SFIA, the Skills Framework for the Information Age, has become the globally accepted common language for skills in the digital world. It provides descriptions of skills and responsibilities for professionals in and around information and communications technology.
SFIA is used in nearly 200 countries and is growing fast. It enables individuals to easily assess current skills and levels, identify skill goals and plan professional development, and match skills to roles and jobs.
SFIA Version 6, released in 2015, contains 97 skills, each described at one or more of 7 levels of responsibility. To aid navigation, SFIA structures the skills into 6 categories, each with a number of sub-categories. It also describes 7 generic levels of responsibility, in terms of Autonomy, Influence, Complexity, and Business Skills.
One of the areas that has grown since the publication of V5, and is therefore reflected in V6, is the area of cybersecurity. SFIA V5 contained three core skills for security professionals: Information assurance, Information security and security administration. All of these were updated in V6, including adding a level 7 description for Information security and level 1 and 2 descriptions for Security administration.
SFIA V5 also contained 10 skills which specifically included the word ‘security.’ Investigation identified another 22 SFIA skills which were regularly used to describe the roles of security professionals and were needed for security capabilities, but didn’t include the word ‘security’ anywhere. Apart from demonstrating the limitations of using word search to identify relevant skills—which sadly many users resort to—it highlighted how much coverage SFIA already had for this area.
Security references were specifically added to Solution architecture, Systems development management, Programming/software development, and Testing.
Digital forensics (DGFS), and Penetration testing (PENT) were also added to the skills list in V6.
SFIA works well with the various cybersecurity frameworks and information security standards. However, it covers a much wider scope, defining skills needed across the complete digital information and communications technology landscape.
With regard to digital forensics, cybersecurity and information security, SFIA is being used to help quantify and close the skill/capability gaps, providing a consistent model for all (ICT) professions.
It’s not just about determining the headcount gap regarding the number of cybersecurity professionals, but it assists in understandinghow organisations can build their own cybersecurity capability.
By understanding the unique skills required, organisations can determine if the gaps are in knowledge, role design and/or professional skills. It helps determine who needs upskilling, which roles may require a redesign, and identifying relevant training, mentoring, knowledge transfer and other development activities.
Of course, security is just one of the many ICT elements covered in SFIA. Organisations and governments around the world use SFIA in a multitude of different ways, from defining role profiles and job descriptions to recruitment and procurement. SFIA is also utilized in talent and skills management to quickly identify an individual’s skills, the skills they may be lacking, and recommendations for further education and training.
Note: Matthew Burrows is speaking on this topic at ISACA’s EuroCACS conference in Cophenhagen this month. Learn more about the conference.
Matthew Burrows Managing Director,
[ISACA Now Blog]