The subject of Cybersecurity skills and the relevant persisting gap [1] has allowed a variety of cybersecurity courses and certification schemes to arise [2]. In each case, the certification scheme owners have decided upon an implementation method based on their experience, practice and beliefs. But which one is the most suitable for evaluating and validating cybersecurity skills?
In a previous post, Preparing to fight Cyber Threats – The Human aspect, we underlined the importance of the design and implementation of a Certification Framework for Cybersecurity skills. The benefits of an effective certification framework are many and impact all interested parties (among them organizations, employers and individuals).
The CONCORDIA team has created a first version of this Framework taking into consideration the specific needs and peculiarities of Cybersecurity skills as they have been identified in the relevant 3.4 Deliverable [3, 4] of the CONCORDIA project and other publications on the subject [5, 6].
In order to validate the assumptions and proposals of the Cybersecurity Skills Framework, a pilot Certification Scheme has been created and we are excited to be currently implementing the first examinations under this Scheme.
The piloting process consisted of the following steps:
- Selection of the profile for which the certification scheme will be created. For this first CONCORDIA pilot, the role of the Cybersecurity Consultant was selected. (A feasibility study was conducted, and the specific role was selected based on the results [2].)
- Identification of the minimum components needed for the certification scheme based on international standards (i.e. ISO/IEC 17024:2012, Conformity assessment — General requirements for bodies operating certification of persons).
- Setting up a team to implement the certification scheme. The team consisted of people representing the various parts of the certification scheme (including experts in certification, in the technical aspects of the scheme and industry representatives).
- Implementing the procedures regarding the management of the certification scheme (name (C3 by CONCORDIA), details, description, application, ownership, pre-requisites, declaration of honor etc.).
- Definition of the details of the examination. Special attention was given to the fact that cybersecurity is not a purely theoretical subject and that the role of the Cybersecurity Consultant requires related hands-on abilities and skills. Based on the above, it was decided that the exam should have (1) a theoretical part, consisting of questions to evaluate the candidates’ baseline knowledge needed to perform the role effectively, and (2) a practical part, consisting of scenarios administered through a cyber-range platform. In the theoretical part, the candidates have to answer, within a specific amount of time, a set of questions with different levels of difficulty and covering different learning objectives. In the practical part, the candidates have to conduct specific related tasks within a specific amount of time, showing that they have the necessary abilities and skills.
Finally, it should be noted that C3 by CONCORDIA is a certification scheme built upon both the NICE skills framework and the e-CF.
The first results of the C3 by CONCORDIA implementation are expected by September 2021. Should you be interested in applying to the C3 by CONCORDIA certification scheme, please drop us an email at firstname.lastname@example.org.
Stay tuned for more exciting updates!
More information on the Subject of Cybersecurity Skills Certification and the Cybersecurity Consultant Role Profile creation can be found by following the links below:
- The State of Cybersecurity survey conducted by ISACA, 2021. https://www.isaca.org/go/state-of-cybersecurity-2021
- CONCORDIA Cybersecurity Skills feasibility study, 2020. https://www.concordia-h2020.eu/wp-content/uploads/2020/06/CONCORDIA-SkillsFeasibilityStudy-forpublication.pdf
- Assessing the courses for Cybersecurity professionals already developed by CONCORDIA1 partners, CONCORDIA, 2019. https://www.concordia-h2020.eu/wp-content/uploads/2020/04/CONCORDIA-AssessmentOfCoursesT3.4-ForWebsite.pdf
- CONCORDIA Methodology for the creation and deployment of new courses and/or teaching materials for cybersecurity professionals, https://www.concordia-h2020.eu/wp-content/uploads/2020/06/CONCORDIA-methodology-courses-professionals-for-publication.pdf
- ECSO Information and Cyber Security Professional Certification v3, ECSO, https://ecs-org.eu/documents/publications/60101ad752a50.pdf
- ENISA, Cybersecurity Education, European Cybersecurity Skills Framework, https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework
(By Iro Chatzopoulou, TÜV AUSTRIA)