Professionalisation of Information Security 

The memoirs of an old consultant. 

The Early Years 

In the early days, “Information Security”, defined as the preservation of confidentiality (information accessible only to those authorised to have access), integrity (safeguarding accuracy, completeness, and processing methods), and availability (ensuring authorised users can access information when required), was the purview of the Communications Electronic Security Group (CESG, later named the UK National Technical Authority for Information Assurance), a branch of Government Communications Headquarters (GCHQ), to deliver.

Maintaining this took increasingly large budgets and resources, with the right mix of skills and experience to cover a wide range of subject areas, so it was decided to bring in third-party contractors from the private sector to dispense advice and guidance on behalf of Her Majesty’s Government (HMG), with oversight retained by CESG. This was the birth of the CESG (Listed) Advisor Scheme.

The CESG (Listed) Advisor Scheme (CLAS) 

Several years back (over 30!) when I was first starting out in “Information Security”, my employer determined that I should gain membership of CLAS. At that time this meant your employer testifying that you had been employed in “Information Security” for over 3 years, payment of the fees, and attendance on the CESG induction course (which comprised one week of presentations on the multiple CESG standards and guidelines used in the scheme, delivered by the document authors). At this time, the majority of scheme members already had experience of working in the IT industry in other roles (design, build and maintenance of network infrastructures, IT management, service management, technical support, testing etc.) and many had a military/police background (used to working in classified environments). As already stated, CLAS consultants worked on behalf of HMG rather than the parent company and were overseen by an independent assessor (called the “Accreditor”); both they and the scheme were managed by CESG.

INFOSEC Training Paths and Competencies Scheme (ITPC) 

Throughout the scheme’s continued existence, there were many questions over the standard of skill provided by these CLAS consultants (whose knowledge, skill, and experience ranged from the newly qualified to those with years of valued experience), the lack of a career/training path, and the level of professionalism displayed by the scheme members.

One of the sources of unease came from civil servants who were required to attend formal training through the (now defunct) Civil Service College in order to qualify under the INFOSEC Training Paths and Competencies Scheme (ITPC), which was overseen by the Cabinet Office. Around 2006, it was therefore determined that CLAS consultants would submit a dissertation based on their work in order to also qualify under the scheme, gaining the Certificate of InfoSec Competency (Government Practitioner).

CESG Certified Professional (CCP) Scheme 

Around 2010-2012, in order to address the wider issue of professionalisation, the CESG Certified Professional (CCP) Scheme was devised and CLAS consultants were required to “qualify” in several specific certifications related to the role in which they were employed. The Certified Professional assured service was designed as a recognition of competence awarded to those who demonstrated their sustained ability to apply their skills, knowledge, and expertise in real-world situations. The roles included IA Accreditor; Security and Information Risk Advisor (SIRA); IA Architect; IA Auditor; IT Security Officer; and Communications Security Officer, and competency was assessed at one of three levels:

  • Practitioner – entry level, suitable for those working on routine Information Assurance (IA) tasks and on more complex tasks under supervision.
  • Senior Practitioner – those able to work independently on complex projects and who oversee the work of other IA professionals.
  • Lead Practitioner – highly experienced individuals who provide advice and/or leadership on complex strategic IA issues to seniors in an organisation.

This scheme relied on three core certification bodies (CBs) – the APM Group; the BCS; and the consortium of the IISP (later CIISec), CREST, and RHUL – to conduct assessments and interviews and to recommend a result to CESG, who would then confirm (or decline) the award. The scheme itself was underpinned by the IISP Skills Framework and was considered HMG’s approved standard for Cyber Security professionals.

CESG becomes NCSC

In November 2007, following several reports of failings in the provision of Information Security within government, it was reported that the whole public-sector computer-security establishment was no longer fit for purpose. It was further suggested that the next government should replace CESG with a civilian agency staffed by competent people as “ministers need much better advice than they’re currently getting.” 

2006
  • A report on Children’s Databases for the Information Commissioner stated that the proposed centralisation of public-sector data on the nation’s children was not only unsafe but illegal.

