1 The importance of qualifications frameworks in (not only) cybersecurity
Project of the Ministry of the Interior "National Qualification Framework in Cybersecurity" (Národní kvalifikační rámec v kyberbezpečnosti), VI20192022161
https://www.muni.cz/vyzkum/projekty/48648
Pavel Loutocký
https://www.cyqual.cz/

2 Introduction of the project
- Multidisciplinary research team (technical aspects of cyber security, general IT knowledge, security studies, legal component)
- Financed under the auspices of the Ministry of the Interior of the Czech Republic
- Started in June 2020, ends in December 2022
- Inspired by the NICE framework; will reflect specific approaches and activities within the Czech Republic / EU

3 The importance of qualification frameworks
- A comprehensive framework of qualifications in the field of cyber security
- A taxonomy introducing uniform concepts for job roles
- Functional frame of reference = clear and consistently understood communication of requirements between the demand side (government and employers) and the supply side (education in general and job seekers)
- Human resources in the field of cyber security are noticeably inadequate
- Not only IT but also professionals with legal, security and management backgrounds and relevant multidisciplinary knowledge
- An attractive and sought-after area for education, training and qualification
- Key role in ensuring the functionality, privacy and security of ICT infrastructures = general public interest

4 The importance of qualification frameworks
- Suitably adapted processes and procedures for:
  • staff selection
  • optimising work tasks
  • further development of talent
  • performance evaluation
- Integrated cyber security workforce (specialists + support + management)
- Systematic training to build the desired expertise
- Exchange between public, private and academic spheres => linking cybersecurity research with various other disciplines
- Opportunities for individuals (online courses, training materials), but these only substitute the role of systematic training programmes with the necessary accreditation
- Need for specialised study programmes in the field of cyber security = need for a sufficient level of common understanding of the content of the different disciplines

5 Relevant experience with qualification frameworks from abroad
- 1) National Institute of Standards and Technology (NIST) - National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework)
  • highly relevant: high level of granularity, sophisticated groups (competencies) of elements (competences, knowledge, skills and tasks) => requirements linked to specific job roles (hierarchical structure of categories and areas of specialisation)
  • the most comprehensive material for a cybersecurity qualification framework + transparent taxonomy
  • X disadvantages:
    1) released in 2017 = some elements already outdated + emerging trends not included; X revised version available from early 2021 => significant contribution (most up-to-date)
    2) partial mismatch between the US and EU perspective (legal, organisational and cyber defence) => adaptation of elements to the Czech (EU) environment
    3) missing better user-friendly access (online platform)

6 Relevant experience with qualification frameworks from abroad
- 2) European Union Agency for Cybersecurity (ENISA)
  • focused on educational standards
  • predominantly identifying available cybersecurity courses and curricula, mapping available materials, databases and educational information, and identifying gaps in available education
  • X European Cybersecurity Skills Framework (https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework), but it is not a detailed overview of abilities/skills
  • + Sector Skills Alliances 2020, SPARTA, CONCORDIA and CyberSec4Europe
- 3) American Joint Task Force on Cybersecurity Education - Cybersecurity Curricular Guideline
  • structured taxonomy to help create training materials and programmes + identify employee skill gaps
  • frequent linkages between the NICE Framework and ENISA activities
  • based on eight knowledge areas divided into more detailed units + description of what is needed for a specific position, with cross-disciplinary overlaps highlighted

7 Establishing a Czech National Qualifications Framework for Cybersecurity
- A universal, holistic and detailed framework of qualifications for cybersecurity valid for the Czech Republic, but perhaps also inspiring for foreign countries
- Up-to-date classification of individual job roles, comprehensive description of required knowledge, skills and competences/tasks
- Should serve as a basis for developing professional capacity in this area
- Making the framework available through a dynamic online platform
- Application on both the supply (education, candidates) and demand (employers) side of the labour market
- CZ/ENG/possibly other languages

8 Establishing a Czech National Qualifications Framework for Cybersecurity
- A taxonomy and common lexicon that describes the work and personnel in the cybersecurity field
- The basis for a uniformly understandable communication of requirements between the demand and supply sides of the labour market
- Inspired and influenced in particular by the NICE Framework developed by NIST in the USA
- Our aim is to go beyond the NICE Framework example and provide more detailed information (more job roles, more dynamic links, better use)

9 Goal and results of the CYQUAL project
- Identified 5 core elements of the skills framework
- 1) Trustworthy data source
  • CYQUAL builds on the updated (2021) NICE Framework
  • NICE content adjustments made with ECSF progress in mind
  • Framework administration and application guaranteed by NÚKIB
- 2) Accuracy and granularity
  • A textual description of a role is difficult to utilise further
  • Granular data points needed for analytical or generation tools = content structure inspired by the NICE Framework
  • X need to adapt to the EU context (laws, approach to cybersecurity) = NICE content rehaul => CYQUAL content basis

10 Goal and results of the CYQUAL project
- 3) Usable format
  • A PDF or EXCEL file is difficult to utilise further in software tools and data mining + not a user-friendly representation
  • => database in an open data format = .json file format
  • => dynamic representation in a public online platform = CYQUAL Platform
- 4) Unified perspective
  • What exactly is expected from a cybersecurity auditor in academia / the public sector / the private sector; is it the same?
  • How can the administrator of the framework efficiently gather input from relevant stakeholders to unify the perspective?
  • => CYQUAL Platform curation mechanism
- 5) Current and up-to-date content
  • How to simplify content management of the Framework to allow regular updates
  • Need to reflect the latest trends (2021 NICE Framework vs. developments in AI or quantum computing)
  • => CYQUAL Platform version update mechanism

11 Goal and results of the CYQUAL project
- CYQUAL Framework
- CYQUAL Platform
- + Action plan for NÚKIB on support for CS education
- + Articles & conference papers (summary available here)

12 CYQUAL Platform
- Platform for access to and management of the CYQUAL Framework = https://platform.cyqual.cz/en
Core features:
- Robust database of qualification elements
  • 1000+ Requirements sorted under 50+ Competencies & 1000+ Tasks
  • built on rehauled NICE (2021) Framework content = trustworthy data basis
- Initial database of work roles with granular qualification description
  • 100+ roles sorted under 37 specialisation areas, each with a text description, categorisation and a granular set of Competencies, Requirements and Tasks (built on rehauled NICE Framework content with ECSF progress in mind and NÚKIB input)
- User-friendly representation of and access to the Framework through the Platform = online + .json file
- User-friendly tool for gathering input from stakeholders, for unification of the perspective and reflection of current trends
- User-friendly tool for administration of the Framework: access to the feedback and update of the version

13 Description of the online platform
- An information system for managing the qualification framework, which allows data management and proposing changes to the data
- The application shall provide a user interface that interprets the data in a comprehensible form
- The application provides an interface to the information system and to public data
- A database that permanently stores all the data handled by the platform
- Open Data
- Real-time switching between language versions (CZE<->ENG) and potentially other languages if needed
- platform.cyqual.cz

14 Need for curation mechanisms
- The Framework needs to be curated to stay up to date, reflecting recent developments in the cybersecurity field
- No other approach (known to us) offers a sophisticated online tool that would make it possible to revise (add/modify/delete) work roles, requirements, tasks, descriptions etc.
- Modification of the dataset without a user-friendly tool would be labour-intensive/unrealistic (compare the NICE Framework approach through .xlsx)
- The platform for curation serves academic, governmental and sector-specific needs and purposes
- The taxonomy is a suitable basis for further utilisation through analytical tools or other (semi)automated processes; the platform "opens" the dataset for further elaboration for the specific needs of any subject
- Curation is done by different types of users: 1. Non-logged user, 2. Logged-in user, 3. Administrator

15 Types of users
1. Non-logged user
- User-friendly display of and access to the current version of the Qualifications Framework
2. Logged-in user
- Reserved for the representatives of stakeholders, who use the Platform in a similar way to the non-logged-in user but, in addition, use the user-friendly content management tool for providing feedback on the current version of the Framework and suggestions for its modification or the addition of further elements

16 Types of users
3. Administrator
- The guarantor of the content of the Framework, with access to the curation and modification tool for the content that is made available to all users through the Platform. The recommendations provided by logged-in users are displayed to the administrator comprehensively, providing guidance for modifications of the Framework based on the collected feedback from logged-in users and other channels and inputs.
- Feedback and recommendations for further updates of the Framework

17 Content management
- The key benefit and added value of representing the Framework through the Platform is the possibility to systematically gather feedback from a wide range of stakeholders on the current content of the Framework
- Achieve and maintain a consistent multi-perspective view of the requirements related to the respective work roles
- It allows for systematic updates of the Framework on a regular basis
- The Platform with such a curation mechanism is thus a tool to facilitate the (administrator-coordinated) collection of feedback and to steadily develop and adapt the content of the Framework to current needs and uses
- The selection and validation of appropriate stakeholders for feedback is entirely within the administrator's competence

18 Content management
- Login = custom content management
- The Content Management sub-page provides an overview of the structure of the database content and allows direct access to the sub-levels of the corresponding structures
- The user has the possibility to suggest changes within the period set by the Administrator

19 Content management
- The user has the possibility to edit existing elements and their links based on the current version of the Framework
- Adding or removing requirements or changing the description of the work role characteristics
- The modifications are not only displayed graphically on the link of the element; the element is also highlighted in yellow within the relevant overview

20 Content management – why?
- Given the complexity of the Framework and the number of elements involved in the specification of a particular work role, it is crucial to provide the logged-in user with a user-friendly visualisation of the changes made previously
- The tool is intended for periodic as well as irregular updates of the Framework
- The time period for stakeholders to input changes to the current version can be quite extensive
- The changes visible to the logged-in user concern only their own copy of the current version of the Framework
- The aggregate view containing recommendations from all logged-in users is visible only to the administrator; the administrator can effectively assess the multitude of suggestions and changes recommended by the stakeholders and transpose them into the new version of the Framework, which will then be published and available to all users of the Platform

21 Curation mechanism
- The administrator is the curator
- The administrator is continuously provided with all suggestions for changes and additions that logged-in users make by editing their own copies of the current version of the Framework during the editing period
- The changes of each logged-in user are shown together, since changes to elements across users may be incompatible with each other, especially with respect to newly proposed elements

22 Curation mechanism
- Change suggestions from users are taken as a basis for decision-making by the Framework content guarantor (administrator) when editing or updating the database content
- The Platform allows the administrator to work dynamically with the content of the Framework and to offer the current version as a basis for stakeholder feedback via the feedback-gathering function for logged-in users
- To better manage the content of the database, the administrator has the Data Version Management sub-page, through which they can determine which version of the database is displayed to users

23 Curation mechanism – data versions
- The administrator manages data versions
- Updating the content is done by:
  (i) creating a new version of the data,
  (ii) making administrative modifications according to feedback from logged-in users to update the content of the version, and
  (iii) publishing this modified version, which thus becomes the new up-to-date version displayed to all users.

24 Evaluation and user feedback
- The utilisation of the available inputs and synergies from existing qualification frameworks, such as the NICE Framework and the European Cybersecurity Skills Framework, produced a tool that is not only complementary but shows a way towards further and more dynamic utilisation of these frameworks
- The result is a dynamic common reference tool for cybersecurity workforce requirements with sufficient granularity and availability to be used as a basis for policy approaches as well as for extension instruments using the reference database for analytical or guidance purposes
- The primary benefit is the significant reduction in the labour intensity of maintaining and updating the Framework
- The secondary benefit is a user-friendly interface for stakeholder feedback, which increases the volume and detail of this feedback
- ECSF example through the connection to the REWIRE project: https://platform.cyqual.cz/en/auth/content/work-roles/11918

25 Conclusion
- The framework is optimised with the help of the stakeholder network
- The possibility of continuously updating the framework through a publicly available online platform
- Platform: https://platform.cyqual.cz/en
- Keep an eye on the updated page: https://www.cyqual.cz
- Please also contact us for further consultation

26 Thank you for your attention
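The per-user working copies, the administrator's aggregate view and the three-step data-version workflow described on the content management and curation slides (20 to 23), modelled as an added Python example; this is not the CYQUAL Platform's own code, and the element ids, texts and class design are assumptions made here:

```python
import copy
# Constructed sample in the structure the page describes (work roles linked to
# requirements and tasks). Ids and texts are made up, not CYQUAL's data or schema.
PUBLISHED_V1 = {"version": 1,
    "work_roles": {"WR-1": {"title": "Cybersecurity Auditor",
                            "requirements": ["R-10", "R-11"], "tasks": ["T-20"]}},
    "requirements": {"R-10": "Knowledge of risk management frameworks",
                     "R-11": "Knowledge of audit evidence collection"},
    "tasks": {"T-20": "Conduct compliance audits"}}
KINDS = ("work_roles", "requirements", "tasks")

class FrameworkRepo:
    # Published data versions plus one private working copy per logged-in user.
    def __init__(self, published):
        self.versions = {published["version"]: published}
        self.current = published["version"]
        self.copies = {}  # user -> private copy of the current version

    def checkout(self, user):
        # A logged-in user only ever edits their own copy of the current version.
        self.copies[user] = copy.deepcopy(self.versions[self.current])
        return self.copies[user]

    def proposals(self):
        # Administrator's aggregate view: per user, every element that differs
        # from the published version (value None = proposed deletion).
        base = self.versions[self.current]
        return {user: {(k, eid): cp[k].get(eid)
                       for k in KINDS for eid in set(base[k]) | set(cp[k])
                       if base[k].get(eid) != cp[k].get(eid)}
                for user, cp in self.copies.items()}

    def conflicts(self):
        # Same element changed differently by two users: the administrator must decide.
        seen, clash = {}, set()
        for changes in self.proposals().values():
            for key, val in changes.items():
                if key in seen and seen[key] != val:
                    clash.add(key)
                seen[key] = val
        return clash

    def publish(self, merged):
        # Steps (i)-(iii): a new data version with the administrator's edits
        # becomes the one shown to all users; stale working copies are discarded.
        new = dict(copy.deepcopy(merged), version=self.current + 1)
        self.versions[new["version"]] = new
        self.current = new["version"]
        self.copies.clear()
        return self.current
```

conflicts() singles out the case the deck flags as needing the administrator's judgement: the same element changed in incompatible ways by different stakeholders.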