The UK Cyber Security Council – the self-regulatory body for the UK’s cybersecurity profession – has announced the launch of a pilot scheme for introducing a new chartered professional standard for the sector.
The scheme would give UK cyber practitioners the opportunity to become chartered professionals for the first time, bringing cyber in line with other established professions such as accounting, engineering, and law. The pilot is being launched in the specialisms of Cyber Security and Governance and Risk Management and Secure System Architecture and Design, with industry bodies (ISC)² and the Chartered Institute of Information Security (CIISec) confirmed as initial partners.
A number of security professionals say a chartered standard for cybersecurity would benefit the UK’s industry whilst the latest (ISC)2 Cybersecurity Workforce Study reveals that the global cybersecurity workforce shortage has reached 3.4 million.
Chartered standard aims to bring cybersecurity in line with other industries
The aim of the pilot is to test the introduction of a universally recognised professional standard for three professional titles: Associate, Principal, and Chartered, the Council stated. “By doing so, the Council aims to create a clearer career route map for those looking to enter the cybersecurity industry, as well as professionals already working in the sector.” It also aims to address the fact that several cybersecurity qualifications, certifications, and degrees currently exist without any uniform equivalency or defined pathway linking them, the council added.
At this initial stage, (ISC)² and CIISec will be responsible for assessing applications from their membership base against the new standard, which seeks to present those working in the profession with an independent seal of approval and recognition of their competence.
Professor Simon Hepburn, CEO of the UK Cyber Security Council, said the council is committed to working with stakeholders from across the industry, with the aim of creating a world-class cyber sector in the UK. Key to achieving this is the establishment of a framework and aligned professional standard across the industry’s disciplines, he added. “We will also need a better understanding of skillsets and experience and a way of demonstrating an adherence to industry best-practice and ethical standards.” The pilot programme will be a significant step in the right direction, Hepburn said, and will be crucial to the council’s objectives of crafting a new framework for a clear and robust professional standard in the sector.
Chartered standard could be “very powerful” but must stay relevant
Cybersecurity professionals agreed that a chartered standard for cybersecurity would benefit UK companies and the wider sector, as long as it is relevant and kept up to date. “This scheme is set to bring cybersecurity in line with other already very established professions, which is exactly what is needed for not only the industry but for all companies and organisations in the country,” Jake Moore, Global Cyber Security Advisor at ESET, told CSO.
“Many companies of all different sizes are often left in a quandary of what is expected of them or what the right level is in terms of protection and mitigating risk and therefore look to the government for support.” Designing a standard helps those who need support and could path out a direction for those unable to do it alone, he added. “If this is done well, it could be the start of something very powerful, but the only downside could be the potential that it won’t be kept fully up to date as time goes on. Many schemes have been created in the past, yet they have fallen by the wayside and ultimately businesses lose faith in them and have lower confidence in their replacement schemes.”
Paul Watts, Distinguished Analyst at the Information Security Forum (ISF), welcomed the Council’s ambitions to create more clarity around career pathways into and across the UK’s cybersecurity landscape. “Harmonisation is long overdue; clear abstraction of the skills, experience, qualifications, and knowledge required for each specialism will provide much-needed clarity for practitioners to plan their future careers in a structured way and will allow learning and development entities to ensure they are aligned to a common competency framework, providing the best possible outcomes for their students and setting them up for future success,” Watts told CSO. He was particularly pleased to see that Cyber Security Governance and Risk Management and Secure System Architecture and Design are the two specialisms initially selected in the pilot, both of which he says suffer from a sprawl of differing methodologies and learning pathways.
Establishing UK as a global centre of cybersecurity excellence
This would set the stage for the UK to become a well-respected, trailblazing community of practice that protects our national interests as well as those of the global economy, Watts added. “The UK has, for some years, declared an ambition to establish itself as a global centre of excellence for the cybersecurity industry. Establishing a community of chartered cybersecurity professionals across the UK who align to standards and competencies supports this agenda and is a pivotal part of the strategy.”
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said he found it encouraging to see increasing professionalisation of the cybersecurity field: “Having a chartered status should make the profession more accessible through better defined career paths.”
However, he added that it is important to bear in mind the broad nature of cybersecurity, which covers many fields and many skillsets. “Some areas are easier to learn and measure, whereas other aspects are not – simply having a certification or professional qualification alone is not enough to fill cyber gaps. Many times, organisations are looking for experienced professionals. Beyond that, organisations should do more to have apprenticeships and other entry level routes into the industry where those who haven’t got a formal education or qualification can enter the industry.”
In an age when cybersecurity is critically important across the globe and will only become more so, it’s a great initiative from the UK Cyber Security Council, said Neil Thacker, CISO EMEA at Netskope. “Not all sectors and/or domains require chartered status. However, many employers will be looking at existing qualifications and which qualification is suitable for the role. A chartered cybersecurity professional within a specific specialism will be more suited for a specific role, rather than trying to piece together existing qualifications and experience. It’s a good foundation for the professional to also base their hiring and career path progression on.” The standard has the potential to deliver more opportunities for cybersecurity professionals to move amongst the many specialisms of the profession and should support the UK cybersecurity industry to develop a clearer strategy on bringing new people into the sector, he added. “I hope the pilot is successful and more domains are included in future iterations.”
Could standard have limited global value?
Whilst most UK security professionals spoke generally positively about the proposed standard, cybersecurity author and advisor Raef Meeuwisse raised questions over its value from a global perspective. “A national standard in a fast-moving, shortage global market is not something I would sign up for because such standards have extremely limited value to international organisations,” he told CSO. “It is also difficult to see how it could be a hiring criteria, as it would automatically put off international and non-chartered candidates from applying – but then I think there are too many standards right now.”