Dear WP9 members,
We proposed at the kick-off meeting to share our plans for 2019,
regarding the WP9.
As Task leader for WP9.3 (Professional Training in Cybersecurity),
here is a first sketch.
= March-June =
First, as we discussed together, it seems important to analyse the
current situation of cybersecurity training in general, be it from the
framework point of view or from the offering point of view. This is why
we should definitely spend some time to gather information about
existing skills and label framework (this will obviously also be
discussed in T9.1), and we should try and collect data about existing
courses (actual training courses, but more importantly course
description/specifications).
For this part, I have in mind the following existing initatives:
- ECSO WG5 on skill framework, which will most certainly also be
studied in T9.1
- The emerging French label "SecNumedu-FC" (Full disclosure: I was
part of its definition back when I worked at ANSSI, but I still
believe it can be an interesting starting point)
- Existing certifications (ISO270001, CISSP)
- Current trends in professional training in cybersecurity (ICS
security, cyberrange, etc.)
This could lead to a document that we should share and publish.
= July-October =
Then, we should focus on the domains we believe are both important and
under-developped. Clearly, ICS security and cyberrange are the hot
stuff, but we should try and explain which subjects are to be
developped
Possible subjects:
- ICS security
- Cyberrange
- 5G and its applications ?
- IoT ?
- Focus on bridges between existing operational positions and
security-oriented ones (what I have in mind here is the development
positions for example, where security should definitely take a
bigger role today, but this is also the case for network and system
administrators, or for database admins)
Ideally, we should identify several domains and be able to define the
broad objectives/skills a training course should reach.
= November-Some time in 2020 =
Specify training courses in one or several domains identified in the
previous phase. The output would be a set of more precise syllabus, and
even
when possible pedagogical resources.
= Further in 2020 =
Test our training courses in real conditions, and evaluate its impact
(developed skills, professional insertion, etc.).
= Next steps (beyond March 2020) =
Repeat the 2 or 3 last steps: re-identify relevant domains to improve,
specify training courses, test them with real students. Obviously, we
can run several instances of this cycle in parallel.
Standardize training courses if possible. If we find (or produce) a
relevant framework to label our training course specifications, the
produced and evaluated courses would clearly be candidates to such
standardization.
I would be happy to discuss this very first proposal. If we manage to
converge, I will transform this into a more formal roadmap and discuss
the possible contributions of everyone involved.
In the SPARTA proposal, it is said that we should work tightly with
T9.4, aiming at raising awareness in cybersecurity. Indeed, some of
the courses we might end up specifying and evaluating may not aim at
producing cybersecurity experts but also security-aware professionals.
We might add such topics in the possible subjects to explore.
Best regards,
Olivier Levillain
--
network.training-awareness mailing list
network.training-awareness@server.sparta.euhttp://server.sparta.eu/cgi-bin/mailman/listinfo/network.training-awareness