2007
  • HM Revenue and Customs (HMRC) lost the data of 15 million child benefit recipients, and the head of HMRC resigned.
  • The Health Select Committee made a number of recommendations to improve the safety and privacy of electronic medical records, and to give patients more rights to opt out. Ministers dismissed these recommendations.
  • A poll indicated doctors were so worried about confidentiality that many would opt out of using the new shared care record system.
  • The report of the Lords Science and Technology Committee into Personal Internet Security also pointed out a lot of government failings in preventing electronic crime, which ministers dismissed.

2017
  • GCHQ suggested that the outcome of the report of the Lords Science and Technology Committee into Personal Internet Security was not a failing of CESG (accused of failing in its provision of policy, procedures, guidelines, services etc.) but rather a failing of the CLAS scheme and the quality of its membership. GCHQ determined to move CESG services from Cheltenham to London and to rebrand the service as the National Cyber Security Centre (NCSC), which Her Majesty the Queen officially opened on 14 February 2017.
  • The immediate impact of this reshuffle/re-emphasis on the professional was the closure of the CLAS scheme, which meant that the need to dispense advice on behalf of HMG was removed and information security professionals were once again incorporated fully into the corporate machine, answerable to the business rather than to government. In the worst-case scenario, this led to the development of systems/solutions based on poor requirements rather than on the need to deliver appropriate security, the business need, integration with existing systems, and assurance that a solution functions as planned and designed. The drive to earn additional income from corrective action later down the line potentially outweighed the need to deliver appropriately secure solutions.
  • Although NCSC was a new creation, many milestones (many heavily influenced by the GCHQ organisation) led up to this point and drove preparation for many more changes (see Annex B). Government awareness of the pressing need to stay protected has been around for centuries, with National Archive examples from as far back as the 16th century of encrypted official dispatches, particularly those being sent to and from diplomats. The volume of telecommunications has increased significantly in the last 100 years and has been accompanied by a huge rise in public awareness of the importance of staying protected. This spirit was intensified in the 20th and 21st centuries, with many technological developments coming from Bletchley Park and beyond that helped to create the current booming digital economy in the UK.

NCSC is a part of GCHQ and is the UK’s authority on cyber security. Its main purpose is to reduce the cyber security risk to the UK by improving its cyber security and cyber resilience. NCSC brought together and replaced three existing cyber security organisations – the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and CESG (GCHQ’s information security arm) – and includes the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). 

Recognising that, despite all efforts to reduce risks and enhance security, incidents will happen, NCSC was also established to provide effective incident response to minimise harm to the UK, help with recovery, and learn lessons for the future. NCSC, working together with UK organisations, businesses, and individuals, provides authoritative and coherent cyber security advice and cyber incident management underpinned by world-class research and innovation.

Since its launch NCSC has been working with the public and private sectors in building cyber security skills, developing innovative defences, and helping to manage cyber incidents. But, more than this, embedding good practice among all computer users is a key target, and the strategy (as stated by NCSC) is to ‘use government as a guinea pig for all the measures we want to see done at national scale.’ One key element of NCSC’s work to help reduce cyber-attacks is the Active Cyber Defence programme. This is intended to tackle, in a relatively automated way, a significant proportion of the cyber-attacks that hit the UK. The aim is to demonstrate to government that these measures are effective and dependable before encouraging the private sector to adopt them.

A professional Institute for Information Security 

In 2006, the Institute of Information Security Professionals (IISP), a not-for-profit organisation owned by its members, was formed and dedicated to raising the standard of professionalism in the information security industry by accrediting skills and competence, sharing best practice, and providing a network of support and guidance on individual skill development. It spoke with an authoritative voice and its competency-based memberships were widely recognised in the information security industry.

By 2018 the IISP worked closely with the Information Security community and had a growing membership of over 2,600 individual members across the private and government sectors, forty-four Corporate Member Organisations, and seventeen Academic Partners.

