In today's complex digital ecosystem, constantly growing IT threats are becoming ever more insidious, while the shortage of professionals engaged in fighting them keeps widening.
That is why, in September last year, ENISA (the European Cybersecurity Agency) drew up the European Cybersecurity Skills Framework (ECSF), which contains guidelines for identifying and training the 12 professional profiles typical of the sector.
The problem of cybersecurity in the company
The security of corporate IT infrastructure is becoming ever more critical and relevant, because organizations' dependence on IT systems for their daily activities leaves them increasingly exposed. The loss of, or unauthorized access to, sensitive company data can cause serious financial, reputational and legal damage. In the first six months of 2022, cyber attacks classified as serious accounted for 45% of the total, and those whose impact was classified as critical accounted for around a third of the total. In this context, the human factor continues to emerge as the real weakness, not only because of the shortage of specific professional figures but also because of the lack of attention and awareness among all operators.
The framework developed by the European Union goes far beyond raising employees' awareness of good IT security practices: it defines the skills needed to counter cyber criminals and the professional profiles that hold them.
The professional figures defined in the European Cybersecurity Skills Framework
The ECSF brings together all the roles of operators involved in IT security in 12 professional profiles, each with its own responsibilities and competences but interdependent with the others and designed to operate in synergy. This choice is the result of two years of analysis, study and dialogue with all the actors involved.
Here is the list:
- the CISO (Chief Information Security Officer);
- the Cyber Incident Responder;
- the Cyber Legal, Policy and Compliance Officer;
- the Cyber Threat Intelligence Specialist;
- the Cybersecurity Architect;
- the Cybersecurity Auditor;
- the Cybersecurity Educator, dedicated to raising awareness on the subject;
- the Cybersecurity Implementer;
- the Cybersecurity Researcher;
- the Cybersecurity Risk Manager;
- the Digital Forensics Investigator;
- the Penetration Tester, the person who carries out penetration tests.
The Cybersecurity Educator
While many of these profiles are already fairly well known, the Cybersecurity Educator stands out: its specific purpose is to increase knowledge and skills in the field of cybersecurity. It is therefore responsible for promoting and building the much-desired cybersecurity culture among employees, in order to reduce the human error that still plays such a large part in successful attacks.
Specifically, the Cybersecurity Educator must identify training and awareness needs by designing tailor-made programmes, defining continuous training strategies, verifying personnel's skills through tests and simulations, and motivating and encouraging them to acquire the knowledge needed to deal with information security.