Chartered Standards

by Mark Rowe

Cybersecurity professionals will need to jump through new hoops to get ahead, says Jamal Elmellas, Chief Operating Officer for Focus-on-Security.

Certification has always been important in the cybersecurity industry as a way to demonstrate expertise and to meet contractual obligations. But the entire sector is about to become standardised and expertise graded with the introduction of the new Cyber Security Profession Chartered Standards (CSPCS) by the UK Cyber Security Council. So, what are these standards, why do we need them and what will they mean in practice?

For starters, the standards will replace the CCP (Certified Cyber Professional) qualification developed by NCSC in 2018. The CCP has already undergone substantial change: it went from a role-based to a specialism focus, with the previous three levels being replaced by Certified and Associate only two years ago. But, following its handover to the UK Cyber Security Council in April 2022, the scheme will be retired altogether. Professionals will then have their certificate converted to the Chartership Title, while organisations that currently make CCP status a condition of employment will also change this to require the Chartership Title.

It would appear the reason for this is that the CCP is too narrowly focused. It covers only two specialisms: Risk Management and Security Architecture. The CSPCS incorporates and expands upon these to cover 16 career specialisms in total, offering three certification levels in each: Associate and Principal (the “Professional” titles) and the pinnacle achievement of Chartered status.

Plan of execution

So far, the UK Cyber Security Council has only rolled out pilot schemes on three specialisms (Cyber Security Governance and Risk Management, Secure System Architecture and Design, and Security Testing), which are being accredited by the industry bodies (ISC)2, the Chartered Institute of Information Security (CIISec) and CREST, respectively.

Later this month, Cyber Security Audit and Assurance will be added, to be followed by Cyber Security Specialist, Secure Operations, Secure System Development, and Cyber Security Management over the next 12 months. This means that, by Q2 2024, only eight of the specialisms will be in pilot, although the Council aims to have all 16 stood up by 2025.

It’s a timescale that gives some indication of just how ambitious an undertaking this is. But do we really need these standards? After all, there are plenty of well-respected certifications out there, from the entry-level SSCP, GSEC and CompTIA Security+ to mid- and senior-level qualifications such as CRISC, CISM, CISA, CISSP and CASP+. There are also specialist qualifications such as CEH for ethical hacking, CHFI for those in digital forensics and CCSP or CCSK for those working in cloud security. So, it’s not as though the industry doesn’t already assess and grade expertise and recognise specialisation.

Why do we need it?

Where the CSPCS differs is that it appears to be an attempt to standardise the whole industry, across the board. According to the UK Cyber Security Council, which has stated its intention to become “the standard setter for the industry”, the new standards are holistic, responsive and inclusive. The Council says they will not create unnecessary barriers to entry or progression, will generate a pipeline of candidates, and will produce individuals who demonstrate a Gold Standard of expertise, excellence and professional conduct. So, it looks very much like the standard will be a way of encouraging new entrants and ensuring retention in the industry by providing a framework to catalogue skill levels. This will make it far easier for those who engage with cyber security professionals to ascertain suitability, and will create greater transparency.

It’s no coincidence that the CSPCS has been developed at the same time as the UK Cyber Security Council’s Cyber Career Framework. The framework mirrors the 16 specialisms and aims to allow new and existing practitioners to develop their careers by providing details on job titles, responsibilities, remuneration and associated roles. Like the CSPCS, the framework is still in development, with not all the information yet in place, but it does provide some much-needed transparency. Moreover, the Council launched a Career Mapping Tool in February to help new entrants explore where their transferable skillsets could take them and which cyber security discipline would be the best fit.

These endeavours are by no means unique, however. In the US, the National Initiative for Cybersecurity Education (NICE) has provided extensive career mapping for some time, with the framework further revised in 2020. Closer to home, ENISA launched the European Cybersecurity Skills Framework (ECSF) in September, which is already being promoted by ISACA and the ECSO (European Cyber Security Organisation). So, the career framework as a concept is being used worldwide both to standardise and to facilitate a bigger cybersecurity workforce, in a bid to address the widening chasm that is the cybersecurity skills gap (the (ISC)2 2022 Cybersecurity Workforce Study claims there are 3.4 million vacancies worldwide and, given that the global cybersecurity workforce itself totals 4.7 million, that means a deficit of 42 percent).

Issues to iron out

Yet questions remain. Will the CSPCS be internationally recognised or mapped to these other frameworks? The rollout of the specialisms will take at least another 18 months to achieve, and during that time those holding CCP will need to revalidate (a CCP certificate is valid for three years but must be revalidated every 18 months), so will this still happen? And what are the requirements for applicants? We know they will need to undertake an interview to verify their skills and experience, and that applications will be peer reviewed, but little else. Only the Chartered level is likely to follow the CCP application process and require an NCSC-certified degree, CISSP, CISM or CIISec membership, proof of having passed an NCSC internal skills assessment, proof of completing an NCSC professional development framework, or NCSC security architecture certification. If the requirements for the Professional Titles aren’t stringent enough, this could shake confidence in the standard.

Yet despite these caveats, the undertaking by the UK Cyber Security Council marks a serious step change. The Council promises the CSPCS will provide proof of skills, improve credibility, enable career progression and increase earning potential. It has the power to transform the industry by putting in place a uniform structure which will facilitate career progression and bestow upon Chartered individuals the kind of recognition we have hitherto seen only in professions such as accountancy and law. This could well see the sector become much more respected, with top professionals able to command appropriate remuneration. So, for anyone looking to enter the industry or progress their cybersecurity career, it’s a case of watch this space and be prepared to jump through those hoops, because the rewards may well be worth it.

Background: visit https://www.ukcybersecuritycouncil.org.uk/news/news/chartering-the-cyber-security-sector/.
