In my last blog about our commitment to the Certified Cyber Professional (CCP) scheme I spoke about how the scheme needed to be reshaped to keep it relevant for the wide range of customers the NCSC now works with. I signalled two key changes:
- a move from the assessment of roles to assessment against specialisms
- the need for candidates to show a broad foundation level of underpinning knowledge in cyber security, prior to being assessed as a specialist.
We have continued consulting with our Certification Bodies (CBs) and the NCSC technical community to start putting some substance onto those proposed changes. This blog is the update I promised on the next steps in taking those changes forward.
From roles to specialisms
Just to recap on why the change. We want CCP to be relevant to all NCSC customers, not just government. However, the current assessment based on government-centric IA roles doesn’t really resonate with wider industry and business. We want to change this by focussing the assessment on the specific skills that really matter, rather than the context in which they are being applied.
We have decided to initially concentrate on assessing against two specialisms: risk management and security architecture. In time we expect the number of specialisms which professionals can be assessed against to increase. However, we need to begin 'small' and validate the assessment process and wider changes to the scheme before we expand it. We’re going to do this by running a pilot and we’re currently talking with our CBs about how we might conduct this.
My expectation is that the pilot will begin in the New Year and run for several months. This work will help us refine and streamline the evidence requirements for each specialism as well as the assessment and application processes. Until we've had some feedback from the pilot, there isn't much more to say about this now other than I'll blog again on this subject at a future date.
What about foundational knowledge?
We want to have confidence that all our professionals have a comparable level of validated foundational knowledge before applying for specialisms. This helps to raise standards and, just like other professional communities, provides a means of formalising what we need to know. I should stress that we won’t be assessing foundational knowledge; instead we will recognise industry certifications and other qualifications and will ensure that these meet certain criteria in terms of topic coverage and testing.
We’ve given this quite a bit of thought over the last few months. Obviously, people acquire professional knowledge in very different ways, so we’ve consciously tried not to limit options whilst ensuring that they are of the right standard. Our current thinking is that there will be three possible ways to demonstrate foundation knowledge:
- Holding an NCSC-certified degree
- Full membership of the IISP
- Holding a CISSP certification and full membership of ISC2
Why have we chosen these three?
The NCSC has invested a lot of time and effort into our certified degrees initiative and is therefore confident that anyone holding one of these degrees will have the right depth and breadth of foundational knowledge to meet our foundational knowledge requirement. Some individuals may hold the same degree from an academic institution, awarded prior to NCSC certification of that course, and we'll assess these on a case by case basis.
There are many cyber security related professional certifications out there, but not all are equal in terms of the knowledge covered and the way it is tested. We wanted to avoid the scenario of individuals simply attending "boot camps" and passing an exam, so our criteria for recognising a professional certification are that it should: provide the right breadth and depth of cyber security knowledge; be vendor neutral; require an examination; require evidence of professional practice; and require continued learning or periodic recertification. As you'd expect, we've spent a lot of time reviewing professional certifications, and currently the only one we think meets our criteria is the International Information System Security Certification Consortium's (ISC2) Certified Information Systems Security Professional (CISSP). Consequently, we'll recognise CISSP plus an ISC2 endorsement of being in good standing as evidence of foundational knowledge.
Finally, as with professional certifications, the criteria for professional membership can vary. Institutions that offer professional membership must define and validate a suitable breadth and depth of cyber security knowledge; be vendor neutral; and require evidence of professional practice. We believe that full membership of the IISP meets this and again will recognise it as suitable evidence of foundational knowledge.
I want to stress that the above is not a closed book; it’s our starting position. We’ll continue to review qualifications and certifications to see if we can expand what we recognise. For example, we are exploring expanding our recognition of degrees to include courses supporting the new degree apprenticeship standard. In the longer term we would expect the Cyber Security Body of Knowledge (CyBOK) to become the standard against which the gaining of foundational knowledge will be judged.
If you think we have missed something, let us know.
The experience-only route
Whilst we believe that what has been laid out above is a fair and inclusive way of recognising foundational knowledge, we are also aware that there are good professionals out there who do not fall into any of these categories. We are therefore devising an experience-only route.
We still need to ensure that people choosing this route can demonstrate that the experience they have gained in the workplace has the right depth and breadth. We are planning on using the CyBOK as the basis for this. Our current thinking is that individuals would elect to show how their work experience demonstrates that they have acquired foundational knowledge in an agreed number of the 19 Knowledge Areas. NCSC will publish the number of areas at a future date. This would be documented in a technical CV that they would submit for review; if accepted, the applicant would then go on to be interviewed. If they are successful at interview they'll meet the criteria for foundational knowledge and will then be eligible to apply for their chosen CCP specialism(s).
We’ll be providing further information on this as the pilot work informs our thinking.
A word to the Head Consultants of our Certified Cyber Security Consultancies
If you are one of these, you're probably thinking you've seen this before. Head Consultants will have been through a very similar assessment as part of their company's application to the Certified Cyber Security Consultancy scheme. Part of this process includes assessment of foundational knowledge by the NCSC as well as an interview by senior members of our technical community. If you fall into this category, and you are a Head Consultant in either Risk Management or Security Architecture, you will automatically qualify for CCP certification in that specialism. We'll be contacting all our Head Consultants in due course to discuss.
We do recognise that these are big changes, and we want to get them right. The pilot will help us do this and inform how we plan to transition from the old roles to the new specialisms. This will be a major focus for our planning work in the New Year. We’ll blog again as things progress.
As before, if you have any thoughts on the above, you can let us know in the comments below or by contacting us directly.