Trust is good, certificates are better - Protecting CRITIS (Critical infrastructure) and utilising cost potentials

Sebastian Kremer

Companies in the transport and traffic sector, an industry with critical IT infrastructures (KRITIS), rely every day on all the IT systems and tools they use functioning flawlessly. Certifications are a valuable tool for ensuring this. They serve as a neutral instrument of quality assurance - after all, an independent body confirms that the trained persons handle the programmes safely and efficiently. This creates a win-win situation: employees continue to develop professionally and the customer receives the best possible support.


What is critical infrastructure?

The BSI defines the term critical infrastructures (or CRITIS) as facilities, systems or parts thereof that are essential for the functioning of society. The transport and traffic sector also counts as critical infrastructure and is therefore subject to the Critical Infrastructure Act (BSIG). However, this only applies if a company in this sector reaches certain threshold values for annual shipments, which can be found in Annex 7 of the Critical Infrastructure Act. To provide a rough overview, the threshold values for logistics companies are shown below.

Facility or system for operating a logistics centre/facility or IT system for logistics control or management (various sectors):

  • Transport volume: 17,550,000 tonnes/year
  • Number of consignments: 53,200,000 consignments/year

How does the certification of employees relate to the maintenance of your critical infrastructure?

Further training and certification of employees in the logistics industry is essential when it comes to maintaining critical infrastructures - through targeted training and certification, you can ensure that your employees are not only technologically competent, but also security-conscious.

As discussed later in this article, the certification of your employees not only harbours great cost-saving potential, but also helps you to ensure business continuity. Developments in the field of cyber security in recent years have shown that investing in security-related measures is of great importance for business continuity. Below we will give you an overview of what certifications are and what you need to consider when certifying your employees.


What are certifications?

In the broadest sense, a certification is proof of a certain level of knowledge. There is always a special form of quality assurance behind it. This ensures that a product or service fulfils certain standards or norms.

CISSP, CISA, AWS and co. – all of these abbreviations stand for certifications that are particularly important in the IT sector. For example, CISA stands for “Certified Information Systems Auditor”, a globally recognised certificate that distinguishes IT specialists as experts in IT auditing, security and control.

There are also valuable certifications in other areas that are not directly related to technical products, but rather take place at an organisational level. The PMI certificate, for example, provides knowledge in the area of project management.


What types of certification are there?

A general distinction is made between manufacturer certifications and manufacturer-neutral certifications. The names already indicate roughly what the distinction is: Is it about products from a specific manufacturer, for example Microsoft software or the AWS cloud (Amazon Web Services), or is it about a more global topic such as project management, which is not dependent on products from one manufacturer?

A distinction is made not only according to the type of certification, but also according to the level. There are the beginner level (Associate) and the further levels Professional and Expert. Some manufacturers deviate from this structure and only differentiate between one or two levels of knowledge for their products, while some vendor-neutral topics can also be divided into five or six levels.

A distinction is also made according to the target group for whom the training is intended: for example, different training content is provided for technicians, who need to understand all the details in depth, than for sales staff, who need a more general understanding of the product.


What is the certification process like?

Regardless of whether it is an Associate certification or an Expert level: Certifications are generally becoming increasingly complex and demanding. On the plus side, this also makes them much more valuable. Nevertheless, there are of course differences between the various levels in terms of the effort involved and the process.

Your own work experience is sometimes enough to pass the exam in beginner training courses. This is not the case for the higher levels: candidates are usually prepared in detail for the exam content in a training course for one to two weeks before the learning period begins. To ensure that there is enough time to internalise the material, the exam often takes place a few weeks after the training – in the case of the large enterprise training courses, there are sometimes even nine to twelve months between the training and the exam.

At beginner levels, the test is sometimes held remotely, but is usually taken at a test centre. It varies whether the manufacturers rent a neutral test centre for this purpose, where the test takes place under controlled conditions, or conduct the test in-house.

How a company organises this “training budget” with its employees often varies. However, as both sides always benefit when team members are certified as comprehensively as possible, the best possible solution is always sought – for example, employees can receive a certain quota of “learning hours”.


How often do you have to renew a certification?

