- Cybersecurity
- English
- Rūta Jašinskiene
- Intermediate
- Bank transfer
Description
The CSIRT/SOC Establishment and Modernisation course is a training program designed to help organisations establish an effective CSIRT/SOC team. The course provides detailed guidance on the CSIRT/SOC team mandate and covers all the key elements required for its successful establishment.
Our experienced instructors bring a wealth of knowledge and expertise to the course, drawing upon real-world cases to share the critical lessons learned. Through a combination of theory and practical exercises, participants will gain a clear and actionable understanding of how to build, modernize and manage a robust cybersecurity team.
The course is comprehensive and methodical, covering all essential aspects of setting up a CSIRT/SOC team. Practical tips and tasks are provided to help participants plan their day-to-day activities, identify the services to provide to constituents, set KPIs, and choose the right tools to achieve their goals.
This training course is intended for non-technical professionals who are responsible for establishing, managing, modernising, and expanding cybersecurity teams (such as CSIRT/SOC/CIRT/CERT/PSIRT/ISAC) in both government and private sectors. These leaders must have a strong understanding of the unit's objectives, requirements, duties, and effective performance and be able to apply this knowledge in practice.
Upon completion of this course, participants will be able to:
- Lead security team establishment activities
- Clearly define the position, role and responsibilities of a cybersecurity team within an organisation or the state
- Elaborate and measure the services provided by a cybersecurity team
- Demonstrate an understanding of the technologies used by a cybersecurity team
- Set up the requirements and timelines for establishing a cybersecurity team
This training course is designed to provide practical, real-world insights into cybersecurity team establishment and modernization. Participants will have the opportunity to learn from illustrative case studies and analysis, delivered through a range of teaching methods, including lectures, roundtable discussions, and group play activities.
All necessary course materials, slide sets and additional resources will be provided through the ITU Academy platform.
To ensure maximum engagement and retention, the 4MAT teaching methodology will be utilized in all sessions. This involves interactive discussions on a topic, practical exercises, discussions to identify learning points, and individual note-taking to reflect on relevant habits that can be changed moving forward. At the end of each day, individual notes will be reviewed to reinforce the key takeaways.
Finally, participants will be evaluated through a final test conducted on the ITU Academy platform at the end of the course. This approach ensures that participants leave the course with a comprehensive understanding of the material and are able to apply their newfound knowledge in practice.
Besides the final test score (80% of the total), participants will be evaluated according to their active participation in roundtables, exercise sessions and other course activities (20% of the total).
A total score higher than 70% is required to obtain the ITU certificate.
Module 1: Cybersecurity Monitoring & Incident Response Teams
An overview of the different types of cybersecurity teams: similarities and differences. Essential elements for national incident handling capabilities. Use cases for centralized and decentralized models. Different CSIRT/SOC stacks.
Module 2: Process of Building the CSIRT or SOC Team
Detailed explanation of which stages and elements are mandatory and what must be done during each stage. Drawing a typical implementation roadmap. Initial idea and purpose.
Module 3: CSIRT Mandate
What a mandate is and what it contains: the authority given to a CSIRT to serve and act in its constituency; the responsibilities for which a CSIRT will be held accountable; requirements, objectives and tasks.
Module 4: CSIRT Services
Best international practice for cybersecurity team service models. Typical service sets. Which services to introduce in addition to incident management, and how? Free or charged services.
Module 5: Incident Management
Incident management workflows and the variations that CSIRTs use as alternatives. Classification of incidents.
Module 6: Automation of CSIRTs and SOCs
Scrutiny of the principal architecture of a CSIRT stack and its integrations; a managerial (not technical) look at technologies, automation vs. manual work, and technology trends. RTIR, MISP etc.
Module 7: Applied Threat Intelligence
Introduction to and discussion about Cyber Threat Intelligence.
Module 8: Reporting
Simplified “6W” method: What (objectives and content), When (how often), How (attractiveness of the report) and To whom (the audience).
Module 9: Maturity Models of CSIRTs
Presentation of the best international models for measuring the maturity of a cybersecurity team: the SIM3 model and the SOC-CMM model. Various components of cybersecurity team maturity assessment, advice on how to use them and how they help in an operational environment.
Use cases: Adjusting own growth to a reference model; Diagnosis and planning for improvement; Certification.
Module 10: Upskilling of People and Partnering
What skills are needed. How to close the gap between your team's current competence level and the desired level. Training plan. Overview of training courses currently available on the market.
Guidance on partnerships. Best practices overview: service models and implementation guidelines.