So, let me say right up front: the NCSC has not turned its back on CCP. Quite the opposite in fact. In his recent blog about the launch of the government’s consultation paper on Developing the Cyber Security Profession in the UK, Chris Ensor emphasised that we "are committed to supporting and developing the CCP scheme".
There are lots of people in the UK working in “cyber security”. But from a consumer perspective, it's difficult to identify the good from the 'not so good', particularly when you’re not an expert yourself. We believe CCP can fill this knowledge gap, and have been working behind the scenes on a plan to address the known shortcomings of the scheme, ensuring that it remains fit for purpose and valued by the cyber security community.
So, what have we been doing?
We know from our own observations, and the feedback that we get from the cyber security community, that the scheme isn’t perfect. That’s hardly surprising given that it's over 5 years old now, but this doesn't mean that CCP isn’t needed.
So, we've been listening to what users of the scheme tell us is important for them. We’ve been talking internally with NCSC subject matter experts, about how we want to reshape the scheme based on that user feedback. And we’ve been working with our scheme partners (the three certification bodies who act on our behalf) to determine what is and isn't working from their perspective - and how we might want to go about implementing change.
As a result of all of these discussions, a number of decisions have been made about the way forward and we've now initiated the project which will begin transforming CCP.
Two key changes
There are two key changes we want to implement.
The first is a move from the certification of roles to the certification of specialisms (e.g. Risk Management, Security Architecture etc). We've not defined in detail what these specialisms will be yet, and we will want to test our thinking, to ensure that it chimes with the wider cyber security community.
Why the change? Well, because CCP was always intended to be sector agnostic, but the role structure makes it look too government-oriented. We believe that specialisms are much more widely understood and should lead to wider recognition of the value of CCP for all sectors. Moving to specialisms also ensures coherence with other work in this area, such as the CYBOK, which will provide a guide to the underlying knowledge for specialisms.
The second change is in the assessment process itself. Today we have multiple levels of assessment against the roles - practitioner, senior practitioner, lead practitioner. We want to move away from this, instead, recognising specialists. This means we will need to redesign the assessment process.
To be able to apply for assessment as a specialist, individuals will be expected to demonstrate a broad foundation level of underpinning knowledge in cyber security. It's anticipated that this will be satisfied by holding a relevant degree, apprenticeship, professional qualification or certification. Once pre-requisite knowledge has been judged as sufficient, applicants will go on to be assessed against their chosen specialism(s).
When’s this all happening?
Well, it’s already started. We’ve begun looking at the assessment criteria for foundation knowledge. We're working with the certification bodies to develop the assessment criteria for applicants AND the criteria for assessors, to ensure that they (the assessors) can carry out the new assessments. And we will continue to consult and seek feedback on what we're doing as the work progresses. We hope to have this preliminary work completed by late 2018, with a view to running a pilot in 2019.
We know this is a big change and that it might be unsettling for individuals who are either planning to apply for CCP, or who currently hold a certification. We expect and would encourage role certification to continue whilst we are redesigning and piloting the revised scheme. And we will ensure that there are transitional arrangements in place to allow appropriate time for those certified in roles to understand the criteria for specialisms, as we publish them.
When will we hear more?
As we begin the process of implementing changes to the scheme, you can expect more regular updates. I’m not going to speculate when these might be, as we're still in the early planning stages. But I will commit to an update in September, bringing you up to speed on what’s been going on over the summer.
In the meantime, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.
Head of Commercial Cyber Security Assurance Schemes