ISC2 recently hosted a roundtable with the European Union Agency for Cybersecurity (ENISA) on its European Cybersecurity Skills Framework (ECSF). The roundtable included ISC2 members from the European Union (EU) across different Member States and sectors. The event highlighted recent use cases of adopting the ECSF to build skilled, resilient cybersecurity teams. This discussion took place within the context of ISC2’s ongoing efforts to work with EU policymakers to address the current cybersecurity skills shortage.

ISC2 roundtable with the European Union Agency for Cybersecurity (ENISA) on its European Cybersecurity Skills Framework (ECSF)

For organizations across many critical industries — including fintech, manufacturing and agriculture — and the public sector, hiring individuals with the right cybersecurity skills is more crucial than ever. According to ISC2 research, nearly three out of four cybersecurity professionals from the EU indicated that the threat landscape is the worst they’ve seen in the past five years. What’s more, 48% say the biggest challenge the industry faces will be emerging technologies. Regulatory requirements are mounting, too, applying additional competency and compliance pressure on both the cybersecurity workforce and the organizations they work for.

It is against this backdrop that ENISA developed the European Cybersecurity Skills Framework to address cybersecurity workforce and skills shortages. Persistent supply and demand gaps are not just about staffing numbers, however; they are also about ensuring that appropriate skills are in place across the cybersecurity workforce to mitigate security risks. ISC2 research found that almost nine out of ten members and other cybersecurity professionals report skills gaps on their organization’s security teams.

Understanding the ECSF

The roundtable opened with a discussion of how the ECSF provides common terminology to ensure a shared understanding across organizations when hiring or training professionals for cybersecurity roles based on specific skills. The framework defines 12 role profiles, such as Chief Information Security Officer (CISO) and Cybersecurity Architect. The ECSF aims to bridge the divide between what organizations need to build a robust and resilient cybersecurity team and the known lack of the specific skills required to perform critical cybersecurity tasks. So far, 16 EU Member States have adopted the ECSF, either as a national standard, as a guide for cybersecurity training paths or as a taxonomy.

The ECSF is a living, role-based framework, as evidenced by ENISA’s recent review of the framework to ensure its applicability and continued relevance in a world that is adopting and evaluating AI at pace. Fabio Di Franco, cybersecurity expert – Capacity Building Unit at ENISA, explained that while AI introduces new requirements, the ECSF remains a technology-agnostic reference. ENISA’s methodological study shows that the ECSF can apply to AI without fundamental changes to the framework — with AI-related competencies integrated across roles covering legal, security, risk, tools and threat aspects. Organizations may still appoint a coordinator for AI governance, typically a business-level function instead of a cybersecurity-specific role.

ENISA’s AI review reinforces the ECSF’s flexibility and ensures that organizations can continue to rely on the framework as emerging technologies, particularly AI, present new digital and cybersecurity risks. Similarly, as issues such as quantum security and supply chain risk management emerge, the ECSF is being revised to align with regulations and trends, while fundamentally remaining a high-level taxonomy that individual sectors can contextualize.

Three ECSF Use Cases of Building More Resilient Cybersecurity Teams

The roundtable discussion also featured three recent use cases in which the ECSF was applied to build more resilient and robust cybersecurity teams, as follows.

ECSF Use Case #1: Addressing Skills Gaps When Hiring New Cybersecurity Roles

During the first use case discussion, Filip Chyla, Cybershepherd at Xebia, indicated that he has been using the ECSF for more than two years across a variety of sectors. The framework gives Chyla’s consulting firm a standardized approach to identifying roles and required certifications, streamlining collaboration with Human Resources (HR) stakeholders, who may not understand the nuances of the required skills. Chyla uses the ECSF as a practical collaboration tool for HR and the cybersecurity team to create more accurate job descriptions to attract specifically skilled cybersecurity professionals.

Rather than focusing on how tasks are performed, the ECSF emphasizes what needs to be done, allowing Xebia stakeholders to align open roles with business outcomes. Chyla, therefore, uses the ECSF to avoid the “unicorn” hiring trap, when one expects a single person to be able to do everything. Instead, the hiring team uses the ECSF to help define realistic roles, sometimes even splitting roles across multiple individuals and clearly communicating workload expectations to non-cybersecurity stakeholders within the organization.

