Queensland Government cyber skills framework

Document type: Framework
Version: v1.0.0
Status: Current, Non-mandated
Effective: June 2025–current
Security classification: OFFICIAL-Public
Category: Cyber security

Purpose

The Queensland Government cyber skills framework (this framework) is an essential element of the Queensland Government cyber workforce strategic plan 2025 – 2028 (draft – link not yet available). This framework will serve as a tool to assess, maintain and understand the skills, knowledge and attributes of the cyber workforce in the Queensland Government by:

  • providing a standardised approach to compare cyber role profiles, expertise levels and skills as agencies develop and expand their cyber teams
  • underpinning the identification of potential training and development to progress in a cyber role
  • supporting career pathways and internal mobility by providing visibility of the skills we have and skills we need
  • aligning with Australian Government and the broader Queensland Government digital capability program.

The framework provides visibility of the range of cyber roles within a Queensland Government context, and the key professional skills needed to fulfill those roles. The detailed role profiles identified simplify career planning and progression and overarching workforce management.

Cyber career pathways for key role profiles in this framework have been developed to provide a practical guide to build individual skills and talent in areas of demand. The pathways include the proficiency level, behaviours (e.g. ‘soft skills’), professional skills (technical and non-technical) and competencies, and provide experiential learning and professional development suggestions.

The skills matrices at Appendices B and C provide a valuable tool to assist individuals and public sector entities to understand capability gaps, and opportunities to address these through targeted capability uplift.

This framework is targeted at Queensland Government public sector staff, cyber teams and departments that want to develop their cyber skills or workforce.

The capability model

To facilitate a common language to build our cyber workforce, we refer to the Australian Public Service (APS) professions capability model. The APS uses this model to help explain the different skills, knowledge and personal attributes that combine to make up someone’s overall capability. For more information including definitions of the key elements please refer to the APS professions capability model on the APS professions website.

In this framework, depending on the outcome sought, we focus on different parts of this model. For example, for high level role profiles the focus is on ‘professional skills’ whereas for detailed career pathways the focus is on ‘behaviours’, ‘professional skills’, ‘experience’, ‘knowledge’ and ‘qualifications and certifications.’

Queensland Government cyber skills framework

The framework consists of three key elements:

  • Skills: adopts the Skills Framework for the Information Age (SFIA) and in reference to the APS professions capability model focuses on professional skills and behaviours in particular
  • Cyber role profiles: identifies 15 common cyber roles including key skills and related job titles
  • Career pathways: support attraction into cyber roles and career development through the definition of clear pathways that provide guidance on how to enter, transition into and develop in key Queensland Government role profiles.

Role profiles versus jobs

It is useful to distinguish between the terms ‘role profile’ and ‘job’. In the context of the Australian cyber industry, the Executive Cyber Security Council defines roles (or role profiles) as:

A collection of responsibilities, duties, actions, and tasks. When combined and named, you have a job role. Unlike job titles, job roles tend not to be public facing. Additionally, roles often don’t always need to be the same person or must be one person per role. Consider an incident manager role. If a cyber security incident occurs, the role will need to be handed off and assumed by another person because they can’t keep managing an incident 24/7.

A job on the other hand is a specific employment position within an organisation, defined by one or more roles combined with organisational context, including tools, processes, standards and procedures. It has a one-to-one relationship with a person and may encompass multiple roles.

This framework adopts the same definitions and focusses on role profiles as this, combined with a consistent skills taxonomy, provides a better understanding of demands for cyber workforce at a whole of government level. It therefore provides a more consistent approach than jobs which can vary greatly among agencies.

Applying the cyber skills framework

To support the growth of cyber professionals in the Queensland Government, this framework identifies cyber security career pathways for key role profiles and a practical guide to develop the critical skills needed for these. Cyber career pathways help individuals, teams and agencies:

Note: career pathways have been defined for a set of key role profiles that are common cyber role profiles or areas of focus (e.g. incident management and response) in Queensland Government.

Skills: Skills Framework for the Information Age

A key element of the Queensland Government cyber skills framework is the adoption of a standard approach to describing the skills and competencies of cyber professionals.

