Career Management Process
The purpose of this document is to provide information about the activities and processes that will be performed within the KPMG Global Security Operations Centre (GSOC) to cover the management of careers for GSOC staff.
The GSOC Career Management Process covers activities necessary to ensure successful operation of the GSOC and its members of staff and compliance with the KPMG UK Career Framework and associated policies.
The responsibility of ownership and ongoing management of this document, including the processes contained therein, rests with the Global SOC Manager.
The intended audience for this document is the Global SOC Team. The document may also be viewed by the concerned IPBR personnel and the KPMG Global and Member Firms management that are responsible for and/or have established interest in this area.
All requests for exceptions to the processes contained within this document should be directed to the Global SOC Manager who, depending on the nature and the scope of the request, may liaise with the wider Security Management Team / Security Board to authorize or reject the request. Any such exceptions should be deemed valid only if granted in writing (e.g. communicated via email) and are valid for a period of 1 year only, after which they will automatically expire unless extended or renewed in the interim.
Any violations of the contents of this document should be reported directly to the following email address: << GSOC-Manager@kpmg.com >>
The following roles have overall responsibility for elements of this process. Please note that this is not a comprehensive listing of the responsibilities of each of the following roles, but represents these roles’ specific responsibilities to support the Career Management process.
It is the responsibility of each GSOC member to take charge of their career and drive the career management process. They will determine the career path they are taking and request training that will further their career.
1.7.2 GSOC Director
The GSOC Director is responsible for ensuring that appropriate training budgets are in place. They also have authority to approve requests for training and to delegate authority for approvals for training requests to appropriate persons inside of the GSOC.
The GSOC Director will be involved in the KPMG Performance Management process for all GSOC members.
The Cost Centre assigned to the GSOC will determine the funding available for external training and provide approvals where required.
The Performance Manager of individuals in the GSOC is to be determined upon joining the GSOC. The Performance Manager will support the GSOC member throughout the performance management process as per KPMG’s processes.
- Resource Onboarding Process
- KPMG myPD Process
- Service Management Process
- Shift Management Process
The roles within the GSOC are aligned to the KPMG grading system and role profiles. The role profiles are located here.
In order to ensure that the GSOC operates effectively and efficiently, individuals within each role are expected to demonstrate some core competencies, in addition to specialised skills according to their roles, necessary to allow them to perform their roles.
The following sections describe categories of skills relevant to each GSOC member.
Depending on the role, GSOC members should have an understanding of the technology, infrastructure and operation of the GSOC and apply industry best practice and KPMG standards when using, configuring and working with technology used in the GSOC.
Skills in vendor-specific technologies and training may be required to ensure that staff stay up to date with technology. Relevant training will be documented within the Training Catalogue.
Soft skills are essential for enabling a professional, collaborative and optimized working environment, and furthering one’s career. Relevant training will be documented within the Training Catalogue. Soft skills include, but are not limited to:
- Report writing;
- Project Management;
- Stakeholder Management.
It is expected that the GSOC will identify trends and provide insights into additional business opportunities for the GSOC over time.
Over time, as the GSOC evolves, gaps in the skills of the GSOC staff may appear. These gaps may affect the ability of the GSOC to achieve its objectives. To avoid this, a skills gap analysis will be conducted yearly to identify areas of improvement as well as individuals who need to go through a skills update. The gap analysis will help to:
- Refine and define the skills the GSOC needs, now and in the future
- Inform GSOC staff of the critical skills they’ll need to grow
- Support recruiting efforts when current employees don’t have the skills or the interest
- Identify gaps where no one has the necessary skills
- Identify training needs so that training plans can be created
- Provide a basis for discussion with individuals for career development.
The gap analysis will be performed using the following steps:
- The roles for the GSOC will be reviewed to ensure that they are current and amended where necessary. The review process will take into consideration current requirements of the GSOC as well as future requirements.
- The skills matrix will then be updated to reflect whether each identified competency is needed now or in the future.
- A review of all GSOC members’ skills matrices will be performed to determine if the appropriate skills are present in the GSOC and aligned to GSOC’s tactical/strategic needs.
- The results will be documented and discussed with each individual. The GSOC Operations Manager will then formulate a plan of action to mitigate any gaps identified.
The possible role transfers within the GSOC are depicted in the diagram below. Please note that this is given for reference purposes only. As long as the sufficient skills, experience levels and grades are met, it is possible for a staff member to request a transfer to any role. The demand and capacity of the GSOC will be considered before such requests can be approved.
