Skills and Competence Development
Put in place an information security management training curriculum and other employee developmental mechanisms to enhance the skills and competences of employees in this area.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Skills and Competence Development at each level of maturity.
- 2Basic
- Practice
- Develop and begin to roll out some basic information security awareness training and development programmes.
- Outcome
- There is increased understanding of the role and value of information security in day-to-day business activities.
- Metrics
- # of training and development programmes available.
- % of IT employees who have taken training.
- % of business unit employees who have taken training.
- 3Intermediate
- Practices
- Develop and deliver information security training and development programmes that are linked to yearly target-setting.
- Provide on-demand training for selected employees, and support security certification and qualification programmes to bachelor's level.
- Outcome
- There is widescale understanding of the role and value of information security, and there is an opportunity to supplement scarce security resources and improve security on a more timely basis.
- Metrics
- # of training and development programmes available.
- % of IT employees who have taken training.
- % of business unit employees who have taken training.
- # of security certifications/qualifications achieved per time period.
- 4Advanced
- Practices
- Proactively deliver comprehensive information security training and development programmes across the organization.
- Tailor the programmes to address the individual requirements of, for example, high-potential employees and those on specific career paths, and support security certification and qualification programmes to master's level.
- Outcome
- Security can be further improved as a result of organization-wide availability of training and development programmes and tailored (not generic) security training.
- Metrics
- # of training and development programmes available.
- % of IT employees who have taken training.
- % of business unit employees who have taken training.
- # of security certifications/qualifications achieved per time period.
- % of employees who are overdue refresher training.
- 5Optimized
- Practices
- Continually review information security training and development programmes for improvement opportunities based on objectives, latest industry security thinking, and results from previous activities, and adjust them as required to address knowledge gaps.
- Support security certification and qualification programmes to doctorate level.
- Outcomes
- There is consistent and up-to-date understanding of security training requirements.
- Training and development programmes are regarded as industry examplars.
- Metrics
- Level of stakeholder satisfaction with training.
- % of IT employees who have taken training.
- % of business unit employees who have taken training.
- # of security certifications/qualifications achieved per time period.