ECSF Use Case #2: Budgeting and Cybersecurity Provisioning

Dimitris Georgiou, CISSP, CPFE, CPSP, founder and CSO of Athens-based Alphabit Cybersecurity, discovered the ECSF last year and found it invaluable for communicating cybersecurity needs to stakeholders outside the cybersecurity function, especially in the context of budgeting and project delivery.

Since many cybersecurity roles didn’t exist 20–25 years ago, it may be difficult to explain their importance to decision-makers across a project, many of whom may not be cybersecurity professionals. Fortunately, the ECSF provided Georgiou and his team a common language to describe competencies and justify the roles needed to deliver full-service cybersecurity projects. Even if some of the ECSF role titles differ from industry norms (e.g., “implementer”), the framework provides a complete picture of what’s required to meet the full scope of a client’s project.

In sectors such as agriculture, where drones and AI-driven systems are rapidly transforming operations, the ECSF proved highly adaptable and valuable to Alphabit Cybersecurity. Georgiou used it to help define how to secure the systems that feed data to autonomous tools, reinforcing the idea that cybersecurity must evolve alongside technological advancements.

ECSF Use Case #3: Training and Existing Workforce Development

Michael Adekanye, CISSP, CCSP, CGRC, CISM, PMP, ITIL, a cybersecurity and risk management leader with Miba Group in Austria, emphasized the ECSF’s value in training and professional development. His organization has incorporated the framework into its annual training plans, using it to identify the skills needed for each role and to align certification pathways accordingly.

Despite the need for the ECSF to continually evolve to reflect emerging technologies, according to Adekanye, the framework has been a step forward for the organization, helping to guide training decisions and prepare Miba Group’s workforce for both current and future cybersecurity demands. As a cybersecurity leader, Adekanye also relied on ISC2’s framework mapping efforts to provide a standardized approach to role-based training.

Mapping ISC2 Certifications to the ECSF and Beyond

At ISC2, we’ve taken a methodical, top-down approach to mapping certifications to the ECSF and other frameworks around the globe, including the Skills Framework for the Information Age (SFIA) Version 9 and a renewed Cyber Workforce Framework released by the U.S. Department of Defense (DoD), DoD Manual 8140.03.

As ISC2 Standards Development Manager Damon Drake explained during the roundtable, cybersecurity professionals can use ISC2’s framework mappings to determine how specific ISC2 certifications such as the Certified Information Systems Security Professional (CISSP), Certified Cloud Security Professional (CCSP) and Certified in Governance, Risk and Compliance (CGRC) align with the tasks and competencies required for each role.

This process begins at the organizational level, where objectives — whether financial, regulatory, or operational — are translated into tasks. These tasks require individuals with the right knowledge, skills and abilities (KSAs), acquired through professional education, training, certifications and experience.

Mapping ISC2 certifications to the ECSF provides clarity for:

  • Educational Institutions: Ensuring curricula align with real-world roles
  • Cybersecurity Professionals: Identifying pathways to advance from entry-level and practitioner roles such as penetration tester to leadership positions such as CISO
  • Organizations and Governments: Demonstrating alignment between cybersecurity workforce capabilities and strategic goals

ISC2 mapping efforts span global frameworks and regulatory requirements. For example, while the NIS2 Directive outlines what organizations must do, the ECSF translates those legal cybersecurity requirements into actionable workforce responsibilities. ISC2’s fine-tuned mapping helps organizations determine whether certified individuals are genuinely fit for specific roles. At the same time, cybersecurity professionals can plan their career paths based on skill requirements, pursuing certifications to validate their skills and knowledge.

The ECSF: A Strategic Enabler for Forward-thinking Organizations

As the roundtable discussion emphasized, the ECSF is more than a framework. It is a strategic enabler. Whether used for hiring, budgeting, training or innovation planning, the ECSF enables organizations to better align cybersecurity roles with business goals, regulatory requirements and emerging risks such as AI.

ISC2’s mapping efforts ensure that certifications remain relevant and actionable, supporting cybersecurity professionals and organizations alike. As the cybersecurity landscape continues to evolve, frameworks like the ECSF will become even more critical in shaping a resilient, skilled, appropriately sized and adaptable workforce.
