Lessons contained in the Cyber Book of Knowledge project will help the education sector and businesses improve the hiring and training of cyber security professionals.

Cyber security has become an increasingly important and challenging part of the world of education and enterprise. Official statistics from the UK Government show that a third of British businesses suffer a cyber-attack on average once a week.  In the higher education (HE) and further education (FE) sectors, increasing numbers of sophisticated threats, combined with an unprecedented squeeze on budgets, mean it has never been more important to develop internal talent.Education organisations can’t compete with big businesses for salaries – especially when talent is at such a premium – but they are experts in helping individuals develop skills and knowledge.CyBOK, the Cyber Security Book of Knowledge, is a repository of foundational knowledge on cyber-security practices and techniques. We believe it can support colleges and universities, and the wider industry, in developing existing professional cyber-security teams.[#pullquote#]The CyBOK team is excited to see how it can help private and public sector organisations globally to support their cyber security skills mapping and enhance cyber security hiring practices.[#endpullquote#]The CyBOK team is excited to see how it can help private and public sector organisations globally to support their cyber security skills mapping and enhance cyber security hiring practices.What is CyBOK?The Cyber Book of Knowledge (CyBOK) project was set up in 2017 by the UK’s National Cyber Security Centre (NCSC) under the leadership of an independent editorial board and with funding from the National Cyber Security Programme.The aim was to bring together the world’s experts to create a definitive and constantly evolving home for knowledge in the cyber-security space.How has CyBOK been used in education?CyBOK is based on the experience of cyber-security academics and professionals. Besides its relevance for enhancing staff’s knowledge, it also provides a foundation for lecturers wanting to design courses.We’ve seen it used to create NCSC-certified programmes that prepare students for the realities of a career identifying and countering sophisticated threats.[#pullquote#]It codifies the discipline’s 21 key areas: from deeply technical to non-technical subjects focusing on human factors as well as law and regulations.[#endpullquote#]I think that CyBOK is the best available guide to building the skills and knowledge necessary to succeed in cyber. It codifies the discipline’s 21 key areas: from deeply technical to non-technical subjects focusing on human factors as well as law and regulations.How CyBOK can help education and enterpriseOne of our objectives is to increase awareness about CyBOK and facilitate its use by industry and education sector practitioners.The NCSC uses CyBOK as the basis for its own training certification for cyber-security professionals, the national standard for cyber certifications.There are several areas in which CyBOK can contribute most towards best practice and create the most impact, helping as many organisations as possible to build their resilience to – and readiness for – cyber-attacks:Evaluation, training and hiring proceduresWe encourage organisations to use CyBOK as a framework to help understand their cyber-security knowledge. Using CyBOK and its 21 knowledge areas (KAs) as a basis, companies can evaluate: knowledge within a cyber teamwhether the team’s knowledge is broad or narrowwhich areas are most pressing for training and developmentThrough a structured evaluation, organisations can then create a prioritised plan for development, hiring, and further investment in talent.CyBOK can underpin the mapping of available knowledge to company needs, building a stronger cyber team and more robust positioning.TrainingUsing the CyBOK Knowledgebase can help training teams build development schemes quickly and efficiently. We encourage organisations to engage with our resources and send feedback to help with their development.Implementing regular team reviews and using the 21 KAs as a basis allows organisations to adapt dynamically. Through this agile approach, they can ensure they are maintaining skills internally and responding to the developing cyber-security landscape.HiringRecruiters, especially in education, often find filling cyber-security positions a challenge because they lack clarity on the requirements of a role.CyBOK can be a useful tool for job agencies and HR teams: it clearly outlines the knowledge expectations for candidates and defines job requirements. For example, a job description can include a list of KAs, stating which knowledge is mandatory, which is desirable and which practical expertise is required.The HE degree(s) and professional certifications that a candidate has can also be mapped and compared to the role expectations using CyBOK. It’s already possible to compare how some of the most popular professional certifications measure up against CyBOK.CyBOK industry championsThe increasing understanding that industry practitioners have a low level of awareness about CyBOK and do not benefit from these free resources prompted the creation of a new role within the CyBOK team: industry champion.These ‘ambassadors’ will be industry experts with detailed knowledge of the requirements of the cyber profession.They will use their knowledge to work with the CyBOK team to develop industry-specific resources, help organisations use them effectively, and leverage their network to spread knowledge of CyBOK within the wider business community. We’re also encouraging them to take every opportunity to speak publicly about CyBOK and how it can help organisations.ConclusionI have been part of CyBOK since 2021, and I’ve personally used it to achieve NCSC certification for two master’s programmes which I lead at Cardiff University – MSc cyber security and MSc cyber security and technology. I believe that it is the most detailed and comprehensive cyber-security curriculum framework available. To find out more about CyBOK, visit the CyBOK website.I’ll be speaking at the Jisc Security Conference in November about the CyBOK project. Find out more about the Jisc Security Conference.