The heart of the Institute was the IISP Skills Framework 2012, widely accepted as the de facto standard for measuring the competency of Information Security Professionals. CESG had also taken this framework to underpin a range of certification schemes, including the Certified Professional Scheme (CCP), for which the IISP was the leading certifying body, and to develop syllabuses for master’s degrees. Corporate members extensively used the skills framework to benchmark and develop the capability of their employees, and it was also adopted by e-Skills UK to develop a National Occupational Standard for Information Security. The IISP also accredited training courses offered by commercial training providers against the Institute’s Skills Framework. This enabled attendees to build knowledge in areas of the skills framework where they might have gaps and to gain firsthand experience.

One of the aims of IISP was to drive chartered status for its members. To do this IISP had to become a chartered organisation and, on achieving this, changed its name to the Chartered Institute of Information Security (CIISec). The IISP was founded by leaders of the profession in 2006 to address the problem of how to recognise a competent information security practitioner, and in 2007 the first Skills Framework was devised to measure skills and competency in cyber security. From here the Skills Framework was used to accredit the growing membership as CIISec collaborated with corporate members, academia, and government. With over a decade of accrediting individuals and benchmarking the profession, CIISec grew to where it stands today, representing over 8,000 individuals in the cyber security industry. On 12 December 2018, Her Majesty the Queen graciously granted the organisation a Royal Charter of Incorporation and CIISec came into being.

Security Certifications 

While the government considered a drive towards improved professionalisation, many more “security professional” certifications and schemes arose, covering just about every product, methodology, role, professional institute, and organisation-driven topic of which you can think. During this process the government was determined that any academic and government professionalisation development should not simply be a “rubber stamp” of these already developed courses and certifications, leading to a dilemma for each practising professional: to go with the recognised professional standards in the marketplace, or to go with those prescribed by government and academia. In the end most opted for a mix of both (myself included).

Annex A contains a table giving a small portion of one compiled list of certifications a practitioner might consider (from one American practitioner’s viewpoint).

For me this has led to fellowships of multiple institutes, memberships of associated institutes (such as management), qualification under the various government schemes, and certification under some of the well-known commercial schemes (ISC2, Microsoft, Novell etc.). It also led to additional associated business training such as Spartans, FAST, and Export Licencing/Control.

The current UKCSC entry-level certifications (https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/entry-routes-training/) are a little less daunting and are paired with suggested online learning resources and Cyber Security Bootcamps.

Organisation     Cert Title
CompTIA          ITF+
CompTIA          A+
(ISC)2           Certified in Cybersecurity
BCS              Foundation Certificate in Information Security Management Principles
ISACA            Information Technology Certified Associate
SANS/GIAC        GIAC Information Security Fundamentals
SANS/GIAC        GIAC Security Essentials
EC Council       Network, Ethical Hacking & Digital Forensics Essentials
APMG             IT Security Foundation
AWS              Cloud Practitioner Foundational
IT Governance    Certified Cyber Security Foundation Training Course

Recent History 

Delivery Focus Shift

It was becoming evident that the current model of concentrating on design and development for the delivery of Information Security was resulting in shortfalls in the operational aspects of security, which were generally left to operations teams with less information security knowledge, skill, and experience to deliver. This led to Development and Operations (DevOps) and later Development, Security, and Operations (DevSecOps): a development regime in which the Operations and Security teams work with the Development teams throughout the project, so that the security team can provide constant, ongoing feedback to help developers get the operations and security aspects of the system right. This in turn led to the rise in popularity of the Security Operations Centre (SOC), its new associated roles, and the birth of “Cyber Security.”

The roles identified for a SOC team structure include a SOC Manager, L1 Monitoring team, L2/L3 Analysts, Incident Responders, Service Desk, Forensics, SIEM Administration, Threat Intelligence, and Threat Hunter, but, depending on the size and needs of the business, the staffing of a SOC may contain some or all of these roles, or the SOC may even be provided by a third party (in a hybrid cloud environment, for example).

Cyber Security was defined by ITU-T Recommendation X.1205 in 2021 as the defence of information held and processed on digital systems against unauthorised access, damage, or misuse. It includes the protection of the hardware, software and associated infrastructure, the data that is held, and the services provided, and encompasses both technical and non-technical defence mechanisms.

