CESG certification scheme aims to boost public-sector consultants

New certifications from CESG, in partnership with CREST and IISP, plan to standardise the assessment of skills for public-sector security consultants.

A new set of certifications is being launched to help raise standards among security professionals working for the public sector.

The move is backed by CESG, the UK government’s technical arm for information assurance, and is being developed by a consortium that includes the Council for Registered Ethical Security Testers (CREST), the Institute of Information Security Professionals (IISP) and Royal Holloway College.

The CESG certification, called the CESG Certified Professional Mark, allows government employees, or individuals providing services to government bodies, to achieve practitioner, senior practitioner or lead practitioner status across six roles: security and information risk advisor, information assurance (IA) accreditor, IA security architect, IA auditor, IT security officer and communications security officer.

The roles have been closely modelled on the skills framework developed by the IISP in conjunction with industry, government and higher education, and, for the first time, will provide a detailed certification framework for information security practitioners working on government contracts.

The current CESG Listed Adviser Scheme (CLAS) qualifies people for public-sector work, but does not specify their particular skills or specialities. “This new scheme gives employers more granularity and understanding of the skills the consultants are offering,” said Amanda Finch, general manager of IISP.

In order to become a certified public-sector consultant under the new scheme, candidates will be asked to assess their own specialities and skills, and then undergo a process of peer review, interview or examination, according to the level of certification. “Our processes are very challenging, and we are confident our scheme will identify people that are true professionals,” Finch said.

Royal Holloway has a long-established Masters course in Information Security, and its role, said Finch, will be to oversee the examinations and structured interviewing procedures.

CREST, which currently has 25 member companies, will set the technical examinations for areas such as penetration testing and network forensics. Ian Glover, president of CREST, said the new scheme will provide an opportunity for public-sector employees to gain the same qualifications as consultants.

“It provides a way for people working within government and the public sector to be certified to the same level as the outside consultants,” Glover said. “There may be work that could, in theory at least, be done by government officials. With a common examination and assessment scheme, officials can now be assessed to the same standards.”

He also explained that the new certifications are much more specific regarding a person’s skill set. “Previously as a consultant, you would submit a CV to CESG who would review it without seeing you, and you could become a CLAS consultant and be able to do any form of CLAS work. Now we can differentiate between, say, a security architect and someone who does risk assessments.”

The government’s aim, said Glover, is to generate well-qualified people to help protect the critical national infrastructure against cyberattacks. Details of the certification scheme will appear in the government’s full cybersecurity policy document, which was due to be published last week, but which has now been delayed until some time in October.

However, according to Chris Batten, managing director of Acumin Consulting, a recruitment consultancy that specialises in the security field, public-sector consultants have been struggling to find work in recent months as a result of public-sector cuts. “Many of the 800 CLAS consultants are not working at the moment, and I expect the number to go down because some will not re-register at the end of the year. It’s been a bad year for them,” he said.

But that situation could change, Batten added. “In the last three or four weeks, we have seen a sudden new demand for public-sector security people. I’ve not seen that for at least a year. Many of the big consultancies are now recruiting again.”
