UK plans to professionalise infosec are too rigid, says (ISC)2

(ISC)2 has raised concerns about aspects of government plans to professionalise information security

Government plans to establish an “approved standard” and to potentially underwrite “chartered” status for UK cyber security professionals are “worrying”, says John Colley, managing director for (ISC)2 Europe.

(ISC)2 is the largest membership body of information security professionals, with nearly 100,000 members across 135 countries.

Colley is calling for a review of the plans outlined in the Cyber Security Skills Business Perspectives and Government Next Steps Report, released by the Department for Business Innovation and Skills last week.

The paper details the government’s support for cyber skills development and specific initiatives to be funded in 2014/15.

Of particular concern, said Colley, is an over-reliance on the GCHQ-led CESG Certified Professional (CCP) as a foundation for all skills development in the UK.

The plan intends to mandate compliance with the CCP scheme as a foundation to accredit private-sector training, as well as the development of university curricula, funding incentives and guidance to business.

Also, only “relevant” courses accredited under the CCP scheme would be eligible to be showcased on the government-recognised Sector Skills Council site: e-Skills UK Cyber Academy Learning Pathways.

Over-complicated process

“This is worrying,” said Colley. “I fear the CCP scheme will not meet the needs of the commercial sector. This scheme goes into fine detail to define roles, several levels of competency specific to those roles, and locks everyone into a rigid, expensive and over-complicated process, for maintaining something that is never going to be fit for purpose.”

Colley said the CCP scheme, originally launched for government in October 2012, was based on the IISP skills framework published in 2007 and there has been no communication around how the CCP scheme is to be kept up to date.

GCHQ, the government’s intelligence and security agency, was funded to develop the CCP scheme, and worked to define six roles for government in October 2012. A seventh role was added to the scheme last week and there are plans to define several more.

“GCHQ brings a lot to the table, but it is not the only perspective that is relevant here,” said Colley. “It is important to see strong endorsement from government for cyber training and education programmes, but one with such a narrow focus is limiting.

“By the time everything is documented and published, there is a huge risk that requirements will have changed.”

Colley, who has 16 years’ experience as a hiring manager for cyber security in the financial sector, said the priority is to develop people with a good level of all-round security knowledge, rather than develop different areas of focused specialist skills.

He welcomed the government’s intent to address university curricula at all levels and to encourage greater collaboration between industry and academia, but said it is important to cultivate people with solid foundations to develop and adapt in what is a very dynamic field of practice.

“People following the CCP scheme will be locked into a focused career path and will struggle to move laterally, which is exactly how people develop that all-round knowledge and experience that allows them to advance in the commercial sector today,” he said.

“I would like to see a broader, more inclusive approach that allows market-influenced development to continue to respond to the very fluid requirements of the profession.”
