Towards an integrated platform for skills in cyber built on the European Cybersecurity Skills Framework
Difficult to understand the trainings big picture
The needs to protect oneself against threats to information and operations, to maintain the cybersecurity posture of an organization and to increase the resilience against such threats, are still urgently felt by all interested parties. A core component to fulfilling these needs, is the existence of cyber – competent professionals. And competence regarding cybersecurity is not only needed for the dedicated professionals (external or internal to an organization) but also for all staff members of an organization even if they are not directly involved in cybersecurity processes and activities.
When it comes to the cybersecurity professionals, various publications still report a cybersecurity skills gap, flagging that the top 3 competencies missing or not enough covered by the existing professionals varies from one year to another [1]. On the other hand, a considerable amount of Cybersecurity related courses and trainings are offered by various European and international organisations. A simple search on the internet will reveal many courses that relate to the cybersecurity domain, without providing a clear picture on the competencies offered or how they could relate to a specific role. To add to this confusion, there are training courses that seem to address one specific role (e.g. CISO), have similar titles but have different curriculum.
Hence, in several cases, the information provided is confusing the trainee on what and how they should perceive cybersecurity concepts, as well as how to use them to cover their professional needs. Besides, the courses for professionals are promoted on a variety of platforms and they are difficult to be compared with respect to the competencies covered and role profile addressed. This makes difficult for an individual to build a clear career path and identify development opportunities.
The CONCORDIA map of courses for cybersecurity professionals
In an attempt to address these challenges, we have built the CONCORDIA map of courses and trainings for cybersecurity professionals [2]. The map is displaying structured information on existing European offer for short courses/trainings and provides different filters as to help match easier the specific need for skills development with the offer.
One can choose to sort the courses based on the cybersecurity level addressed (Device-, Network-, Software/ System, Data/ Application-, User-Centric), or on the relevance to an industry sector (eg. Telecom, Financial, Transport e-mobility, e-Health or Defence), but also on the format (face-to-face, online, blended), and the timing of the course/training.
Missing a key ingredient – Solution enabled by ECSF
Although we are offering on the CONCORDIA map a large plethora of filters to help the users identify easier the course(s) of interest, the database lacks a key ingredient – the links to role profiles that each of the courses are addressing through the knowledge and skills covered. The e‑CF European Competence Framework for ICT professionals available at the time of building the map defines 30 role profiles and 40 associated competencies but they are difficult to be associated to the specificities of the cybersecurity domain.
This was a challenge of the cybersecurity education ecosystem we flagged already two years ago and captured in the CONCORDIA Roadmap for Education [3] under the heading C5: Heterogeneity of competencies related terminology. This lack of a cross‑domain and cross‑industry agreed terminology related to the cybersecurity skills necessary for a specific role makes it difficult for companies to fill in open positions. They find it hard to match the recruitment criteria with the studies and the qualifications listed in the CVs of the applicants because of the use of non‑standard terminology. Individuals, in turn, cannot easily identify the skills they need to possess or develop to match market demand. And, finally, course providers have difficulties in designing curricula that answer to the market needs.
As part of the CONCORDIA roadmap, we pledged for one single platform hosting all the existing Cybersecurity related programs (university level and Ph.D. programs, short courses and trainings for professionals).
The platform should consider collecting the content by using categories based on a standard terminology (specific skills framework included). The categories would be further used as filters for different enquires of the courses database. The 12 role profiles defined in the current version of the European Cybersecurity Skills Framework[1] (ECSF) seem to be a natural solution.
The benefit for stakeholders
The adoption of a standard lexicon such as the one proposed by the ESCF, including cybersecurity role profiles will help companies identifying the right talent for the jobs as well as education providers to better shape their curriculum to match the cyber workforce needs. By applying the same terminology and using an EU wide skills framework to job descriptions, course description and role profile would help individuals selecting the right education modules to support their career path, and filtering better the jobs openings according to their competence and level of expertise. Finally, the policy makers would be able to collect more structured data at country/regional level in support of future policy development and have a solid basis when coordinating with external countries towards addressing global scale cyber security challenges.
Towards an integrated platform for skills
Building on the CONCORDIA database of courses and trainings for cybersecurity professionals, the REWIRE project [5] attempts to make further steps towards integrating the relevant cybersecurity skills related content. The REWIRE CyberABILITY platform – currently in design phase – will provide up-to-date information regarding the job market, competences, training courses, certification schemes and a career roadmap.
References
[1] E.g. The Current (2022) State of the Cybersecurity Workforce ISACA Research, indicates that respondents are looking for a range of skills in candidates, noting the top skills gaps they see in today’s cybersecurity professionals are soft skills (54 percent), cloud computing (52 percent) and security controls (34 percent). Soft skills also top the list of skills gaps among recent graduates, at 66 percent. The 2021 report of the same research activity indicated that the top three skills gaps they see in candidates are soft skills (56 percent), security controls (36 percent) and software development (33 percent). https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2022/state-of-the-cybersecurity-workforce-new-isaca-research-shows-retention-difficulties-in-years
[2] https://www.concordia-h2020.eu/map-courses-cyber-professionals/
[3] https://www.concordia-h2020.eu/wp-content/uploads/2021/10/roadmaps-05-Education.pdf
[4] https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework
(By Felicia Cutas, EIT Digital)