Education, Diversity, and Inclusion 

More recently, there has been a lot of conversation about skills shortages in the industry. In an effort to address this, NCSC has been encouraging cyber security skills training in schools, apprenticeship schemes, and diversity initiatives, and recognising several university courses in cyber security subjects. This also led academia to start a conversation on how one course could be measured against another without a Common Body of Knowledge.

This led to the birth of the Cyber Security Body of Knowledge (CyBOK), funded by the National Cyber Security Programme. CyBOK is a comprehensive body of knowledge that informs and underpins education and professional training for the cyber security sector, bringing cyber security into line with the more established sciences by distilling knowledge from major internationally recognised experts.

The UK Cyber Security Council (UKCSC) 

The Council was conceived initially as part of the UK Government’s National Cyber Security Strategy (NCSS) 2016-2021 document, which set out ambitions to develop and accredit the cybersecurity profession. 

This was developed further in the Initial National Cyber Security Skills Strategy (2018). This declared intentions to establish a new, independent, UK Cyber Security Council to function as an umbrella body for existing professional organisations and drive progress against the key challenges the profession faces. 

The Department for Culture, Media, and Sport (DCMS) undertook a public consultation exercise which helped identify the characteristics of the profession and the need for a body to form this new identity. Following this, DCMS funded the creation of the UK Cyber Security Council. Government will look to this body as the authority on the cyber profession, bringing together the existing work of professional and certification organisations in this space, to communicate meaningfully and assure consistency across standards and pathways.

The UK Cyber Security Council (https://www.ukcybersecuritycouncil.org.uk/) was to be the self-regulatory body for the UK’s cyber security profession, developing, promoting, and stewarding nationally recognised standards for cyber security. This is provided in support of the UK Government’s National Cyber Security Strategy to make the UK the safest place to live and work online. The UKCSC core values are integrity, innovation, inclusion, collaboration, and excellence.

Following a competitive tender process, the contract to design and deliver the Council was awarded in September 2019 to a consortium of cybersecurity professional bodies known as the Cyber Security Alliance. The Alliance is a consortium of cybersecurity organisations representing a substantial part of the cybersecurity community in the UK. It brings stakeholders together in the interest of advancing a healthy cybersecurity sector for the UK, from the development of professional recognition to collaboration around acknowledged priorities to move the workforce and skills base forward. Its original members include: (ISC)²; BCS, The Chartered Institute for IT; Chartered Institute of Information Security (CIISec); Chartered Institute of Personnel and Development (CIPD); CompTIA; CREST; Chartered Society of Forensic Sciences (CSFS); Engineering Council; Information Assurance Advisory Council (IAAC); The Institution of Analysts and Programmers (IAP); The Institution of Engineering and Technology (IET); Institute of Measurement and Control (InstMC); ISACA; Security Institute (SyI); techUK; and the Worshipful Company of Information Technologists (WCIT).

Annex D indicates the continuing UKCSC development Timeline and work undertaken. 

Migration and Subsequent Closure of the CCP Scheme 

In 2022 the UK Cyber Security Council (UKCSC) commenced stewardship of the NCSC’s CCP scheme, as one of the steps on its journey towards the creation of a new professional standard for cyber security and its long-term goals for individual specialisms within it. Eventually, the UKCSC determined to close the CCP scheme with the following announcement:

  • It is the UKCSC’s mission to ensure and maintain the UK’s global leadership in the cyber industry, through the development of this series of professional standards. This is not just about defining standards: the Council are ensuring that our cyber security practitioners receive the recognition they richly deserve – be it through Associate, Principal or Chartered title, in parity with other chartered professions. They are also ensuring that businesses can make the best, informed decisions when it comes to their cyber recruitment and provision under the new scheme. 
  • The Chartership title has now been piloted for the Governance and Risk Management, and Secure System Architecture and Design specialisms and as a result, UKCSC will be closing the CCP scheme, in preparation for the launch of the Council’s Chartership Title Specialisms, on 30 June 2023, meaning that CCP certifications will continue to be recognised until the last ones through the scheme expire in December 2026. 
  • It is anticipated that the UKCSC route for Risk Management and Security Architecture specialisms will be formally launched by the Council in late July 2023. Therefore, candidates can choose to apply for CCP before 30 June 2023, or wait for the launch of Chartership. Candidates who choose to take the CCP route before its closure may apply to go through a ‘top-up’ assessment to qualify for Chartership as well. They must do so within the first six months of CCP certification or at the point of revalidation. 

