From Skill Gaps to Cyber Strength – Unlocking Potential with the SFIA and CIISec Skills Frameworks
Andy Andrews
Introduction
Cybercrime is escalating fast – in both complexity and impact. Yet, while tech continues to evolve, one constant remains: your people are still your strongest line of defence.
The issue? There’s a global shortage of skilled cybersecurity professionals. According to the latest ISC2 workforce study, the shortfall has reached 4.8 million – up 19% in a single year. Even with 5.5 million professionals in the field, demand far outweighs supply [1].
This presents a clear risk for CISOs, CTOs, and CHROs. Tools alone won’t save you. Without skilled people behind them, even the best defences can crumble.
That’s where skills frameworks like SFIA 9 (Skills Framework for the Information Age) and CIISec (Chartered Institute of Information Security) come in.
Why SFIA is a Game-changer for Cyber Roles
The SFIA framework [2] has become a global standard for defining digital and IT capability. Its latest release, SFIA Version 9, goes deep on cybersecurity – outlining specific skills such as Identity and Access Management, Cybercrime Investigation (CRIM), and Threat Intelligence.

SFIA structures skills across seven proficiency levels – from Level 1 (“Follow”) up to Level 7 (“Set strategy, inspire, mobilize”). These levels are backed by behavioural indicators, giving a clear picture of what capability looks like at each stage.

Take the CRIM (Cybercrime Investigation) skill. At entry level (Level 2), it defines how a junior team member might assist with evidence collection. At a senior level (Level 6), it covers managing complex investigations, handling legal processes, and shaping organizational strategy. That clarity is invaluable – especially when your cyber team spans multiple disciplines and maturity levels.
SFIA’s structure helps HR teams, L&D leaders, and cybersecurity heads align on what skills are needed, where gaps exist, and how to close them.
What CIISec Adds – Credibility and Progression
While SFIA defines the what, CIISec [3] strengthens the how. As a professional body, it provides a framework designed by cyber practitioners – and recognized across government, defence, and enterprise sectors.
CIISec offers detailed job role profiles, mapped to knowledge, capability, and behaviour. These profiles support clear, role-based development – from analyst to principal consultant.
It’s not just theory. CIISec frameworks underpin:
- Recruitment – with role templates and skill expectations
- Development – via CPD pathways and member accreditation
- Validation – giving leaders confidence that their teams can deliver
It aligns neatly with SFIA too. For instance, a CIISec-accredited IT Security Specialist might have SFIA levels mapped across skills like Threat Intelligence, Security Operations and Incident Management.
Together, these frameworks create a shared language – for both technical and business leaders.
Cutting Cyber Risk Down to Size with SFIA and CIISec
Using SFIA and CIISec isn’t about ticking a box. It’s about building genuine capability – and closing the human side of the cyber gap.
Here’s how:
1. Role clarity boosts resilience
Without frameworks, job descriptions vary wildly. This leads to mismatched hires, weak onboarding, and unclear responsibilities. SFIA and CIISec bring structure, defining exactly what’s needed at each level. That means better alignment, faster ramp-up, and stronger teams.
2. Skills-based hiring means fewer blind spots
Instead of relying on credentials alone, you can use SFIA to define must-have skills and then build interview and assessment processes around them. CIISec’s professional standards provide additional validation, reducing the risk of overpromising or underperforming hires.
3. Career paths retain your top talent
With clear progression mapped out, you can show your cyber teams a future in your organization. That’s powerful in a high-burnout field and helps reduce the cost of attrition.
4. Compliance and audit readiness are built in
Regulators and insurers increasingly want proof of capability. SFIA and CIISec frameworks allow you to document workforce competence, development, and readiness in a structured, repeatable way.
Cut the Fluff: Here’s How You Get It Done
Rolling out SFIA and CIISec doesn’t need to be complex. Start small, focus on priority roles, and scale as you go.
Here’s a tried-and-tested approach:
Step 1: Map your current roles
Compare job descriptions with SFIA and CIISec profiles. Where are the overlaps? Where are the gaps? Focus on roles tied to threat detection, vulnerability management, or incident response. These are high-value, high-risk roles where skills matter most.
Step 2: Assess skills and identify critical gaps
Assess your cyber team’s job-related skills using the clear skill definitions provided by SFIA and CIISec. Identify the biggest and most critical gaps.
Step 3: Align training and development
Based on the gaps identified, build development plans around SFIA levels and CIISec pathways. Use this to shape L&D priorities and mentoring programs.
Step 4: Track progress and impact
Use metrics like time-to-competence, incident response time, and audit readiness. Reassess regularly to stay aligned with evolving threats.
Step 5: Refresh annually
Review skills data, threat landscape, and strategic goals each year. Update your role profiles and learning paths accordingly.
It’s Time to Put People at the Heart of Cyber Strategy
Technology alone won’t solve cyber risk. What makes the difference is capability – the right people, with the right skills, in the right roles.
SFIA and CIISec offer a structured, human-first way to achieve that. They give you a shared language for building teams, growing careers, and proving expertise. They turn a chaotic skills landscape into a strategic asset.
At Lexonis, we bring these frameworks to life. With tools designed for people leaders, and consultants who speak both cyber and HR, we help you transform your workforce into a resilient, responsive, risk-aware function.
Want to See What This Could Look Like in Your Organization?
Book a free consultation with Lexonis. We’ll create a tailored SFIA job profile for one of your cyber roles – and show you how to build clarity, capability and confidence across your teams.
About Lexonis
At Lexonis, we help clients build and shape job skill profiles by identifying the right skills for successful performance. Lexonis’ extensive library of job families, SFIA-based job profile templates, learning and development activities, and interview questions will help you fast-track your efforts and realize the benefits of implementing the framework. Combined with our experience of implementing CIISec, this puts us in a strong position to help you make your implementation of cybersecurity skills with SFIA and CIISec a success.
References
1. Employers Must Act as Cybersecurity Workforce Growth Stalls and Skills Gaps Widen, ISC2, September 2024
2. SFIA 9 Cyber Security View, SFIA Foundation
3. CIISec Skills Framework, Chartered Institute of Information Security