Cyber security is a leading national security challenge facing this country today. An emerging topic of importance is how organizations track, assess, grow, and shape their workforce. Many organizations have turned to workforce planning as a way to understand their current cyber security human capital skills and abilities as well as potential infrastructure needs.

The Capability Maturity Model

As the cyber security workforce continues to evolve and organizations track and manage against the changing cyber security environment, understanding where current workforce planning capabilities lie and how to develop them further has become increasingly important.

A capability maturity model (CMM) provides a structure for organizations to baseline current capabilities in cyber security workforce planning, establishing a foundation for consistent evaluation. It allows organizations to compare their capabilities to one another, and enables leaders to make better, well-informed decisions about how to support progression and what investments to make in regard to cyber security human capital initiatives.

This White Paper defines CMM by segmenting key activities into three main areas:

1.) Process and analytics,

2.) Integrated governance, and

3.) Skilled practitioners and enabling technology.

  • Process represents those activities associated with the actual steps an organization takes to perform workforce planning and how those steps are integrated with other important business processes throughout the organization. Analytics represents those activities associated with supply and demand data and the use of tools, models, and methods to perform workforce planning analysis.
  • Integrated governance represents those activities associated with establishing governance structures, developing and providing guidance, and driving decision-making. It is the building block to an organization’s overall workforce planning strategy and vision as well as assignments of responsibility, promotion of integration, and issuing of planning guidance.
  • Skilled Practitioners represents the activities associated with establishing a professional cadre of workforce planners within an organization. Enabling Technology represents the activities associated with the accessibility and use of data systems.


Regardless of its maturity level, an organization can realize several benefits by practicing good cyber security workforce planning. These benefits include, but are not limited to:

  • Increased consistency in execution of organization-wide cyber security workforce planning activities
  • Enhanced data-driven decision making and analysis around shaping, building, growing, and supporting a cyber security workforce
  • Enhanced confidence and credibility from the field in headquarters decisions and guidance on cyber security workforce planning
  • Decreased response times to analysis requests and external reporting requirements, enabling timely and proactive decisions to modify or change cyber security workforce policy as needed
  • Increased organizational alignment and pragmatic solution development between workforce, human capital, budget, and strategic planning organization sections or departments