Develop Cyber Professionals in Three Dimensions

To help offset the shortage of cyber professionals, we need a map for setting up our current people for maximum success. To support this, I introduce the Cyber Success Vector™, a model for that three-dimensional approach. The three factors are:

1. Breadth: ensuring the team member has solid professional basics and work-role-specific knowledge, skills, and abilities (KSA).

2. Scope: as the team member moves up in scope of responsibility, newly required KSAs are developed.

3. Depth: ensuring the team member develops in their current work role, and they are consistently challenged.

Cybersecurity professionals are not only three-dimensional, but also in motion. They enter new work roles, strive for promotion, and hone their craft. In the movie, Mark Felt, the title character quotes his father as saying, “Whatever we do, we have to make our lives vectors, lives with force and direction.” I chose “vector” as the basis of this model because people are (and should be) constantly in motion. Helping guide and sustain that motion helps them, and it helps all of us.

The environment is also in constant motion. New technologies are introduced. Threat actors find new ways to organize and attack. While we should make room for those who make a home in one role, we must ensure they remain relevant. 

This is both art and science. As statistician George E. P. Box once said, “All models are wrong, but some are useful.” This model, like others, organizes one’s thinking, rather than magically providing the answers.

Breadth

The x, or breadth, axis of the model progresses from the foundational to the specific regarding specialization. Work-role-specific KSAs and attributes are dependent on personal, professional, information technology (IT), and cyber KSAs and attributes.

This isn’t all or nothing. Weaknesses are opportunities. In fact, having a broad set of backgrounds and talents on a team is good, as it reduces so-called “groupthink”. As Gen. George Patton once said, “If everyone is thinking alike, then somebody isn’t thinking.” It simply means there is an opportunity to broaden some of that individual’s foundational attributes or KSAs. 

The Cyber Success Vector™ integrates the National Institute of Standards and Technology’s Workforce Framework for Cybersecurity (NICE Framework) with other work such as the Army Leadership Requirements Model, the Principles of Marine Corps Leadership, Daniel Goleman’s work on emotional intelligence, Stephen Covey’s Principle-Centered Leadership, W. Edwards Deming’s 14 Points, and even Confucianism to develop well-rounded, adaptable, synergistic cybersecurity professionals at all levels of the organization.

Scope

As cybersecurity professionals move up in scope of responsibility, KSAs and attributes from the previous rung become less directly applicable and more contextual. They inform decisions and execute actions. However, their new responsibilities require KSAs and attributes they may not have needed until now. Those above and around them must come together as a cohesive whole to smooth this transition. If this “it-takes-a-village” effort isn’t taken, the dreaded Peter Principle is in play (as discussed in the first article of this series). This speaks directly to the Scope or y-axis of this model.

Many leaders see the role of those below them as helping them further the higher leader’s success in exchange for advancing them along as proteges. This is the patronage approach. However, the leader’s true success happens at the point where the attacker is detected, the vulnerability is patched, and the application input is sanitized. Everyone enables this by: 

• doing their part 

• in their role 

• in their scope

• as part of a team. 

That’s success.

Depth

Each new role should be challenging. This means the individual is growing. However, it is crucial that a hired or promoted individual not be simply left to their own devices. Again, it takes a village. Individuals must build and refine themselves for the duration of their time in the role and prepare for the next, if desired.

To make sense of this progression, I have chosen an educational framework called Bloom’s Taxonomy. Bloom’s describes how an individual achieves mastery over a subject matter. This is the last ingredient to add direction and motion to how people in cybersecurity progress. Now we can describe how much of each KSA and attribute it takes to perform at each role and scope. We can:

• describe where someone is

• describe what it takes to get where they are going, and 

• build a plan to do it.

Wrapping Up

• The shortage isn’t going away. The cybersecurity professional is not static. Indeed, the threat and technology environments are not. We need to do better with the people we have. 

• Frameworks such as NICE have provided organizations with an excellent way of identifying necessary KSAs. We need to use and build on those frameworks.

• We need to build professionals for the future of the profession, not just for right now. 

Order the book, The Total Pro: Future-Ready Cyber Talent Through the Cyber Success Vector™.

Read the other installments in this series at The Cyber Success Vector™ Article Series.

© 2024 GrayVector LLC, all rights reserved.

Cyber Success Vector is a trademark of GrayVector LLC. All rights reserved.

The preceding work contains the opinions of the author, and do not represent those of any other person or organization.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by GrayVector LLC or the author.

NO WARRANTY. THIS MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. THE AUTHOR MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. GRAYVECTOR LLC AND THE AUTHOR DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.