Globally, there is an increase in labour shortage of skilled cyber security personnel. SOCs and CSIRTs are forced to prioritise the services they offer and rethink their workforce development strategies. The complexity of the domain makes it hard to determine the required competencies of personnel based on the services of a SOC or CSIRT. TNO’s Dutch Cyber Cube Method helps SOCs and CSIRTs to determine those exact competencies.

Do you want to know more about The Dutch Cyber Cube Method and how to improve Human Capital for SOCs and CSIRTs?

Get in touch

Identifying the required skills (of SOC and CSIRT personnel)

In a study commissioned by the Dutch National Cyber Security Centre (NCSC) to support SOC and CSIRT organisations in their workforce development, TNO reviewed existing frameworks that facilitate the identification of the required competencies of SOC and CSIRT personnel. This review showed that there is no single framework that provides a complete solution to identify the required competencies based on the services an organisation offers. TNO therefore introduces the Dutch Cyber Cube Method as a practical tool to combine the strengths of some of these frameworks. This method allows for a step-wise analysis to identify the services an organisation offers, the work roles contributing to those services, and the associated tasks and required competencies.

The Dutch Cyber Cube Method

The Dutch Cyber Cube Method was first developed for use by the Dutch Ministry of Defence. It allows the combination of frameworks in a step-by-step approach while ensuring the link between the work that needs to be performed and the competencies required to do so. When applying the Dutch Cyber Cube Method to SOC/CISRT personnel three frameworks are combined: the ENISA service list, the NIST framework and the GMU handbook. The resulting instantiation of the Dutch Cyber Cube Method is summarised below:


Identify the services offered by the SOC/CSIRT using the service list provided as part of ENISA’s ‘Step-by-step approach on how to set up a CSIRT’.

2. Work Roles (Who)

Specify who provides the services by selecting the appropriate working roles from the NICE Cybersecurity Workforce Framework, developed by NIST.

3. Tasks (Why)

Determine the focus of each selected work role by selecting the core tasks based on the NICE Cybersecurity Workforce Framework.

4. Competencies (What)

Select both the technical and the personal/team knowledge, skills and abilities required to perform the main tasks from the NICE Cybersecurity Workforce Framework and the Handbook ‘Improving Social Maturity of Cybersecurity Incident Response Teams’ published by George Mason University. Determine the required proficiency levels for all these competences.

5. Education, Training, and Exercises (How)

Use the competences as a starting point to identify relevant training, education, and exercise options.

We welcome any feedback on the approach we have described and aim to further refine it into a tool that can readily be used by SOC and CSIRTs.

About the study

The (ISC)2 cybersecurity workforce study of 2018 indicates a shortage of close to 3 million cyber security professionals globally. To deal with this increasing shortage many SOCs and CSIRTs are searching for ways to improve their workforce development strategies. Over the years several renowned organisations have developed frameworks regarding the organisation of SOCs and CSIRTs. To support SOC and CSIRT organisations in their workforce development, the Dutch National Cyber Security Centre (NCSC) commissioned TNO to study these existing frameworks and identify how they can be used in practice.

We have reviewed frameworks and guides published by CEN, ENISA, FIRST, George Mason University (GMU), NIST, SEI-CMU, and QIS. However, all these publications have different purposes or scopes and cannot readily be applied to the challenge of identifying personnel competencies based on the services a SOC and CSIRT offers.

Therefore we have developed practical guidelines on how these frameworks can be combined using the Dutch Cyber Cube Method.

Read more


Ir. Allard Kernkamp

  • cyber security
  • resilience
  • risk management
  • operational analysis