UK Plans to Create a Register of Cyber Security Professionals
The council was launched in March 2021 with aims that include promoting recruitment and professional development in its field. These match up with the published goals of the consultation. This in turn implies more high-calibre jobs becoming available and a boost to the UK economy.
The planned infrastructure is based on that of professional bodies such as those in law, engineering and medicine. There will be a professional body setting standards of knowledge and keeping a register of those who have met them. Consider a ‘chartered cyber professional’ like a ‘chartered accountant’ or ‘chartered surveyor’. For some government work, chartered status would be required. In other fields it would be assumed that the chartered professional will be more able than a non-qualified equivalent. The consultation document proposes that existing practitioners be allowed until 2025 to produce evidence that they possess appropriate knowledge and to achieve certification.
It is recommended that, rather than create a new set of qualifications, existing standards be brought into line with certification. Certified Cyber Professional and Cyber Essentials are suggested as suitable guidelines. Cyber Essentials and Cyber Essentials Plus are audits of equipment and procedures, not professional standards. It is probable that the standards required to become an assessor for Cyber Essentials are what is being referred to. Certified Cyber Professional is an industry-recognised (rather than academic) set of standards.
The Certified Cyber Professional (CCP) path is not one that can be achieved from scratch in the short time span suggested by the UK government. There are 3 steps:
- An NCSC-certified degree (there are only a handful of these, mostly MSc) or membership of named existing bodies, with their related hoops and hurdles to overcome. Certified Information Security Professional (CISSP), for example, requires 5 years of work experience and an exam.
- A case study
- An on-line interview
There are several bodies permitted to award CCP. The British Computer Society (BCS) for example charges £2550 + VAT and certification lasts for 3 years.
While standards such as these can be achieved, they are aimed at professionals already in place and generally provide proof of skills that they already possess. Achieving certification requires experience and an industry willing to devote the time and money required to its employees’ professional development. This is clearly the realm of government and big business. It is a pathway involving significant investment and risk for a small business or self-employed consultant. The goalposts for certification are achievable but may not bring in enough future income to justify their expense.
In the introduction (section 4) to the UK proposal, a skills shortage is discussed, together with aims to encourage more young people into a cyber security career. The actual proposals presented will improve opportunities at the very top of the career ladder and ensure that high-paying organisations can contract reliable staff. This could mean more income for the already well-paid top-end professionals but will not necessarily create more of those jobs, or better pay and opportunities at entry- and middle-level positions.