Current “Cyber Security” Professionalisation 

Since 2019, the UK Cyber Security Council has concentrated its efforts on the development of the council, its frameworks, the consortium, trustees, and working groups, and on seeking charter status. It has developed much guidance material for those seeking employment in cyber security, in three key areas: Careers and Learning (the entry routes, minimum training requirements, and career development), Ethics, and Professional Standards. Annex C, for example, shows the Cyber Career Framework’s pathways for the 16 specialisms in Cyber Security. See:

UKCSC are designing schemes to award the professional titles of Chartered, Principal and Associate, which began with a pilot in Autumn 2022 for the Cyber Security Governance and Risk Management and Secure System Architecture and Design specialisms. Subsequently, UKCSC have welcomed the first Chartered cyber security professionals through this programme. 

UKCSC anticipates that by 2025 all agreed specialisms will have been stood up, underpinned by a holistic, responsive, and inclusive Standard, to represent the Cyber Security Life Cycle.

These initiatives and tools are all supported and enhanced by the professional organisations within the Cyber Security Alliance that underpin the UKCSC, their purposes, values, governance, and career support functions. 

Annex A: An American Eye-View of Certifications (partial list) 

Acronym           Certification
Apple ACSP        Apple Certified Security Professional
AWS SAA           AWS Certified Solutions Architect Associate
Azure SAE         Azure Solutions Architect Expert
Azure SEA         Azure Security Engineer Associate
CCSA              Check Point Certified Security Administrator
CCSE              Check Point Certified Security Expert
CCSM              Check Point Certified Security Master
CCAr              CISCO Certified Architect
CCNA CyberOps     CISCO Certified Cyber Operations (SOC)
CCDE              CISCO Certified Design Expert
CCIE Sec          CISCO Certified Implementation Expert – Security
CCIE Ent          CISCO Certified Internetwork Expert – Enterprise Infrastructure
CCNA              CISCO Certified Network Associate
CCNP Ent          CISCO Certified Network Professional – Enterprise Infrastructure
CCNP Sec          CISCO Certified Network Professional – Security
CCT               CISCO Certified Technician
A+                CompTIA A+
Linux+            CompTIA Linux+
Net+              CompTIA Network+
Server+           CompTIA Server+
CSA CGC           CSA Cloud Governance and Compliance
EXIN PCSA         Exin Professional Cloud Solution Architect
EXIN PCSerM       Exin Professional Cloud Service Manager
F5 CSE Sec        F5 Big-IP Certified Solution Expert – Security
F5 CA BIG-IP      F5 Certified Administrator BIG-IP
F5 CTS DNS        F5 Certified Technology Specialist, BIG-IP DNS
F5 CTS APM        F5 Certified Technology Specialist, Access Policy Manager
NSE 4             Fortinet Network Security Expert (Cybersecurity Technical Certification)
GCWN              GIAC Certified Windows Security Administrator
GCUX              GIAC UNIX Security Administrator (Retired)
Google PCA        Google Professional Cloud Architect
Google PCSE       Google Professional Cloud Security Engineer
CCSP              ISC2 Certified Cloud Security Professional
JNCIA Sec         Juniper Networks Certified Internet Associate – Security
JNCIE Sec         Juniper Networks Certified Internet Expert, Security
JNCIP Sec         Juniper Networks Certified Internet Professional, Security
JNCIS Sec         Juniper Networks Certified Internet Specialist – Security
LPIC-3 Sec        Linux Professional Institute v3 Security
LCE               Linux Certified Engineer
LCM               Linux Certified Master
LCP               Linux Certified Professional
LPIC-1            Linux Professional Institute 1st Certification
LPIC-2            Linux Professional Institute 2nd Certification
CECS              Lunarline School of Cyber Security Certified Expert Cloud Security
MCSA              Microsoft Certified Software Associate
MCSE Core         Microsoft Certified Software Engineer – Core Infrastructure
MTA               Microsoft Technology Associate
NSE 7             NSE-7 Fortinet Network Security Architect
NSE 8             NSE-8 Fortinet Network Security Expert
PCNSA             Palo Alto Networks Certified Network Security Administrator
PCNSE             Palo Alto Networks Certified Network Security Engineer
PCCSE             Prisma Certified Cloud Security Engineer
RHCA              Red Hat Certified Architect
RHCE              Red Hat Certified Engineer
RHCSA             Red Hat Certified System Administrator
Sales Force SA    Sales Force System Architect
Splunk ECSA       Splunk Enterprise Security Certified Admin
SCA               SUSE Certified Administrator
SCE               SUSE Certified Engineer
SEA               SUSE Linux Enterprise Architect
VCIX NV           VMWare Certified Advanced Professional – Network Virtualisation Deploy
VCDX DCV          VMWare Certified Design Expert – Data Centre Virtualisation
VCP DCV           VMWare Certified Professional – Data Centre Virtualisation

