
Is this the Security specialist you were looking for?

I met with a customer recently who was trying to work out how to describe all the competencies they needed in the company. They needed to populate the skills and competencies module in their brand new HR system, which they’d just spent the last 9 months implementing and which was due to go live within the next week. The HR system had some constraints – it only allowed a maximum of 8 competencies, and had a 4-level structure so you could describe each competency at multiple levels. They had consulted all the senior managers in the IT department, and come up with an initial list which included “Security”, “Networks”, and “Service Management”.


All good, you might think! However, doubts were beginning to creep in about how this was actually going to work once they started trying to use the system for common tasks.

Their Approach


The plan, once the system was live, was pretty much identical to the multitude of other organizations that I’ve seen implement Human Capital Management (HCM) or similar Human Resources (HR) platforms over recent years:


  • Add all the Job Descriptions or Role Profiles into the system, complete with the competencies and levels needed for each job/role
  • Ask each employee to log into the system and select the competencies they have
  • Consider gaps that individuals have between their current competencies and those required for their job/role
  • Create a development action plan to address any gaps, including training, experience building, mentoring and any other development activity which the individual and their manager agreed would help


This isn’t the first time I’ve seen this – particularly in the last 2-3 years. I’ve lost count of the companies who have spent many millions of pounds on licences and project costs, and a year or more in time, but are left feeling they’ve not really got what they need.


How many skills and levels are needed?


Imagine you have one competency for “Security”, and then reflect on how you need to be able to use this. Even if your system allows you 4 levels that can be applied to the Security competency, you’ve still got to describe everything from setting security policy for the whole company, through designing security solutions for systems, configuring firewalls and network switches, investigating security breaches, digital forensics, penetration testing, internal and external auditing, through to security administration and granting someone access permissions to an application. Even just looking at an example for one of these specialisms, Digital Forensics, I think the descriptions of this skill at 3 different levels in SFIA (Skills Framework for the Information Age) illustrate the point:



Here are a few related scenarios, using a selection of our HasBean cartoons to help demonstrate how things can sometimes go wrong:






Development Planning for existing employees


Performance Reviews


Project Resourcing


Business Risk Mitigation




Existing Best Practice


Why make something up specific to your company when there’s already an internationally-accepted framework which describes the skills at the various levels that are needed?


SFIA, the Skills Framework for the Information Age, has been around for about 20 years, and is regularly updated to reflect the skills found out there in the Digital world. Through development and maintenance of this framework by people out there using it, we have found that 7 levels of responsibility are needed to describe everything from start skills for those in their first jobs, through practitioners, experts, and up to senior strategists and C-level activities. The current version includes 102 professional skills, each described at more than one of the 7 levels in the framework (390 skill-level descriptions to cover these combinations). SFIA also describes Autonomy, Influence, Complexity, Knowledge and Business Skills at each of the 7 levels, covering those critical aspects on top of the 102 professional skills.




8 competencies and 4 levels are not sufficient to deal with the specialisms within the domains of Digital, IT, Cybersecurity, Software Engineering and other technology-focussed skillsets that almost all companies are dependent on. The Human Resources systems are fine for supporting typical HR processes, and very high-level skills and competencies elements, but unless we accept the need to deal in a little more detail, we will end up recruiting the wrong resources, losing good existing staff, failing in projects and service delivery, and potentially being fined for data breaches and other compliance issues.

Take a look at how it should feel for an individual specialist worker, their manager, and the executive leadership in the organization.