Jusletter IT

Mapping Competencies to Cybersecurity Work Roles

  • Authors: Anna Blechová / Jakub Drmola / Jan Hajný / František Kasl / Pavel Loutocký / Miroslav Mareš / Tomáš Pitner / Jakub Vostoupal
  • Category of articles: Security and Law
  • Region: Czech Republic, USA
  • Field of law: Security and Law
  • Collection: Conference proceedings IRIS 2022
  • DOI: 10.38023/2e2f01cf-ae2c-4536-90ad-460613905754
  • Citation: Anna Blechová / Jakub Drmola / Jan Hajný / František Kasl / Pavel Loutocký / Miroslav Mareš / Tomáš Pitner / Jakub Vostoupal, Mapping Competencies to Cybersecurity Work Roles, in: Jusletter IT 30 June 2022
The increase of dependence on digital services as a result of the COVID-19 pandemic reinforced the general need to effectively address the long-term perceived cybersecurity expertise gap. One of the instruments that allow better coordination and optimisation of efforts towards expedient and meaningful cybersecurity training and innovation is an alignment of perspectives on the competency requirements associated with the sought-after cybersecurity experts. To this goal, our research team is developing a cybersecurity qualifications framework modelled on the US-focused NICE framework. In this contribution, we present our progress in mapping the expected competencies to the defined work roles.

Table of contents

  • 1. Introduction
  • 2. Overview of the relevant Competencies
  • 3. Overview of the identified Work roles
  • 4. Mapping of Competencies to Work Roles
  • 5. Conclusion
  • 6. Acknowledgments and funding

1. Introduction

[1]

The COVID-19 pandemic has uncovered many cybersecurity weaknesses. One example is the cybersecurity needs of Czech hospitals, which had been repeatedly overlooked and ignored throughout the years. During the last two years, however, numerous hospitals were targeted in ransomware campaigns that caused severe damage.1 Efforts to improve the situation are slowed down by challenges that can be resolved relatively quickly if adequate additional funding is provided, such as the overhaul of obsolete software and hardware. However, the more fundamental issue causing the increasing vulnerability of many entities – the shortage of expert cybersecurity workforce (which is not a problem specific to the Czech Republic, as confirmed by Lusher2) – requires a more complex and long-term solution. “An integrated cybersecurity workforce can address the cybersecurity challenges inherent to preparing their organisations to successfully implement aspects of their missions and business processes connected to cyberspace”;3 thus, its absence presents a threat and limitation to any organisation with a digital presence.

[2]

The shortage of cybersecurity personnel is not a new issue but rather an issue with increasing scope and urgency. Its origin is primarily linked with the rapid development of the IT sector in general. As such, it might be more suitable to talk about the shortage of IT personnel in general.4 However, cybersecurity represents a specific expert field that requires competence in more than just IT skills. There is a particular challenge establishing universally accepted qualifications associated with some commonly referenced cybersecurity work roles. Depending on the given context (cybersecurity in small enterprise, cybersecurity in healthcare, national CERT) and perspective (employer, public policy, academia), the particular expertise associated with such a role is often varied. Nevertheless, there is currently no single and universally recognised taxonomy of cybersecurity work roles available in the EU context. The most advanced example of such a qualifications framework that allows for coordination in the understanding of the specific requirements associated with commonly referenced work roles is the US-centred NICE Framework developed originally in 2012, with several updates since then (latest in November 2020). However, the US perspective on cybersecurity conceptually differs from the EU perspective regarding the relevant regulatory structures and legal requirements and is therefore not directly transposable.

[3]

As we described in our previous contribution last year,5 our project aims to fill this gap with a particular focus on the Czech context. It shall also retain full interoperability and adaptability to the EU level or the context of other Member States through the parallel English version of the framework. Such a framework aims to offer a “taxonomy and common lexicon that describes cybersecurity work and workers irrespective of where or for whom the work is performed.”6 These frameworks can serve as a basis for uniformly understood communication of requirements between the demand and supply sides of the labour market, considering compatibility with the systematic structure of the cybersecurity field in general.7 The Czech Cybersecurity Qualifications Framework, developed by our interdisciplinary team in cooperation with stakeholders with varied perspectives on cybersecurity (commercial, public sector, academic), is inspired and influenced in particular by the above-mentioned NICE Framework, but we attempt to go beyond that example and provide a more detailed and more dynamic instrument that adequately reflects the current complexity of the cybersecurity workforce landscape.

[4]

We have divided the preparation and development into four stages. The first stage focused on the initial search for source materials and existing models of qualifications frameworks, labour market analysis and identification of a suitable structure for the framework. This stage was successfully concluded in 2020. The second stage of the project is the most complex one. It constitutes a meticulous modification, creation, description, translation and interlinking of the various qualification elements (e.g., as described further, linking relevant competencies to defined work roles at first-tier granularity and then linking particular requirements to the work roles in order to achieve an even greater level of detail). We are also working on launching a user-friendly visualisation of the qualifications framework through an online platform that would allow full benefit to be drawn from open-access re-use of the database through various follow-up applications and tools. The third stage shall consist of optimisation, promotion and stakeholder feedback (from the private and public sectors alike) on the framework. Finally, the last stage of the project shall consist of finalising the online platform and, through dissemination and awareness raising, maximising the utility that can be derived from this taxonomical tool for mapping the cybersecurity workforce landscape.

[5]

This particular contribution aims to present our progress regarding the mapping of the expected competencies to the defined work roles. For this purpose, the following chapters shall focus on our approach to creating the pool of relevant competencies, our effort towards defining key cybersecurity roles and subsequently our approach to mapping given competencies to particular roles, as well as future steps we are about to take towards the creation of the Czech Cybersecurity Qualifications Framework.

2. Overview of the relevant Competencies

[6]

For the purposes of the qualifications framework presented here, Competencies represent more generalised and abstract areas of expertise associated with a given work role in the cybersecurity field. Based on our initial research of existing qualifications frameworks, we chose the available version of the NICE Framework as a suitable source for the pool of relevant competencies. Given the detail and established nature of this framework, we approached it as a benchmark for competence requirements in the field of cybersecurity. The NICE Framework uses competencies as groupings of the specific requirements placed on cybersecurity roles (knowledge, abilities and skills), a structure we also adopted for our qualifications framework. The competencies identified under the NICE Framework therefore served as our base data structure, which we meticulously revised in order to update, enrich and adjust the particular definitions and the set of competencies to the current situation in cybersecurity from a European, rather than US, perspective. We then translated the resulting revised and enriched dataset to create a parallel Czech-language version, obtaining a set of 59 Competencies with explanatory descriptions, each associated with one of the four superordinate categories defined as Competency groups (here we also followed the NICE Framework and adopted the distribution between Technical, Organisational, Professional and Leadership competencies). For an example of four of these Competencies, see Table 1 below.

Table 1: Examples of Competencies

| Competency Group | Competency | Description |
|---|---|---|
| Organisational competency | Data Management | This Competency describes capabilities related to the development and execution of data management plans, programs, practices, processes, architectures, and tools across all stages of the data lifecycle. Includes processes around the creation, storage, archiving, discovery, access, disposal, as well as enhancement, and reuse of data and information assets. |
| Technical competency | New Technology Fluency | This Competency describes capabilities related to keeping up to date on technological developments, including new applications of technology, emerging technologies, and the effective use of technology to achieve results. |
| Professional competency | Conflict Management | This Competency describes capabilities related to managing and resolving conflicts, grievances, confrontations, or disagreements in a constructive manner to minimise negative personal impact and collaborating with others to encourage cooperation and teaming. |
| Organisational competency | Organisational Awareness | This Competency describes capabilities related to understanding an organisation’s mission and functions; its structure; and how programs, policies and regulations impact the objectives of the organisation. |

[7]

The pool of 59 Competencies we currently operate with for the initial version of the qualifications framework shall be one of the core data elements binding the Work Roles to the associated Requirements. This will allow for an overview of the main areas of expertise associated with a given Work Role and help to link the developed qualifications framework with other parallel efforts towards a taxonomy of cybersecurity expertise requirements, such as the framework developed under the SPARTA project8 or the Skills Framework currently being prepared by ENISA.9 The Competencies serve as a crucial element of the framework because they allow systematic grouping of the subordinate specific requirements on a particular work role. As such, they provide the first-tier specification of the requirements and allow for a further second-tier specification through the particular Requirements still to be developed, reaching a higher level of granularity that allows for functional linking with study programme curricula etc. This two-tier structure is illustrated by the selected links between 15 Requirements and the Competency “Data Management” provided in Table 2. Our current database contains 44 Requirements linked to this Competency and similar groups of Requirements linked to the other 58 Competencies, creating a dense structure of particular requirements that help to define the expectations commonly associated with the expertise of a particular cybersecurity work role.

[8]

To clarify, each Competency in our qualifications framework is associated with the following parameters: title in English, title in Czech, description in English, description in Czech, Competency ID, a link of the Competency ID to one Competency group ID, multiple links of the Competency ID to the relevant Work Role IDs, and multiple links of the Competency ID to the associated Requirement IDs.

Table 2: Selected Requirements linked to Competency “Data Management”

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.
Knowledge of the capabilities and functionality associated with various technologies for organising and managing information (e.g., databases, bookmarking engines).
Knowledge of the characteristics of physical and virtual data storage media.
Knowledge of data classification standards and methodologies based on sensitivity and other risk factors.
Knowledge of collection capabilities, accesses, performance specifications, and constraints utilised to satisfy collection plan.
Knowledge of collection systems, capabilities, and processes.
Knowledge of the available tools and applications associated with collection requirements and collection management.
Knowledge of the parameters and limitations of new and emerging collection capabilities.
Skill in developing data dictionaries or metadata repositories.
Skill in data pre-processing (e.g., imputation, dimensionality reduction, normalisation, transformation, extraction, filtering, smoothing).
Skill in performing format conversions to create a standard representation of the data.
Skill in using data analysis tools (e.g., Excel, STATA, SAS, SPSS, R).
Skill in creating collection requirements in support of data acquisition activities.
Skill in data mining techniques (e.g., searching file systems).
Skill in evaluating data sources for relevance, reliability, and objectivity.

3. Overview of the identified Work roles

[9]

The second core element of the developed qualifications framework is the specification of the work roles associated with particular cybersecurity expertise. In this case, we could not rely on the NICE Framework, as it provided only a limited set of relevant work roles that were described from a US-centric perspective. Therefore, we drew on the multitude of sources obtained through our initial research and proceeded to create a more comprehensive list of work roles that would describe the landscape of cybersecurity expertise from a European perspective. We closely cooperated with experts from the Czech National Cyber and Information Security Agency, who provided us with critical feedback and practical context for the most accurate definition of particular work roles. The outcome at the current stage of the project is a dataset of 90 Work Roles, organised in a hierarchy of seven main Work Role Categories (Roles in development and planning; Operational and administration roles; Supervisory, leadership, educational and support roles; Roles in protection against cyber security threats within the CERT team; Analytical roles; Roles in collection operations; Investigation roles), which were further divided into 37 Specialty Areas that allow for systematic grouping of the Work Roles and efficient future development and enrichment of the dataset. To provide a specific example, Table 3 shows three selected Specialty Areas out of the eight that we categorised under the Work Role Category “Roles in development and planning”, which is defined as the area of cybersecurity where experts conceptualise, design, procure, and/or build secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Table 3: Selected Specialty Areas linked to Work Role Category “Roles in development and planning”

| Specialty Area | Description |
|---|---|
| Risk management | Workers oversee, evaluate and support the documentation, validation, authorisation and assessment processes required to ensure that existing or new IT systems meet the organisation’s security requirements. In addition, they ensure adequate risk reflection, compliance with regulatory requirements, and internal and external safeguards. |
| Software and hardware development | Workers develop and program new (or modify existing) computer applications, software, hardware or specialised programmable tools in accordance with the best practice safeguards for software and hardware development. |
| Testing and Evaluation | Workers prepare and conduct tests and evaluations of systems for compliance with relevant specifications and requirements. They apply cost-effective planning principles and methods. They evaluate, verify and validate technical, functional and performance characteristics, including interoperability between systems and their elements. |

[10]

Under each of these Specialty Areas one or more Work Roles are defined through English and Czech title and description, as well as through links of the Work Role ID with multiple IDs of relevant Competencies. We again provide a particular example in Table 4, where we list the five currently defined Work Roles associated with the Specialty Area “Risk Management”.

Table 4: Identified Work Roles under the Specialty Area “Risk Management”

| Work Role | Description |
|---|---|
| Designating Representative/Authorising Official | A senior official or executive with authority to formally assume responsibility for operating an information system at an acceptable level of risk to the relevant entity’s operations (including mission, functions or public presentation), organisational assets, personnel, collaborating entities, or public authority. |
| Business Continuity Manager | Works with designated staff to develop and implement plans to anticipate, address, and mitigate impacts in the event of disruptive incidents to the entity’s business and operations, including the prevention and recovery process. |
| Security Control Assessor | Conducts independent, comprehensive assessments of management, operational and technical security controls and other supporting measures embedded in or used within the system to determine the overall effectiveness of these measures. |
| Security Cloud Computing Analyst | Performs analysis of relevant factors related to the processing and storage of data using cloud computing services. Addresses specific legal regimes and related risks and constraints, translating the findings into outputs and recommendations. |
| Cybersecurity Auditor | Conducts and documents security policy compliance audits, including technical compliance reviews, and incorporates audit results into the security awareness and risk management plan. Assesses compliance of security measures with best practices, laws, regulations, internal policies, other rules and contractual obligations related to the IT system and identifies potential corrective actions to ensure compliance. |

4. Mapping of Competencies to Work Roles

[11]

The latest stage of our progress towards the Czech Cybersecurity Qualifications Framework constitutes a successful mapping of the above-described dataset of relevant Competencies of cybersecurity experts to all of our 90 identified Work Roles. This completed our first-tier qualifications framework, which allows each of the identified Work Roles to be defined not just by a textual description, as exemplified above, but also through a set of Competencies commonly expected from an expert in this position, which are in turn specified by textual descriptions of their own. At this stage, we obtained a complex matrix that allows a taxonomical description of the requirements on cybersecurity experts at a level of detail comparable to or exceeding that pursued by the other Europe-focused qualifications frameworks we are aware of. We provide an example of the current level of detail we achieved in defining the role of “Cybersecurity Auditor” in Table 5.

Table 5: Description of Work Role “Cybersecurity Auditor”

Title: Cybersecurity Auditor
Work Role Category: Roles in development and planning
Specialty Area: Risk Management
Description: Conducts and documents security policy compliance audits, including technical compliance reviews, and incorporates audit results into the security awareness and risk management plan. Assesses compliance of security measures with best practices, laws, regulations, internal policies, other rules and contractual obligations related to the IT system and identifies potential corrective actions to ensure compliance.
Relevant Competencies: Data Management; Computer Network Protection; Enterprise Architecture; Identity Management; Incident Management; Data Security; Information Management; Information Systems and Network Security; Information Technology Assessment; Systems Testing and Evaluation; Vulnerabilities Assessment; Business Continuity; Organisational Awareness; Data Privacy; Law, Policy, and Ethics; Process Control; Risk Management; Conflict Management; Critical Thinking; Communication; Policy Development

[12]

In the same way as the Work Role described above, we have mapped all 90 of the Work Roles in the framework. As such, our first-tier qualifications framework contains over a thousand links between Work Roles and Competencies. These links give a good idea of the general expectations for a particular work role, yet the descriptions are too vague to be usable, for example, for linking the curriculum of a particular course with the requirements for a given Work Role. For example, “Data Management” is certainly one of the areas in which you expect a “Cybersecurity Auditor” to be knowledgeable; however, the expertise required from this role in this area of competency is certainly rather different from that required of, for example, a “Data Specialist” or a “Database Manager”.

[13]

We are fully aware of the limited potential of a qualifications framework based on a description and definition of expertise at this level of abstraction. For this reason, in the next stage of our project, we shall build on these links between Work Roles and Competencies and add to the definition of each Work Role several dozen links to specific Requirements associated with this Work Role, which fall under the relevant Competencies, to better define the particular expertise requirements commonly associated with this work role in cybersecurity. The current thousand links between data points will therefore expand to multiple thousands. Thus, the currently established links between Work Roles and Competencies represent necessary intermediate steps, as they allow us to determine the basic pool of Requirements that need to be verified in connection with the given Work Role. Of course, only a part of the Requirements associated with a given Competency is likely to be relevant to the given Work Role. In this sense, if the Work Role “Cybersecurity Auditor” is associated with the above-mentioned Competency “Data Management”, which is linked to 44 particular Requirements, not all of these Requirements are relevant for this particular Work Role, and the second-tier granularity of the qualification definition shall be provided particularly through determining how many and which of these “Data Management” Requirements are relevant for “Cybersecurity Auditor” expertise and which are not.
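The two-tier linking described in paragraphs [8] and [13], as an added example that is not the project's own code or dataset: it derives a Work Role's candidate pool of Requirements from its linked Competencies and flags second-tier links that fall outside that pool. All IDs, the Auditor's selection of Requirements and the single New Technology Fluency requirement are constructed assumptions; the Czech-language fields are omitted.

```python
from dataclasses import dataclass, field

# Constructed sample data. All IDs are placeholders: the paper does not publish
# its ID scheme, and the Czech titles/descriptions are left out for brevity.
GROUPS = {"G-ORG": "Organisational", "G-TEC": "Technical", "G-PRO": "Professional"}


@dataclass
class Framework:
    roles: dict          # Work Role ID -> English title
    competencies: dict   # Competency ID -> (English title, Competency group ID)
    requirements: dict   # Requirement ID -> text
    role_comp: set       # first tier: (Work Role ID, Competency ID) links
    comp_req: set        # (Competency ID, Requirement ID) links
    role_req: set = field(default_factory=set)  # second tier: (Work Role ID, Requirement ID)


def candidate_pool(fw, role_id):
    """Requirements to review for a role: everything under its linked Competencies."""
    comps = {c for r, c in fw.role_comp if r == role_id}
    return {q for c, q in fw.comp_req if c in comps}


def validate(fw):
    """Return a sorted list of link-integrity problems (empty list = consistent)."""
    problems = []
    for comp_id, (_title, group_id) in fw.competencies.items():
        if group_id not in GROUPS:
            problems.append(f"{comp_id}: unknown Competency group {group_id}")
    for role_id, comp_id in fw.role_comp:
        if role_id not in fw.roles or comp_id not in fw.competencies:
            problems.append(f"dangling first-tier link {role_id} -> {comp_id}")
    for comp_id, req_id in fw.comp_req:
        if comp_id not in fw.competencies or req_id not in fw.requirements:
            problems.append(f"dangling requirement link {comp_id} -> {req_id}")
    for role_id, req_id in fw.role_req:
        # A second-tier link must refine a first-tier one, never bypass it.
        if req_id not in candidate_pool(fw, role_id):
            problems.append(f"{role_id} -> {req_id}: outside the role's Competencies")
    return sorted(problems)


def link_counts(fw):
    """Number of links per tier, the figure the paper tracks as the dataset grows."""
    return {"first_tier": len(fw.role_comp), "second_tier": len(fw.role_req)}


FW = Framework(
    roles={"WR-AUD": "Cybersecurity Auditor"},
    competencies={
        "C-DM": ("Data Management", "G-ORG"),
        "C-CM": ("Conflict Management", "G-PRO"),
        "C-NTF": ("New Technology Fluency", "G-TEC"),
    },
    requirements={
        "R-1": "Knowledge of data classification standards and methodologies "
               "based on sensitivity and other risk factors.",
        "R-2": "Skill in developing data dictionaries or metadata repositories.",
        "R-3": "Skill in evaluating data sources for relevance, reliability, and objectivity.",
        "R-9": "(constructed) requirement filed under New Technology Fluency",
    },
    role_comp={("WR-AUD", "C-DM"), ("WR-AUD", "C-CM")},
    comp_req={("C-DM", "R-1"), ("C-DM", "R-2"), ("C-DM", "R-3"), ("C-NTF", "R-9")},
    # Constructed selection; the paper does not say which Requirements apply to the Auditor.
    role_req={("WR-AUD", "R-1"), ("WR-AUD", "R-3"), ("WR-AUD", "R-9")},
)

if __name__ == "__main__":
    print("pool:", sorted(candidate_pool(FW, "WR-AUD")))
    for problem in validate(FW):
        print("problem:", problem)
    print(link_counts(FW))
```

The flagged link is the kind of inconsistency that appears once thousands of second-tier links are maintained by hand: a Requirement attached to a role whose Competency list does not cover it.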

[14]

Additional granularity of the framework shall be provided by linking each Work Role with up to several dozen specific Tasks, which are commonly associated with the given expert role in cybersecurity. This shall further expand the number of links between elements by additional thousands. In order to be able to efficiently present, manage and keep the framework up to date, IT experts from our team are developing in parallel a user-friendly visual representation of the Czech Cybersecurity Qualifications Framework. This shall serve as an access point to the open data format of the current version of the framework and should ensure maximal utilisation of the developed taxonomy in further applications and tools. We provide regular updates about our project, publications on its progress and contacts for the research team on our website: www.cyqual.cz. This website shall in the future also include a link to the publicly accessible platform presenting and giving access to the framework. The platform should be up and running by the late stage of the project, i.e., by the end of the year 2022. By then, we will have processed the data representing the taxonomical qualifications framework and will have optimised the definition of the identified work roles through a network of Czech stakeholders representing public, private and academic perspectives on the requirements associated with the given expertise in cybersecurity. We also welcome potential cooperation with non-Czech stakeholders, as our dataset is developed bilingually in Czech and English. Those interested in early access to the dataset, in an exchange of ideas or in direct participation in fine-tuning the framework's links between elements by contributing an additional perspective are more than welcome to contact the research team through any of the authors of this contribution.

5. Conclusion

[15]

In our contribution, we build on our previously presented report on the development of the Czech Cybersecurity Qualifications Framework by offering a particular insight into the results of the most recent stage of our progress, which constituted the mapping of relevant competencies to identified cybersecurity roles. Drawing inspiration and model data from the NICE Framework and other available qualifications frameworks we identified in our initial research phase, we built a dataset of 59 Competencies that are commonly associated with cybersecurity expertise. Following from our intense cooperation with the Czech National Cyber and Information Security Agency as well as consultations with other stakeholders, we identified 90 Work Roles that we arranged in a hierarchy of seven main Work Role Categories and 37 Specialty Areas. Subsequently, we linked the relevant Competencies with each of these 90 Work Roles in order to establish a systematic description of the qualification commonly expected for the given work role. As we indicated, at this stage the framework is generally on par, in the detail provided, with other currently available or developing skills frameworks with a European focus. Our goal is to proceed further and provide an even greater level of detail, along the lines of the NICE Framework, and develop a second-tier granularity of expertise through particular requirements within these competencies associated with given work roles. We developed the dataset bilingually in Czech and English and we are currently working on a platform providing a user-friendly visual representation as well as an open data source for further applications and tools to be developed on top of this qualifications framework.

6. Acknowledgments and funding

[16]

This article was created on the basis of the project support of the Ministry of the Interior, Czech Republic within the project “Národní kvalifikační rámec v kyberbezpečnosti” [National Qualifications Framework in Cybersecurity] with the identification code VI20192022161.

  1. For example, the University Hospital Brno was targeted in March 2020 and the attack severely crippled the day-to-day functions of the hospital for a few weeks. For more details, see the Report on the State of Cybersecurity in the Czech Republic for the year 2020, available here: https://www.nukib.cz/download/publikace/zpravy_o_stavu/Zprava_o_stavu_KB_2020.pdf (accessed on 28 October 2021), 2021.
  2. Cf. Lusher, Present and Future Solutions for the Lack of Cybersecurity Professionals. Dissertation. https://search.proquest.com/openview/5efe4cf12de7323b4c5d840db2b9a498/1 (accessed on 22 October 2021), 2018.
  3. Newhouse/Keith/Scribner/Witte, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NIST Special Publication 800-181. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf (accessed on 14 November 2020), 2017. P. IV.
  4. Cf. Forbes Technology Council, 16 Tech Roles That Are Experiencing A Shortage Of Talent. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/06/10/16-tech-roles-that-are-experiencing-a-shortage-of-talent/?sh=52a8bc203973 (accessed 5 November 2021), 10. 6. 2021.
  5. Cf. Hajný/Kasl/Loutocký/Mareš/Pitner. Progress towards Czech National Cybersecurity Qualifications Framework. Jusletter IT. Die Zeitschrift für IT und Recht. Bern: Weblaw, 2021. ISSN 1664-848X. doi:10.38023/f79f430a-ca8b-409f-9a1f-66135b8ff2d8.
  6. Cf. NIST, NICE Framework Resource Center. https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center (accessed on 28 October 2021), 2020.
  7. For a more detailed analysis, please refer to our paper Drmola/Kasl/Loutocký/Mareš/Pitner/Vostoupal. The Matter of Cybersecurity Expert Workforce Scarcity in the Czech Republic and Its Alleviation through the Proposed Qualifications Framework. ACM International Conference Proceeding Series: ARES 2021: The 16th International Conference on Availability, Reliability and Security. New York: Association for Computing Machinery, 2021. ISBN 978-1-4503-9051-4. doi:10.1145/3465481.3469186.
  8. Cf. SPARTA. Cybersecurity skills Framework. https://www.sparta.eu/assets/deliverables/SPARTA-D9.1-Cybersecurity-skills-framework-PU-M12.pdf (accessed on 28 October 2021), 2020.
  9. Cf. ENISA. European Cybersecurity Skills Framework. https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework (accessed on 28 October 2021), 2020.