By Josu Mendívil, IT Director and CISO at the University of Deusto
The degree of knowledge and awareness of cybersecurity by employees should be considered a critical factor for the security of companies and organizations. Such criticality concerns both ICT technical and professional profiles and users who interact with the systems.
To deal with this situation, training and awareness activities are a vital element in the cybersecurity strategy of any organization, with competency-based management models being one of the most effective tools to carry them out.
Currently, there are many training initiatives focused on improving the culture of cybersecurity. At an international level, a few references should be mentioned, such as the Cybersecurity Curricula Guideline, oriented towards the design of university degrees in cybersecurity, and the NICE project, National Initiative for Cybersecurity Education, which defines the skills and knowledge that ICT workers must achieve in the field of cybersecurity. The European Digital Competence Framework, DIGCOMP, also identifies some competencies in the field of cybersecurity aimed at citizens.
However, even if an extensive and growing academic offer is available for professional profiles, companies and organizations face considerable difficulties in implementing and managing an effective training and awareness system aimed at their non-ICT staff, that is, those who manage ICT only at the user level.
Approaches to cybersecurity training and awareness
To face this situation, organizations establish general cybersecurity training plans, with limited content and without proven criteria to ensure their suitability. This approach, beyond an introduction to the subject, cannot constitute the core of effective training and awareness. The different job profiles that exist in organizations require training, attention, and resources appropriate to their performance and degree of responsibility.
Another approach is based on the design and implementation of internal developments, carried out from scratch and customized to the needs of the organization. There is no doubt that this model is very useful as it adapts to the needs and objectives of the organization that implements it, but it also presents difficulties and limitations. The complexity of its design and implementation, together with the high economic costs and the dedication of personnel, is a major obstacle to undertaking these projects. Only a few corporations have the resources and the will to tackle them. And when they are carried out, their results cannot be extrapolated or used in other environments as they are developed to provide a specific response to the defined scope and environment.
A new methodological proposal
To overcome these problems and limitations, some authors propose exploring methodological innovations that simplify the generation of competency frameworks in cybersecurity, in such a way that the resources allocated to the generation of competency maps can be assumed by a greater number of organizations and that the return on investment and the benefits obtained are better understood and valued by company managers.
In line with this proposal, the Computer Service of the University of Deusto is investigating the use of industry security standards, such as the ISO 27000 standard, or in the Spanish case, the National Security Scheme, to establish a plan of training and awareness based on cybersecurity skills for non-ICT staff in the Spanish university sector.
To identify the competencies of an organization, company or sector, occupational analyses are usually carried out by work groups made up of management personnel, male and female workers and specialists on competencies. These occupational analyses are developed using methodologies based on each job description and analysis, such as the DACUM method, the SCID model and its AMOD variant, or the Functional Analysis.
Functional Analysis, FA, is a method used to identify labour competencies by disaggregating the functions of a sector, company, or department into more specific sub-functions, which in turn are divided into increasingly specific activities, until the elemental actions that can be assigned to a worker are identified.
According to this principle, FA is applied from the general to the particular, starting with the identification of the main purpose that identifies the purpose of the productive activity. Based on this purpose, a breakdown by functions is carried out, according to the following levels:
- Key Features
- Principal functions
- Basic functions or units of competencies
- Competency elements
The process ends when the minimum productive functions that a worker can develop are reached, the result being the Functional Map, represented in figure 1. Reading it from left to right, it shows to what is necessary to do, while reading from right to left, it explains the reason why it is done.
In this methodology, the process is traditionally carried out by a work group made up of experts and workers from the productive function studied, who identify the main purpose and carry out the recurrent disaggregation process. There is no doubt about the validity of this approach. However, in this document a new model is proposed, in which the task and activity analysis of the working group are replaced by the dimensions of the selected security standard. In this way, the working group already has the disaggregation levels of the FA which correspond to the organization of security standards. The experts and workers in this new approach, therefore, change their role. They should not carry out a long and complicated field work that allows them to identify competencies. In this proposal, the tasks they perform, presented in figure 2, are the following:
- Identify the security measures of Annex II of the ENS or of the ISO 27002:2022 controls that apply to the productive function analyzed.
- Transform the texts to the grammatical structure proposed by the Functional Analysis
- Point out the elements of competency that can provide a solution to the units of competency identified.
- Identify the job profiles of non-ICT
- Determine performance
- Establish for each job profile the level of performance that must be achieved in each element of competency that applies to it.
The result provides a map of technical skills and levels of awareness and training for each non- ICT user profile, all organized in a common measurable, replicable, and consistent framework.
The proposed methodology allows for the effective and affordable development of cybersecurity skills maps for non-ICT personnel in sectors, companies and organizations, thereby providing a valuable reference regarding what competencies in the field of cybersecurity non- ICT personnel should know and be able to carry out. It also provides a useful instrument to know and evaluate said competences. In this way, both the drawbacks presented by general training models and the barriers presented by the high cost of resources and time associated with the creation of specific maps from scratch are overcome.
The final result makes it possible to incorporate cybersecurity skills into the general map of job skills of organizations, thus granting them the visibility and consideration they so urgently need.
About the author
Josu Mendívil holds a Degree in Business Administration at University of Deusto and will defend his dissertation to obtain a PhD degree in Engineering at the University of Deusto in December 2022. He has a Specialized Degree in Management of University IT Services by the University of Castilla and an Official University Master’s Degree in Free Software from the Open University of Catalonia. He has developed and carried out numerous security training courses in security and researched about the development of cybersecurity skills. He is CISO and Member of the Security Committee of the University of Deusto, CISA, as well as an ISO 27001 Lead Auditor.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022