French cybersecurity training: state of play

The vast majority of training schemes takes place in engineering or computer science schools. The few institutions exclusively dedicated to cybersecurity training—Cyberschool, European School of Cybersecurity, the future Guardia schools, or Campus Cyber—are extremely recent.

Among the variety of offers available, ANSSI’s SecNumEdu label can be taken as a a model. It is based on a set of specifications that list the skills deemed necessary for the digital protection of companies or public agencies.

Since 2017—the year when the label was created—the number of recognised initial training schemes has risen from 26 to 66 as of January 2022. Among these are professional bachelor’s degrees, master’s degrees, engineering degrees and specialised master’s degrees.

The content of tuition

To receive the label, a cybersecurity training scheme must include at least 400 hours of theoretical courses and practical work on cybersecurity disciplines that are listed in the table below:

Management: Knowledge of governance, norms, and standards in the field of security; Cybersecurity policy and ISM; Taking security into account in projects; Security of specific and emerging systems.

Hacking: Cyber defence; Post-mortem analysis (Forensic); Intrusion testing.

Security: Security of electronics and hardware architectures; Security of operating systems; Protocols and network security; Security of databases; Security of outsourced services; Physical security.

IS: Fundamentals of information systems; Product evaluations and certifications; Software development and engineering (from a security perspective); Reverse engineering; Contribution of architectures to security.

Other: Cryptology; Steganography and tattooing; Law and regulation; Social and societal aspects; Economic aspects of security.

The training scheme will be predominantly « technical » or « organisational » depending on the type of activities mostly performed.

– Students from a technical background will work on network, software, or operating system configuration or will further develop their skills in disciplines such as forensic investigation or cryptology. Most schemes (63 out of 66) are in this situation.

– Organisational training schemes focus on risk assessment, the definition of digital security measures, and the auditing of existing systems. Three schemes have this speciality.

– Finally, a scheme may be specialised if it devotes at least half of its training time (courses and practical work) to one of the themes of cybersecurity. Twenty-five courses have a specialisation, and the majority of them deal with network security.

To ensure the professionalisation of diploma holders, certain training schemes have the status of a professional certification. This recognises the mastery of skills acquired through the diploma. A professional certification is the proof of the mastery of skills presented in a precise manner in the form of blocks of skills, i.e. of concrete activities to be reapplied in a professional situation. A directory of these certifications is available from the France Compétences body established during the French vocational training reform of 2018.

The list of training schemes registered in this directory can be obtained by entering the code of the training speciality nomenclature corresponding to computer security or the code from the ‘Répertoire Opérationnel des Métiers’ (Operational Directory of Professions and Jobs) published by Pôle Emploi and from the Jobs Register corresponding to information systems and telecommunications professions. Depending on the code entered, the list counts 81 or 101 registered professional titles or diplomas.

Continuing education in cybersecurity

Continuing education for existing workers is also important in cybersecurity. 47% of the people working in the field of cybersecurity have neither a degree nor professional certification in cybersecurity. They were working in information system management or security functions and had to discover this new profession.

To help them, new players such as Le Wagon, Simplon, or Open Class Room have specialised in IT training courses. Partnerships have been set up between these establishments and large groups to train their employees.

Cybersecurity is one of the disciplines studied under these partnerships. In September 2019, the Simplon IT school welcomed eight employees from La Poste for a work-study programme that lasted 10 months and enabled them to obtain the professional title of « Networks and Senior Technician. » And before that, the two establishments had already joined forces to train some fifty web developers. Continuing education courses can also be awarded the SecNumEdu label.

Limitations of current cybersecurity training

The first limitation in terms of training is the difficulty of associating a cybersecurity profession with a list of diplomas. Although ANSSI and Syntec (via OPIIEC, its foresight agency) have defined and classified these professions into categories, the equivalence with the diplomas recognised by the State is only done at the level of the professional field. Consequently, it is not yet possible to know the complete list of diplomas for becoming a cybersecurity analyst or a CISO.

The training offer therefore lacks readability. Obtaining the SecNumEdu label and registering a certification in the French RNCP (Répertoire national des certifications professionnelles) are not mandatory. Thus, these lists of diplomas do not provide an exhaustive overview of the cybersecurity training schemes available in France. The last attempt made by OPIIEC dates back to 2017 and had listed approximately 150 offers.

This problem also concerns continuing education. The nomenclature of training specialities (NSF, for ‘Nomenclature de spécialité de formation’)—which is used to define the offer of organisations present on the market—does not recognise cybersecurity. Those that do address this subject are included in the « IT » category (NSF. 326), which counts over 7,000 organisations.

Another limitation of the existing training offer is the speed with which the knowledge to be mastered evolves. Traditional learning methods are therefore not used by professionals in the sector to update their skills. In a study by ANSSI, 86% of them would like to complete their training, but 84% prefer to do so by monitoring social networks, and 79% by self-training.

The cybersecurity sector must therefore take up two challenges: to structure itself in order to train as many professionals as possible, and to maintain a culture of exchange and transversality in order to allow the collaboration of specialists from very diverse disciplines.