This framework adopts the Skills Framework for the Information Age, a globally recognised model and methodology used for describing skills and competencies of digital professionals with a common language. SFIA has been selected as the skills taxonomy for this framework because it:

  • can be adopted in a way suitable for a range of organisation sizes, which this framework needs to cater for (e.g. small statutory authorities through to large departments)
  • aligns with the Queensland Government digital capability program and the Australian Government who have also adopted SFIA as part of the Australian Public Service Digital Professional Stream Strategy
  • is readily available to Queensland Government for use under a national licence
  • is maintained and reviewed regularly by a global community
  • is growing and expanding the list of cyber skills and guidance within it including an Information and cyber security view for easy navigation of cyber professional skills.

To learn more about SFIA please see:

Cyber role profiles

This framework identifies a range of potential cyber role profiles that may exist within an agency, including key SFIA skills and common job titles. Role profiles can assist individuals with career development and agencies with workforce planning. In addition, they form the basis for framing possible career pathways in key Queensland Government role profiles.

These 15 role profiles were initially derived from those listed in the Executive Cyber Council Australian cyber workforce program report 2024. Some minor amendments have been made to suit the Queensland Government context during consultation on the development of this framework.

An agency may not have all the role profiles below in place for several reasons including organisational remit (e.g. risk profile and choice of controls), budget and staffing, size (e.g. more fluid approaches are required in smaller agencies) and sourcing strategies (e.g. some role profiles / functions may be provided externally). A role or even a career pathway may form part of alternative role profiles and job titles which incorporate additional responsibilities.

These role profiles however provide a way to think about the cyber capabilities and role profiles for both individuals and organisations for career progression and workforce management.

The SFIA professional skills and role profile matrix (XLSX, 30.1 KB) provides a useful matrix to understand the key skills required for each role profile and commonalities across them. This can be used to identify opportunities to mobilise talent towards a role profile or address capability gaps via uplift programs.

Career pathways

This section outlines potential career pathways in Queensland Government to assist with individual career and agency workforce planning for key role profiles.

These role profiles were identified as candidates for the career pathways due to the demand in the sector for jobs in these role profiles. They are also the focus of the Queensland Audit Office report on incident management capability and skills and the Queensland Government’s existing cyber skills guidance.

This template can also be used as a guide for developing career pathways for other role profiles.

Each career pathway is broken into three categories of Foundation, Practitioner and Higher to demonstrate career progression. The SFIA levels of responsibility (DOCX, 3.2 MB) provides a detailed mapping between SFIA levels and the Queensland Public Service streams.

The Career pathways and skills matrix (XLSX, 59.4 KB) provides a useful matrix to understand the key skills required for each pathway and where common skills are required across multiple roles, identifying potential opportunities for mobility or, in the case of gaps, capability uplift.

Career pathway elements provide a guide on how the career pathways are structured and can be interpreted for career development.

Further information

Mapping SFIA to NICE

The US Government’s NICE Cybersecurity Workforce Framework provides a common definition of cybersecurity, a comprehensive list of cybersecurity tasks, and the knowledge, skills and abilities required to perform those tasks.

NICE provides a more detailed approach to skills than SFIA’s definitions and may be a preferred skills framework for some agencies.

For agencies using NICE, SFIA provides a mapping to this framework. The current mapping is for the previous version of SFIA (SFIA 8) but it is expected that this will be updated by SFIA in the future to reflect SFIA 9.

See Mapping SFIA 8 skills to NICE work roles

APS career pathfinder tool

The APS Career Pathfinder is a tool designed by the Australian Public Service to help people explore digital and other career options in government. It includes a range of cyber roles and, like this framework, uses SFIA in addition to other skills frameworks.

For individuals the career pathfinder tool can be used to help you:

  • learn about different roles including profiles of people doing jobs with that role now
  • find roles that match your skills
  • identify what skills you need for a role and how to get them.

For employers the career pathfinder tool can be used to:

  • see what different roles require including skills and desirable to develop position descriptions and job advertisements
  • help develop the skills of your staff and identify what training and development they may need when developing performance plans
  • understand your organisation’s skill profile.

Acknowledgments

This framework was developed in consultation with a range of cyber professionals including representatives of the Australian Public Service Commission, Executive Cyber Council Workforce Working Group and Queensland Government public service.

The Queensland Government Cyber Security Unit thanks everyone involved for their generosity in sharing their expertise, knowledge and career stories for the benefit of aspiring cyber professionals and our cyber workforce.

This publication contains information from the Skills Framework for the Information Age used with permission from the SFIA Foundation. Powered by SFIA-AU

The career pathways in this framework have been informed by elements of the ‘Incident response learning and development pathway’ within the Australian Signals Directorate Cyber Skills Framework.