug is the fact our Enterprise Masters perceive little-to-no strategic business value from those training programmes?
When the economic climate is stressed it creates pressure on all of us to perform at the highest standards and deliver quick results. Gains in this situation can be short-lived and potentially counter-productive: we are so busy just getting through the day that no framework is created and no competence is developed to solve the critical problems of tomorrow.
Could it be that the capabilities to reignite business performance, to be proactive, strategic and innovative are sacrificed at the altar of dealing with today’s blazing fires?
When it comes to workforce development, career progression and corporate investment in people, it turns out that ‘Urgent’ and ‘Important’ are not the same thing. It is not knowledge of today’s job function, but the capability to innovate tomorrow’s solutions that creates value, especially so in difficult economic conditions when the key to market leadership is the ability to reignite performance and generate momentum for growth.
But competence to apply knowledge and skill is not widely taught in our profession and we find ourselves short of the mark.
To transform the security “business prevention department” into a centre of excellence for business enablement, we must recognise that business value creation is the ultimate reason we even have a role. We must deliver an holistic through-life capability as a fundamental principle of our professional development plans. We must balance and enhance operational knowledge to do today’s ‘job’ with the needs for infrastructure capability development, and create the competence to align and drive the entire security function from strategic business requirements and values.
Unlike the approach of many training initiatives by technical vendors or member bodies, The SABSA Institute’s competency-based professional development framework is not measured in hours or points but in outcomes.
Knowledge-based competencies such as define, list, and explain may establish a baseline of security principles and language but interpreting these as a ‘gold standard’ for a professional is short-selling the profession itself. It is the rarely-taught Advanced competencies such as apply, solve, plan, create, integrate, and invent that form the focus of value-creation for business.
That is why The SABSA Institute’s educational and certification programme focuses on the link between professional competence and workplace effectiveness – the ability to tackle new thinking, solve problems, innovate strategic solutions, deal with continuous technical, organisation, cultural or political change, and the capability to drive value and success.
Competence is Value
The Return of Value for the business is significantly greater from investment in competence-based development programs for security professionals.
Here are just ten of the many benefits than can be leveraged from SABSA’s advanced professional competencies:
- Self-Efficacy – Having Advanced competence tested and accredited by a true professional Institute increases ability to demonstrate accomplishment, business worth and value, and contributes to professional identity.
- Self-Determination – Professionals who take a planned approach to advanced competency development tend to move up the career ladder more quickly and, perhaps more importantly, in the direction of their choice.
- Versatility to Meet Changing Expectations – Advanced competence, skills, attitudes and values enable and empower a security professional to meet the ever-changing expectations for performance assigned by employers, peers and customers.
- Create & Grasp New Opportunities – The ever-changing world in which we live presents risk but it also creates opportunity. Professionals with advanced competence to align security with fast-moving business strategy have greater potential than those who can operate today’s technical solutions.
- Competitive Edge – Development of strategic competence to solve tomorrow’s unknown future problems generates competitive advantage over those with mere knowledge of today’s facts.
- Confidence – Investment in a professional’s ability to update, modify and innovate generates confidence to deal with change and creates the ability to make valuable business decisions that balance opportunity with risk.
- Productivity – The more productive a professional, the greater that professional’s value to employers. Advanced competence increases vitality and accelerates productivity.
- Effective & Efficient – Advanced competence drives workplace effectiveness, efficiency and accuracy.
- Astute, Perceptive & Discerning – The knowledge to do things well is much less powerful and beneficial than the competence to evaluate context and do the right things excellently.
- Status, Recognition & Career Progression – Raising the status quo and being equipped to drive and deliver on strategy leads to recognition of business value contribution that opens greater leadership opportunities.