IFIP IP3 (International Professional Practice Partnership) kicked off its involvement in the 2021 WSIS (World Summit on the Information Society) Forum this month with a moderated panel discussion on professionalism in cybersecurity on 13th April 2021.

Caption: Moira de Roche, Independent Consultant, IITPSA non-executive director, Social & Ethics Committee Chair, Chair of IFIP IP3, and IFIP Board Director.

The event, entitled: Building Resilience with a Professional Workforce”, was moderated by IP3 Chair, Moira de Roche, with the panel comprising:

  • Steve Furnell, Chair of IFIP Technical Committee 11,
  • Fred van Noord, President of the Netherlands Association for Information Security Professionals,
  • Anthony Wong, IFIP Vice President and former ACS President, and
  • Bob Weisman, CEO/Chief Enterprise Architect of Build the Vision and Professor of Digital Transformation, University of Ottawa.

Steve Furnell

Steve Furnell talked about international skills shortages, pointing to the (ISC)2 Cybersecurity Workforce Study which found two thirds of organisations are experiencing some level of skills shortage, with an estimated shortfall of 12 million practitioners.  He also highlighted issues relating to current approaches which rely on qualifications when hiring staff or contractors, saying that they don’t guarantee experience or competence.

Fred van Noord detailed the approach being taken by the Netherlands Association for Information Security Professionals to initiate a structured approach to qualifications, sharing key lessons learned along the way:

Fred van Noord

  1. To build a resilient, professional CS workforce, it is necessary to train on three levels: secondary vocational, higher vocational and university;
  2. Based on the detailed e-CF Knowledge and Skills elements, it is possible and feasible to develop new and officially recognised CS education;
  3. The professional profiles and the detailed e-CF Knowledge and Skills elements can be used to determine whether existing approaches and frameworks can be used to develop the required competencies worldwide; and
  4. ENISA plans to have a final version of the European Cybersecurity Skills Framework by the end of 2021.

Anthony Wong

Anthony Wong discussed how governments around the world are developing policy and legal frameworks aimed at security key infrastructure and engaging in workforce planning to build cybersecurity capability. He also referenced the ACS Cybersecurity Specialism launched in 2017, which was designed to raise professional standards for people working in that area, raising questions about how to effectively assess qualifications and competency frameworks, and how to allow people with expertise in cybersecurity to move across boundaries and practise in different regions.

Bob Weisman took an architecture perspective, warning that most organisations are compromised and leaking data, and highlighting the need for a consistent and measurable approach.

In the panel discussion that followed, Mr Wong highlighted the work of IP3 in mapping skills for ICT professionals across Japan, Australia and the EU, suggesting this was an opportunity to IP3 to play a key role in facilitating the transfer of knowledge and skills.

“IP3 could work with different frameworks around the world and offer our services to the UN and UNESCO to set up a taskforce to align the frameworks and map different skills. This would help ensure the freedom of skilled professionals to go across boundaries and move around the world,” he said.

Bob Weisman

Bob Weisman endorsed this approach, referencing his own experience in working with tiger teams comprising diverse people from all over the world. “Having a common lexicon and skillset really helps so you know what you are dealing with,” he said, suggesting that the SFIA framework might be enhanced with a UN skills framework as a subset of SFIA.

All three panellists supported the idea of skills harmonisation and the inclusion of a strong ethical component to support the development of a more professional and resilient cybersecurity workforce.