17.12.2025 • Topstories

Training at Fraunhofer SIT: Strengthening resilience against cyber attacks

Rapid technological progress, an increasing attack surface, and cyber criminals who are arming themselves: these risks can no longer be countered with technology alone. People with specialist knowledge are needed. But knowledge in cyber security is evolving faster than in almost any other technical field, and a great deal can depend on that knowledge. This is why continuous training in cyber security is important. An article by Dr. Markus Schneider, Deputy Director & Head of Cybersecurity Training at Fraunhofer SIT & National Research Center for Applied Cybersecurity Athene.

Dr. Markus Schneider, Deputy Director & Head of Cybersecurity Training, Fraunhofer SIT & National Research Center for Applied Cybersecurity Athene
© Fraunhofer SIT/Markus Schneider

The Federal Office for Information Security (BSI) describes the cyber security situation in Germany as tense. For companies and authorities, the question of attacks is less a question of if and more a question of when. For some years now, cyber attacks have been considered the greatest business risk, impacting competitiveness and even the very existence of a company.

The digital transformation is constantly leading to new applications and functions; technological progress brings many advantages, e.g. efficiency gains. However, this also increases the attack surface and poses major challenges in terms of protection.

Arming oneself involves technical protective measures, processes, and knowledge. Due to its scope, cyber security is becoming an issue that affects more and more levels and roles in organizations, from operational tasks in IT administration to strategic issues at management level. The fast pace of technological development inevitably leads to the rapid further development of relevant cyber security knowledge, and relevant new legal acts demand a response.

In view of the immense professionalization of cybercrime and the resulting threat, it is important to keep the relevant knowledge in organizations up to date at all times. However, even very good training can no longer cover the required knowledge over longer periods of time; further training is essential, especially due to the immense shortage of cyber security specialists. Due to the cross-sectional nature of cyber security, further training is becoming increasingly differentiated.

Cybersecurity knowledge - why so special?

The framework conditions for cyber security knowledge differ significantly from other areas. While market requirements and new functions are the evolutionary drivers in other ICT areas, the threat situation is the driving force in cyber security. Predictability is usually much lower here than in other areas. Cybersecurity knowledge becomes outdated and is replaced by new findings. The half-life of tactical knowledge is a few months in cyber security, compared to a few years in other ICT areas; for strategic knowledge, it is a few years compared to many years.

The required response times can be very short, while longer periods are accepted in other ICT areas. Obsolescence is also pronounced differently: abrupt abandonment in cyber security versus gradual transitions in other ICT areas. Furthermore, due to the need to act at short notice, documentation relating to cyber security is often incomplete, whereas in other ICT areas it tends to be more comprehensive and structured.

Today, cyber security is one of the fastest evolving fields in ICT. This has huge implications for what organizations need to know in cyber security and how they keep this knowledge up to date. What was right yesterday may be obsolete tomorrow. These discrepancies between knowledge in cyber security and in other ICT areas result from various influencing factors: shortage of specialists, overload, technological complexity, enlargement of the attack surface, asymmetry between the attacker and defender sides, new attack methods, new regulatory requirements, differentiation of various roles and tasks, and application orientation versus fundamentals.

In addition to long-term knowledge (e.g. basic principles, cryptographic primitives), medium-term (e.g. threats from new application technologies, tools) and short-term knowledge (e.g. new vulnerabilities, patches) also play an important role in cyber security. Short-term knowledge can become relevant on an ad hoc basis, but can also quickly become outdated again. Solid medium and long-term knowledge helps with the independent classification of current reports.

It is often challenging for universities to keep pace with their curricula. In addition, it takes time for students to enter the labor market as skilled workers. In order to protect themselves better, companies need to focus on further training in cyber security, preferably on an ongoing basis. Last but not least, such training also helps management to demonstrate that it is meeting its responsibility for risk prevention.

INFO-BOX: Further information

◾ Further training: www.sit.fraunhofer.de/weiterbildungen-allgemein

◾ Teletrust Information Security Professional (T.I.S.P.): www.sit.fraunhofer.de/de/tisp

◾ Athene Cyber Range: www.athene-center.de/cyber-range-trainings

◾ Cyber Security Learning Lab: www.sit.fraunhofer.de/de/llcyber

Obligations for organizations

To protect their own interests, organizations must do what is necessary to stay up to date with cyber security. If they do not do this and do not take the necessary measures, there is a risk of organizational failure. This becomes apparent at the latest after attacks have occurred.

Further training in cyber security, e.g. in the form of courses or training, is mandatory for organizations under various legal acts. This applies to organizations either directly (e.g. GDPR, IT Security Act) or indirectly in accordance with the due diligence obligations for board members or management (e.g. AktG, GmbHG). They are also responsible for providing the necessary resources (e.g. time, finances).

Needs

The shortage of cyber security specialists is not limited to Germany. Companies and authorities around the world are looking for suitable specialists whose expertise meets the application-oriented requirements. This requires good training and appropriate further training.

A study conducted in the USA a few years ago found that even Ivy League university graduates no longer met the content requirements of organizations. As the lack of specialists and content deficits were seen as a national security problem on the government side, the National Initiative for Cybersecurity Education (NICE) was launched; it has developed a competence framework for training and further education. Other countries, such as China, also see education and training in cybersecurity as a pillar of their national security. In line with NICE, Europe has responded with the EU Cybersecurity Skills Framework (ECSF).

Companies need further training that can be easily integrated into the practical world of work in terms of content and process. Practical components in knowledge transfer are expected to lead to faster and more effective learning success. Important new findings must be incorporated into training curricula without delay.

Knowledge over short distances

Fraunhofer SIT is a contributor to the National Research Center for Applied Cybersecurity Athene, the largest research center for cybersecurity in Europe. In addition to R&D, Fraunhofer SIT has an extensive range of training programs. The proximity to applied research is very valuable, as new findings are quickly adopted:

TISP: The content covers practically relevant knowledge on technical, organizational, legal, and economic topics, which is based on national and international standards.

Athene Cyber Range: Here you can practice detecting and defending against real cyber attacks.

Cyber Security Learning Lab: Content is taught using practical exercises and compact theory. The practical application of newly acquired knowledge leads to better learning success.

To protect against cyberattacks, organizations must enable their employees to continuously learn about cybersecurity. Lifelong learning is important, as cyber security is evolving rapidly. Because content and offerings vary greatly, it is crucial to select the training and courses that are relevant to your own needs.

Business Partner

Fraunhofer SIT Institut für Sichere Informationstechnologie

Rheinstraße 75
64295 Darmstadt
Germany
