EU Cybersecurity Skills Framework works towards commonalities of roles, competencies, skills, knowledge

The EU Agency for Cybersecurity (ENISA) released Wednesday details of a European Cybersecurity Skills Framework (ECSF) to create a common understanding of the relevant roles, competencies, skills, and knowledge. It also looks to facilitate cybersecurity skills recognition and support the design of cybersecurity-related training programs. It summarizes all cybersecurity-related roles into 12 profiles, which are individually analyzed into the details of the responsibilities, skills, synergies and interdependencies it corresponds to.

The features of the ECSF were announced at the agency’s ongoing Cybersecurity Skills Conference, which highlighted the actions taken by ENISA to create common understanding of the roles, competencies, skills, and expert knowledge required to engage in professional activity in the field. The conference attendants came from various sectors, such as public administrations working on skills, cybersecurity private organizations with an interest in building a competent workforce, professional associations, researchers, academics, and providers of training programs.

Despina Spanou, head of Cabinet for European Commission vice-president Margaritis Schinas, stated in a statement that, “ On the eve of 2023 European Year of Skills, the European Cybersecurity Skills Framework will be a tangible tool to help identifying the profiles of jobs that are the most necessary in the field. It can become an enabler of a common European language on cybersecurity skills across the whole European cyber ecosystem and a building block for the Commission’s work on a genuine Cybersecurity Skills Academy,” she added.

“The future security of our digital world will heavily depend on our capacity to develop an efficient & adequate cybersecurity workforce,” Juhan Lepassaar, ENISA’s executive director, said. “The cybersecurity job market is expected to soar further. By improving skills recognition and supporting the design of cybersecurity-related training programmes, the new framework announced today is a big step in the right direction.”

The ECSF is made up of two documents – the ECSF Role Profiles document lists the 12 typical cybersecurity professional role profiles along with their identified titles, missions, tasks, skills, knowledge, and competencies. The second document, the ECSF User Manual, provides guidance and practical examples on how to leverage the framework and benefit from it as an organization, provider of learning programs, or individual.

The framework provides a practical tool to support the identification and articulation of tasks, competencies, skills, and knowledge associated with the roles of European cybersecurity professionals. The objective of the framework is to create a common understanding between individuals, employers, and providers of learning programs across the EU member states, making it a valuable tool to bridge the gap between the cybersecurity professional workplace and learning environments. 

The ECSF will strengthen European cybersecurity culture, by providing a common European language across communities, making an essential step forward toward Europe’s digital future.

The twelve cybersecurity role profiles defined by the framework provide a common understanding of the main cybersecurity missions, tasks, and skills needed in a professional cyber security context, making it the perfect reference for profiling skills and knowledge needed by cybersecurity professionals. 

The framework was designed to be understood and comprehensive enough to provide appropriate in-depth cybersecurity insights as well as flexible enough to allow customization based on each user’s needs. By incorporating all stakeholder perspectives, the framework is applicable to all types of organizations and supports the development of all cybersecurity professions.

The ECSF is the result of the joint effort of ENISA and the ENISA Ad-hoc working group on Cybersecurity Skills Framework, formed by 17 experts from 14 member states. The first draft was presented to the public in April 2022, in addition to being discussed with several research projects, including the four EU pilot projects that prepared the way for the European Cybersecurity Centre and Competence Network and an Erasmus+ project on skills-Rewire. 

ENISA had last November identified a cybersecurity skills shortage. At the time, it said that the number of skilled and qualified workers is not enough to meet the demand, and national labor markets are disrupted worldwide as a consequence.

The cybersecurity workforce shortage and skills gap are major concerns for both economic development and national security, especially in the rapid digitization of the global economy. Thus, the development of an ECSF taking into account the needs of the EU and each one of its member states was an essential step towards Europe’s digital future.

The ECSF will ensure a common terminology and shared understanding between cybersecurity professional demand at the workplace and for recruitment purposes, and supply in terms of necessary qualification and training across the EU. It will also support the identification of a critical skill-set required from a workforce perspective. It enables learning providers to support the development of this set and policymakers to support the targeted initiatives and mitigate identified skills gaps.

The framework facilitates an understanding of key cybersecurity professional roles and the required essential skills, including soft skills, and sometimes also legislative aspects. In particular, it enables non-experts and HR departments to understand the requirements for cybersecurity-support resource planning, recruitment, and career planning. The structure also promotes harmonization in cybersecurity education, training, and workforce development. At the same time, this common European language for the cybersecurity skills and roles context connects well with the professional domain.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) rolled out its initial comprehensive plan of action to focus on and guide the agency’s efforts over the next three years. Over the period, the agency is set to spearhead the national effort to ensure the defense and resilience of cyberspace; reduce risks to, and strengthen the resilience of, America’s critical infrastructure; strengthen whole-of-nation operational collaboration and information sharing; and unify as ‘One CISA’ through integrated functions, capabilities, and workforce.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.