Hi,
Here are some notes from the ECSO meetings. As in the previous
meetings, several documents have been presented, but most of them are
not really available (even within ECSO). I will share what I can as
soon as the documents are published on the portal.
Don't hesitate to ask me about a particular subject. Since writing
(or reading) minutes is not always that funny, I tried to send you what
I thought was the most relevant, as soon as I could.
1) Cyber Ranges
ECSO is working on a document defining what cyber ranges (CRs)
are. The document starts by stating that we usually find two different
definitions: one describing the CR as a simulation environment, the
other one describing CR as a platform. Since the latter contains the
idea that a CR is more than a technical piece of software, they prefer
it.
The document then describes different use cases and different features
a CR can have. The idea is to say that, as a car, CRs can be of very
different natures (from Formula 1 to family cars to 4x4s).
Today, a lot of organizations are looking for cyber ranges for
different goals, which can not be done by all cyber ranges. The
prurpose of the document is to shed light on a key/buzz word which is
not clear for many people. It aims at helping consumers of cyber
ranges, but also the providers/researchers to focus on special
features/use cases.
The document is still a draft, and is still supposed to be internal to
ECSO only, but we will have a new version in early November that I
will be able to share with SPARTA partners, to gather feedback.
ECHO (one of the 4 EC pilotes) has been trying to coordinate the
activity. Beyond the survey that was sent earlier, I did not see a lot
on this front from ECSO or from ECHO. The survey collected around 50
answers 3 or 4 weeks ago. It is still open, and it seems it would be
useful to send the link again (we discussed it on the WP9 list, and it
was supposed to have been sent by a Catarina, but I can not find the
message in my archives...).
2) A tool to self-assess one's cybersecurity skills
Georges Ataya presented an online tool for self-assessment and then
see the gap between one's profile and a given role from the NICE
framework.
We are supposed to get a link to this online tool in the weeks to
come. If this happens, I will share it with you.
3) Description of a minimal curriculum for "Cybersecurity for top management and leaders"
ECSO SubWG 5.2 is working on a document to define minimum curricula,
and they started with the top management and leaders.
For now the document has not been shared among ECSO, so we only got
the first elements. As soon as I have more on this European Cyber
Security Education Framework, I will share it with you.
4) Youth4Cyber
A member from Milano presented an initiative to teach cybersecurity
(mostly awareness) to young people, through 5 modules aimed at 6-10
years old, 10-14, 14-18, 18-22 and 22-26. They presented the outline
of the modules, which all contain 6 to 7 sessions of 45 to 2h each.
For now, they only have a 1-slide description for each session, and
are looking for funding/work force to produce the content. Since this
is an Italian initiative, they would then need to translate it.
This initiative may be of interest for T9.4?
5) Awareness campaign by SOGEI
SOGEI presented their work on awareness campaigns. It is similar to
the material I sent last month on the Awareness Workshop ECSO
organized.
6) Women4Cyber
ECSO and an SME have created a fondation to lead this initiative. They
already won an award from the nordic countries and hope to have
chapters in different countries and even regions.
7) Education Map from ENISA
Fabio Di Franco presnted the Education Map: more than 500 degrees (it
is a list of degrees, and not courses as we thought initially). The
website is still under development and should be online in November.
It will be possible with a nice UI to apply multiple filters on the
following criteria: language, country, delivery method, major topic,
deree obtained. Their goal is to get an almost exhaustive list of
degrees updated regularly.
They also have gathered information about the cost of the courses, the
number of graduated people, the maximum capacity of each course, the
very coarsed-grain repartition of ECTS (cybersecurity courses, law
courses, internship, etc.)
They have no intention to produce more detailed information; first
because of a lack of resources (Fabio seems the only person involved
in the data collection and validation); second, because they are not
confortable with a taxonomy of the different topics.
Thus, I believe that we can propose something complementary
here. Fabio seemed interested. Jan, if you believe it is useful I
introduce you to him (electronically), I can do it.
8) Report on Cyber Security Education from ENISA
This report offers a critical review of common knowledge about
cybersecurity education and HR.
It is common knowledge that there is a lack of qualified cyber
security professionals. However, maybe the shortage is dominated by a
lack of understanding. We must be more precise on the jobs needed.
ENISA spots the following issues in cyber security education:
- lack of educators
- poor interaction with the industry
- little understanding of the labour market
Yet, it might be useful to recall the goals of universities, which are
today torn between teaching people with a holistic vision, and
producing market-ready people. We might be mistaken in following the
second path too strictly, since we do not know how cybersecurity jobs
will evolve (some jobs might soon become irrelevant because of some
forms of automation).
[As a teacher, I agree with the vision that universities' goal is not
only/primarily to produce market-ready people!]
ENiSA looked at 387 study programs that were "certified" by a national
body (Autstralia, France, UK, USA).
Most certifications have the following elements:
- check that sufficient hours are put in cybersecurity
- check the teaching body's qulaifications
- describe the teaching modalities
- employment outcomes
- etc.
9) Presentation from the pilots
9.1) SPARTA
Regarding SPARTA, Edumndas and I briefly presented the documents we
(task leaders) prepared together.
Concerning the skills matrix, Edmundas was asked to invite ENISA, ECSO
and the Program Officer to the coming workshop (I sent him the
contacts I had in another mail).
I was asked to send the WP9 contacts (task leaders) to the ECSO
secreatariat. I will do this shortly.
Regarding possible collaborations, beyond the skills workshop, we
proposed to exchange documents between ECSO and pilots as much as
possible (and I believe we should try and share early when we have no
specific constraints).
9.2) CONCORDIA
They have been collecting information on short courses with possible
filters on an online map
(
https://www.concordia-h2020.eu/map-courses-cyber-professionals/). Their
work tracks 60 courses collected in 3 months (31 from within Concordia
and 29 outside). It should be useful to collaborate with them for
T9.3, since we were asked by a representative from the DG Connect not
to do the same things in different EC pilots. I will study what they
proposed to see how we could bring added value.
CONCORDIA also worked on Cyber Ranges (which they would like to also
put on the map). They would like to create an ecosystem, but they are
not after a federation (the woman presenting could not explain more,
but this will be discussed at the next meeting with the relevant
person from the project). They want to share scenarios and work on an
exchange format. Since they were not present the morning for the
discussion about the document on Cyber Ranges, they will contribute to
the document as soon as they get it. Finally, they asked whether there
was interest for an open source Cyber Range. Someone answered that
this was mostly relevant for universities.
9.3) CyberSec4Europe
They quickyl described their work packages (but without slides).
10) Notes
The woman from the DG Connect asked us (pilots) to identify the
possible synergies between project and to clearly define what our
differences are (especially with regards to education and training).
In particular, we were asked not to do the same thing about Cyber
Ranges, which seems to be an especially hot topic.
Best regards,
olivier
--
network.training-awareness mailing list
network.training-awareness@server.sparta.euhttp://server.sparta.eu/cgi-bin/mailman/listinfo/network.training-awareness