As an industry with critical IT infrastructures (KRITIS), companies in the transport and traffic sector rely every day on all the IT systems and tools they use to function flawlessly. Certifications are a valuable tool for ensuring this. They serve as a neutral instrument of quality assurance - after all, an independent body confirms that the trained persons handle the programmes safely and efficiently. This creates a win-win situation: employees continue to develop professionally and the customer receives the best possible support.
First of all, it should be clarified what the term critical infrastructure is all about. Therefore, the definition of the BSI for the term will be shown below:
"Critical infrastructures (KRITIS) are organisations and facilities that are important for the state community, the failure or impairment of which would result in lasting supply bottlenecks, significant disruptions to public safety or other dramatic consequences."Source: BSI (German Federal Office for Information Security)
In this context, critical infrastructure therefore means KRITIS. The transport and traffic sector also counts as critical infrastructure and is therefore subject to the Critical Infrastructure Act (BSIG). However, this only applies if a company in this sector reaches certain threshold values for annual shipments, which can be found in Annex 7 of the Critical Infrastructure Act. To provide a rough overview, the threshold values for logistics companies are shown below.
Facility or system for the operation of a logistics centre/facility or IT system for logistics control or management (various sectors):
Further training and certification of employees in the logistics industry is essential when it comes to maintaining critical infrastructures - through targeted training and certification, you can ensure that your employees are not only technologically competent, but also security-conscious.
As mentioned later in this article, the certification of your employees not only harbours great cost-saving potential, but also helps you to ensure business continuity. Developments in the field of cyber security in recent years have shown that investing in security-related measures is of great importance for business continuity. Below we will give you an overview of what certifications are and what you need to consider when certifying your employees.
In the broadest sense, certifications are a certificate of a certain level of knowledge. There is always a special form of quality assurance behind it. This ensures that a product or service fulfils certain standards or norms.
CISSP, CISA, AWS and co. – all of these abbreviations stand for certifications that are particularly important in the IT sector. For example, CISA stands for “Certified Information Systems Auditor”, a globally recognised certificate that distinguishes IT specialists as experts in IT auditing, security and control.
There are also valuable certifications in other areas that are not directly related to technical products, but rather take place at an organisational level. The PMI certificate, for example, provides knowledge in the area of project management.
As already mentioned above, a general distinction is made between manufacturer certifications and manufacturer-neutral certifications. The name already indicates roughly what the distinction is: Is it about products from a specific manufacturer, for example Microsoft software, or the AWS cloud (Amazon Web Services), or is it about a more global topic such as project management, which is not dependent on products from one manufacturer?
A distinction is made not only according to the type of certification, but also according to the level. There are the beginner level (Associate) and the further levels Professional and Expert. Some manufacturers deviate from this structure and only differentiate between one or two levels of knowledge for their products, while some vendor-neutral topics can also be divided into five or six levels.
A distinction is also made between the contact persons for whom training is intended: for example, different training content is provided for technicians, who need to understand all the details in depth, than for sales staff, who need a more general understanding of the product.
Regardless of whether it is an Associate certification or an Expert level: Certifications are generally becoming increasingly complex and demanding. On the plus side, this also makes them much more valuable. Nevertheless, there are of course differences between the various levels in terms of the effort involved and the process.
Your own work experience is sometimes enough to pass the exam in beginner training courses. This is not the case for the higher levels: candidates are usually prepared in detail for the exam content in a training course for one to two weeks before the learning period begins. To ensure that there is enough time to internalise the material, the exam often takes place a few weeks after the training – in the case of the large enterprise training courses, there are sometimes even nine to twelve months between the training and the exam.
At beginner levels, the test is sometimes held remotely, but is usually taken at a test centre. It varies whether the manufacturers rent a neutral test centre for this purpose, where the test takes place under controlled conditions, or conduct the test in-house.
How a company organises this “training budget” with its employees often varies. However, as both sides always benefit when team members are certified as comprehensively as possible, the best possible solution is always sought – for example, employees can receive a certain quota of “learning hours”.
Updates are the order of the day in software. Some are bigger, some smaller, but one thing is certain: the programmes are constantly being developed further. The logical consequence of this? Employees also have to familiarise themselves with the updates time and again. Your firewall is constantly exposed to new threats, which is why it is important that your employees continue to educate themselves in the field of IT security. This will ensure that your critical infrastructure remains protected. To ensure that this happens regularly, the certificates are therefore usually only valid for a certain period of time. A validity period of two years is usual. If a product develops particularly quickly, this period may be reduced to one year or less.
If the old certificate has expired, there are two options: In around 50 % of cases, it is sufficient to complete recertification. This is usually a short training course in which the most important new features are presented, at the end of which the necessary signature is obtained. However, if a lot has changed in the product, a completely new training course may be required, including an examination.
Sales certificates are the exception here: They usually only need to be purchased once and are then valid forever. The background to this is that it is assumed that the sales staff have a vested interest in keeping themselves informed in order to be able to market the products well.
As an IT service provider, you must ensure that the necessary competences are available in the company to be able to implement the software for customers. For example, some manufacturers only grant partner status to an IT provider if they can prove that the team members have the necessary qualifications to correctly implement and maintain the product for the end customer. The easiest way to ensure this: Certifications.
The company can usually decide for itself how many people should have the same certification – in any case, it always makes sense not to equip just one person with the necessary knowledge, but to build up certain redundancies. It can also make sense for employees to go through different stages of the certification process and, for example, for three people to be Associates, but only one to be the absolute "specialist" and have the Expert level.
Certifications are not only useful for a company and its customers, who know that the team members are very familiar with the products. Certifications are a real benefit, especially for the employees themselves, because they are a valuable addition to their CV and represent a great opportunity for further training and networking.
It can also be financially worthwhile for a company to enable its employees to obtain certifications. If they have cyber insurance, for example, the insurance policy is often cheaper if certified employees work for the company. That makes perfect sense – the insurance company can then assume a qualified network, which makes cyber incidents less likely. This ensures that everyone involved in IT is highly trained and fulfils certain quality standards. It is worth proactively enquiring with insurers whether such a reduction in the insurance policy is possible.
Incidentally, companies and potential employers should not blindly trust the statement "Employee XY is a certified project manager": Each certification is linked to a specific code and the person’s name. The company at which a person is currently working must also be stated there – this ensures that an employee does not use their certification at five different companies at the same time. These codes expire when it is time for recertification. Even if the person’s actions do not comply with the guidelines, for example if someone is suspected of hacking, the code can be deactivated and the certification recalled. In this way, everyone involved can be sure that the certification is sound and actually serves the purpose of quality assurance.
Certifications therefore offer many advantages for customers, employees and companies: in a way, they are a win-win-win tool. Even if a company has to develop part of its team in a certain direction for a tender, it pays to be as versatile as possible when it comes to certifications. They are becoming increasingly important as a neutral instrument for quality assurance. Certifications are also usually necessary in order to be awarded partner status by certain manufacturers. It is important to keep an eye on the balance within the team: It is not advisable to build up “knowledge monopolies”, as a change of personnel can then quickly cause problems.
These continuous training programmes are also beneficial for the team dynamics: the exchange with external parties provides valuable contacts who can provide support in the event of a problem in the future. If the certified colleague then passes on the new knowledge internally, this also strengthens team cohesion and ensures even greater expertise. You also protect your critical infrastructure if your IT security is always up to date. A good thing!
Add a comment