The list continues for about three times the length shown here, but you get the picture!

Annex B: 100 years of “Security” Milestones 

Annex C: Cyber Security Pathways for 16 Specialisms 

Annex D: Timeline – Recent Development of the Council and Work Undertaken

2021 

January – The UKCSC proposal for the UK Cyber Security Council Standard for Professional Competence and Commitment (UK CSC SPCC) was issued for review by the community. 

A paper entitled “Disciplines and specialisms in Cyber security” set out to provide a high-level view on a potential way forward in identifying specialisms for the UKCSC. The paper described some existing approaches already in use elsewhere, a proposed hierarchy specific to UKCSC, and then outlined a potential approach to implementation that would allow the Council to get to its goal of properly defining the professional requirements and (potential) registered status of its practitioners (including, but not limited to, Chartered status). 

The UKCSC Formation Project issued a further survey (entitled “Community Challenge”) to obtain wide feedback on key elements of the project. This information gathering was based on a set of proposals made available for “community challenge.” The survey was aimed at informing members of the Cyber Security Alliance in the creation of the UKCSC and its role to champion the profession nationally and internationally.

The Council devised a set of Standards which, if met by individuals, would allow them to be registered as “Chartered”, “Associate” or “Principal” cyber security professionals. The UKCSC Contract for Licensee Businesses asked licensees to express their wish to enable their members to be entered on the Register. The Council, subject to the terms of that agreement, would then authorise the Licensee to undertake assessments of individuals against the relevant Standards and make recommendations to the Council for the entry of individuals on to the Register.

February – The UKCSC Formation Project consultation on professional qualifications for UK cyber security professionals was released.

March – The UK Cyber Security Council (UKCSC) was publicly launched.

December – At the launch of the UK’s National Cyber Strategy, it was announced by the Cabinet Office that the UK Cyber Security Council was granted the honour of Chartered status. 

2022 

January – The UKCSC consultation document on embedding standards and pathways across the cyber profession was published, with a ministerial foreword by Julia Lopez MP, Minister for Media, Data, and Digital Infrastructure, and a closing date in March 2022.

September – The UKCSC paper on the Council’s Route to Chartership and the “Minimum Qualification Level (standard) for the UKCSC’s Professional Registration titles including Chartered” were released.

December – The UKCSC consultation document on Ethnic Minorities in Cyber was published, following an Ethnic Minorities in Cyber Symposium in October 2022.

The Head of Industry Assurance Services at NCSC announced the formal closure of the legacy role-based CCP certifications and outlined the changes. Once the UKCSC has formally established the Council’s Risk Management and Security Architecture specialisms, those with the relevant CCP qualification may apply to be transitioned to either the Certified or Associate Council recognition.

2023 

January – The UKCSC pilot of specialisms for Cyber Security Governance and Risk Management and Secure System Architecture and Design was launched.

April – The UKCSC pilot of the Audit and Assurance specialism was launched.

May – The UKCSC Professional Standards and Titles Survey was launched.

Any views, thoughts, and opinions expressed in this article are solely those of the author and do not reflect the views, opinions, policies, or position of The Institution of Analysts and Programmers.