Updates are the order of the day in software. Some are bigger, some smaller, but one thing is certain: the programmes are constantly being developed further. The logical consequence of this? Employees also have to familiarise themselves with the updates time and again. Your firewall is constantly exposed to new threats, which is why it is important that your employees continue to educate themselves in the field of IT security. This will ensure that your critical infrastructure remains protected. To ensure that this happens regularly, the certificates are usually only valid for a certain period of time. A validity period of two years is usual. If a product develops particularly quickly, this period may be reduced to one year or less.

If the old certificate has expired, there are two options: In around 50 % of cases, it is sufficient to complete recertification. This is usually a short training course in which the most important new features are presented, at the end of which the necessary signature is obtained. However, if a lot has changed in the product, a completely new training course may be required, including an examination.

Sales certificates are the exception here: They usually only need to be purchased once and are then valid forever. The background to this is that it is assumed that the sales staff have a vested interest in keeping themselves informed in order to be able to market the products well.

Who in the team should be certified?

As an IT service provider, you must ensure that the necessary competences are available in the company to be able to implement the software for customers. For example, some manufacturers only grant partner status to an IT provider if they can prove that the team members have the necessary qualifications to correctly implement and maintain the product for the end customer. The easiest way to ensure this: Certifications.

The company can usually decide for itself how many people should have the same certification – in any case, it always makes sense not to equip just one person with the necessary knowledge, but to build up certain redundancies. It can also make sense for employees to go through different stages of the certification process and, for example, for three people to be Associates, but only one to be the absolute "specialist" and have the Expert level.

Certifications are not only useful for a company and its customers, who know that the team members are very familiar with the products. Certifications are a real benefit, especially for the employees themselves, because they are a valuable addition to their CV and represent a great opportunity for further training and networking.

Why can certifications also be useful for customers?

It can also be financially worthwhile for a company to enable its employees to obtain certifications. If they have cyber insurance, for example, the insurance policy is often cheaper if certified employees work for the company. That makes perfect sense – the insurance company can then assume a qualified network, which makes cyber incidents less likely. This ensures that everyone involved in IT is highly trained and fulfils certain quality standards. It is worth proactively enquiring with insurers whether such a reduction in the insurance policy is possible.

Incidentally, companies and potential employers should not blindly trust the statement "Employee XY is a certified project manager": Each certification is linked to a specific code and the person’s name. The company at which a person is currently working must also be stated there – this ensures that an employee does not use their certification at five different companies at the same time. These codes expire when it is time for recertification. The code can also be deactivated and the certification recalled if the person’s actions do not comply with the guidelines, for example if someone is suspected of hacking. In this way, everyone involved can be sure that the certification is sound and actually serves the purpose of quality assurance.

Checklist: These are some of the advantages of certifications

  • Quality management: Quality standards can be reliably verified and checked with the help of certifications.
  • Learning new things and increasing adaptability: With every new training course, an employee acquires knowledge that makes them more innovative in their day-to-day work.
  • Competitive advantage: Those with more qualified employees also win more customer projects.
  • A win-win situation: The company benefits from the employee’s knowledge, while for the employee it is a valuable addition to their CV and helps them to develop professionally.
  • Sensible investment: If a company can prove that its employees are certified, the insurance policy is often cheaper.
  • Maintaining business continuity: By investing in the certification of your employees in the area of IT security, you protect your critical infrastructure from attacks.

Conclusion

Win-win-win: Certification pays off for everyone involved.

Certifications therefore offer many advantages for customers, employees and companies: in a way, they are a win-win-win tool. Even if a company has to develop part of its team in a certain direction for a tender, it pays to be as versatile as possible when it comes to certifications. They are becoming increasingly important as a neutral instrument for quality assurance. Certifications are also usually necessary in order to be awarded partner status by certain manufacturers. It is important to keep an eye on the balance within the team: It is not advisable to build up “knowledge monopolies”, as a change of personnel can then quickly cause problems.

These continuous training programmes are also beneficial for the team dynamics: the exchange with external parties provides valuable contacts who can provide support in the event of a problem in the future. If the certified colleague then passes on the new knowledge internally, this also strengthens team cohesion and ensures even greater expertise. You also protect your critical infrastructure if your IT security is always up to date. A good thing!


Sebastian Kremer
Business Developer | Senior Consultant

As an administrator and senior consultant, he has made it his passion for 20 years to identify the IT problems of our customers and partners, to derive necessary measures and to provide custom-fit solutions. The authorised signatory (Prokurist) loves new technologies, has internalised the entire software-defined stack and goes all out when it comes to virtualisation techniques and storage technologies.