- L1 Analysts will typically develop the necessary skills to specialise and move to L2, and eventually L3. Between each level, an assessment will be performed to determine if the move is appropriate.
- The Threat Intelligence Analyst can choose to be a full time L2 Analyst or Tooling Engineer, and vice versa.
- The Tooling Engineer can choose to become an L2 Analyst, but he/she will be required to go through a 2-week probation period as an L1 Analyst.
- Depending on the seniority, experience and business needs of GSOC, it is possible for a Threat Intelligence Analyst or Tooling Engineer to be an L3.
- All GSOC staff are eligible for secondments to IPBR (worldwide) or the wider KPMG (worldwide) as per section 3.8 Secondment opportunities.
Performance management within the GSOC will follow the standard KPMG Performance Management process. Performance reviews will be based on feedback collected from peers, GSOC management as well as contacts at member firms.
Considering the global nature of GSOC, there could be secondees from KPMG firms across the world with different performance management processes. GSOC will tailor and provide input to each secondee’s performance management process.
To support the performance management process, please refer to the GSOC grade behaviours document, which will detail guidelines on the behaviours each grade / role is expected to possess within GSOC. This document will complement the KPMG grade behaviours published within myPD.
The GSOC Director is a key stakeholder who needs to be consulted when promotion decisions are being made. GSOC Members seeking promotion shall consult with their Performance Managers. Regardless of the role, it is possible for each GSOC staff member to be promoted without switching roles.
Please refer to the KPMG Performance Management process for the grade levels.
Technology used within the GSOC will change frequently in a race to catch up with the ever-changing threat landscape and sophistication of attacks. The skills of the GSOC team members will need to be updated regularly to keep up with these changes. Upskilling within the GSOC will be performed using the following steps:
All members of the GSOC will be required to identify skills trends and report to the GSOC Operations Manager where they see the industry moving, i.e. with respect to skills. The trend analysis will be based on reliable sources that can back up affirmations or suggestions to adapt to the trends.
The GSOC Operations Manager will collect feedback from the team to identify which areas need improvement. Where gaps are found across the team, group upskilling will be organised. Any sessions arranged to achieve this will be organised in a manner that does not impact the services of the GSOC.
As part of the skills review, training necessary to close the identified gaps will be identified. New training will be added to the training catalogues and any deprecated or ineffective training will be removed.
Effectiveness of training included in the catalogue will be evaluated through a feedback system.
All requests for internal training shall follow KPMG’s standard processes. Please refer to Section 3.8 for the external training process.
All training will be arranged well in advance and planned for as part of the Shift Management Process. The expenses will be charged to the cost centre associated with the GSOC in accordance with the KPMG UK Training Policies and upon approval from the GSOC Director.
Knowledge transfer sessions will be conducted to allow anyone who has attended training to share the knowledge gained from the training with the rest of the team. This will also be planned for as part of the Shift Management Process.
The process flow for the external training process is as follows:
- The GSOC staff member will identify external training courses based on their development needs.
- The GSOC staff member will initiate a discussion with their Performance Manager to discuss how the training will benefit both GSOC and the staff member.
- The Performance Manager will either approve or reject the request based on the output of the discussion.
- Once approved, the GSOC staff member will gather all relevant details of the course and send the request to the GSOC Director for approval. Details shall include, but are not limited to:
  - Course duration
  - Breakdown of costs
  - Name of PM
  - Benefits to GSOC
- The GSOC Director will validate the training request in line with GSOC’s business needs as well as available budget. The GSOC Director will also confirm with the Performance Manager that the request is indeed approved, and will then approve or reject the training request.
- If approved, the staff member will go ahead and book the training as per the approved request.
Refer to the training catalogue for GSOC-specific mandatory training to be completed. Each staff member shall receive notification of KPMG Mandatory training through their local firm mechanisms, e.g. KBS.
As part of KPMG’s strategy on mobility, resources within the GSOC may move to other departments (worldwide). This may be done as part of an individual’s objectives or initiated by the GSOC to enable members to acquire specific skills or share their skills with other members.
All secondments out of the GSOC will be planned and approved by the GSOC Operations Manager in advance to avoid impacting the GSOC resourcing.
Employees from across KPMG (worldwide) might request to second into GSOC as well, and that will be managed through KPMG’s mobility program.