From Skill Gaps to Cyber Strength – Unlocking Potential with the SFIA and CIISec Skills Frameworks

Andy Andrews


Introduction

Cybercrime is escalating fast – in both complexity and impact. Yet, while tech continues to evolve, one constant remains: your people are still your strongest line of defence.

The issue? There’s a global shortage of skilled cybersecurity professionals. According to the latest ISC2 workforce study, the shortfall has hit 4.8 million – up 19% in just one year. Even with 5.5 million professionals in the field, the demand far outweighs the supply¹.

This presents a clear risk for CISOs, CTOs and CHROs. Tools alone won’t save you. Without skilled people behind them, even the best defences can crumble.

That’s where skills frameworks like SFIA 9 (Skills Framework for the Information Age) and CIISec (Chartered Institute of Information Security) come in.

Why SFIA is a Game-changer for Cyber Roles

The SFIA² framework has become a global standard for defining digital and IT capability. Its latest release, SFIA Version 9, goes deep on cyber security, outlining specific skills such as Identity and Access Management, Cybercrime Investigation (CRIM) and Threat Intelligence.

SFIA structures skills across seven levels of responsibility, from Level 1 (“Follow”) up to Level 7 (“Set strategy, inspire, mobilise”). Each level is backed by behavioural indicators, giving a clear picture of what capability looks like at each stage.


Take the CRIM (Cybercrime Investigation) skill. At entry level (Level 2), it describes how a junior team member assists with evidence collection. At senior level (Level 6), it covers managing complex investigations, handling legal processes and shaping organisational strategy. That clarity is invaluable, especially when your cyber team spans multiple disciplines and maturity levels.

SFIA’s structure helps HR teams, L&D leaders, and cybersecurity heads align on what skills are needed, where gaps exist, and how to close them.

What CIISec Adds – Credibility and Progression

While SFIA defines the what, CIISec³ strengthens the how. As a professional body, it provides a framework designed by cyber practitioners and recognised across government, defence and enterprise sectors.

CIISec offers detailed job role profiles, mapped to knowledge, capability, and behaviour. These profiles support clear, role-based development – from analyst to principal consultant.

It’s not just theory. CIISec frameworks underpin:

  • Recruitment – with role templates and skill expectations
  • Development – via CPD pathways and member accreditation
  • Validation – giving leaders confidence that their teams can deliver

It aligns neatly with SFIA too. For instance, a CIISec-accredited IT Security Specialist might have SFIA levels mapped across skills like Threat Intelligence, Security Operations and Incident Management.

Together, these frameworks create a shared language – for both technical and business leaders.

Cutting Cyber Risk Down to Size with SFIA and CIISec

Using SFIA and CIISec isn’t about ticking a box. It’s about building genuine capability – and closing the human side of the cyber gap.

Here’s how:

1. Role clarity boosts resilience

Without frameworks, job descriptions vary wildly. This leads to mismatched hires, weak onboarding, and unclear responsibilities. SFIA and CIISec bring structure, defining exactly what’s needed at each level. That means better alignment, faster ramp-up, and stronger teams.

2. Skills-based hiring means fewer blind spots

Instead of relying on credentials alone, you can use SFIA to define must-have skills and then build interview and assessment processes around them. CIISec’s professional standards provide additional validation, reducing the risk of overpromising or underperforming hires.

3. Career paths retain your top talent

With clear progression mapped out, you can show your cyber teams a future in your organization. That’s powerful in a high-burnout field and helps reduce the cost of attrition.

4. Compliance and audit readiness are built in

Regulators and insurers increasingly want proof of capability. SFIA and CIISec frameworks allow you to document workforce competence, development, and readiness in a structured, repeatable way.

Cut the Fluff: Here’s How You Get It Done

Rolling out SFIA and CIISec doesn’t need to be complex. Start small, focus on priority roles, and scale as you go.

Here’s a tried-and-tested approach:

Step 1: Map your current roles

Compare job descriptions with SFIA and CIISec profiles. Where are the overlaps? Where are the gaps? Focus on roles tied to threat detection, vulnerability management, or incident response. These are high-value, high-risk roles where skills matter most.

Step 2: Assess skills and identify critical gaps

Assess your cyber team’s job-related skills using the clear skill definitions provided by SFIA and CIISec. Identify the biggest and most critical gaps.

Step 3: Align training and development

Based on the gaps identified, build development plans around SFIA levels and CIISec pathways. Use this to shape L&D priorities and mentoring programs.

Step 4: Track progress and impact

Use metrics like time-to-competence, incident response time, and audit readiness. Reassess regularly to stay aligned with evolving threats.

Step 5: Refresh annually

Review skills data, threat landscape, and strategic goals each year. Update your role profiles and learning paths accordingly.

It’s Time to Put People at the Heart of Cyber Strategy

Technology alone won’t solve cyber risk. What makes the difference is capability – the right people, with the right skills, in the right roles.

SFIA and CIISec offer a structured, human-first way to achieve that. They give you a shared language for building teams, growing careers, and proving expertise. They turn a chaotic skills landscape into a strategic asset.

At Lexonis, we bring these frameworks to life. With tools designed for people leaders, and consultants who speak both cyber and HR, we help you transform your workforce into a resilient, responsive, risk-aware function.

Want to See What This Could Look Like in Your Organisation?

Book a free consultation with Lexonis. We’ll create a tailored SFIA job profile for one of your cyber roles – and show you how to build clarity, capability and confidence across your teams.

About Lexonis

At Lexonis, we help clients build and shape job skill profiles by identifying the right skills for successful performance. Lexonis’ extensive library of job families, SFIA-based job profile templates, learning and development activities, and interview questions will help you fast-track your efforts and derive the benefits of implementing the framework. Allied with our experience of implementing CIISec, we are in the best position to help you make your implementation of cyber security skills with SFIA and CIISec a success!

References
  1. Employers Must Act as Cybersecurity Workforce Growth Stalls and Skills Gaps Widen, ISC2, September 2024
  2. SFIA 9 Cyber Security View, SFIA Foundation
  3. CIISec Skills Framework, Chartered Institute of Information Security
