CESG defends CCP as UK cyber security skills foundation

CESG has defended the validity of its CCP scheme as a foundation for cyber skills development in the UK

GCHQ’s information assurance arm has defended the validity of its cyber security professional certification scheme as a foundation for cyber skills development in the UK.

Government plans to establish an “approved standard” for UK cyber security professionals are set to recommend compliance with the CESG Certified Professional (CCP) scheme.

The draft plan is outlined in the recently published Cyber security skills business perspectives and government next steps report by the Department for Business, Innovation & Skills (BIS).

The draft plan also recommends compliance with the CCP scheme as a foundation to accredit private sector training, as well as the development of university curricula, funding incentives and guidance to business.

Security professional association and certification body (ISC)2 has called for a review of the plan in favour of a broader, more inclusive approach that allows market-influenced development.

The organisation has expressed concerns that anyone following the CCP scheme will be locked into a focused career path and will struggle to move laterally to develop all-round knowledge and experience.

But CESG has defended CCP, saying it is still in the early stages of development and that it will continue to evolve, guided by industry, academia, professional bodies and government departments.

Competency testing

“What sets CCP apart from the great number of existing industry schemes is that it is a certification of an individual's competence in applying a particular set of skills in a real-life environment,” said Chris Ensor, deputy director for the national technical authority for information assurance (CESG).

“Candidates are required to provide detailed evidence to support their application,” he told Computer Weekly.

Candidates are assessed by three certifying bodies and require re-assessment every three years, with continuing professional development (CPD) evidence provided after 18 months.

The certifying bodies are the Institute for Information Security Professionals (IISP), the CREST & Royal Holloway University London consortium, the APM Group and BCS, the Chartered Institute for IT.

“The scheme has been developed to recognise the growing need for specialists within the broader security profession. Specialists that are needed to help organisations meet today's risks,” said Ensor.

The competency-based approach adopted by the CCP scheme is supported by the findings from the recent BIS report, he said.

The report showed that companies usually look to recruit experienced cyber security professionals and tend to value experience over qualifications.

“Clearly there is a balance to be struck between gaining the right level of skills through qualifications and having evidence of competence in applying these skills in the workplace; and this is what the CCP scheme sets out to do,” said Ensor.

While the original six CCP roles have a very public sector flavour, he said the recent addition of the penetration tester role signals the government’s intent to make CCP more applicable to industry.

“And at the same time, establish a more unified standard across both government and industry to help employers choose the right people with the right level of competence for the job,” said Ensor.

Security training courses

In support of CCP, CESG will be launching the CESG Certified Training (CCT) scheme in the summer of 2014 to certify training courses that meet a “good standard” for both course content and delivery.

Training courses will be assessed against the relevant areas of the IISP Skills Framework, which Ensor said will help individuals identify which training courses are most relevant for their current role as part of an overall learning pathway into a part of the profession.

According to CESG, a number of established UK and international training providers have expressed a wish to submit their courses for certification.

“The success of both schemes will rely very much on their ability to make themselves an essential requirement for a fledgling UK cyber security profession,” said Ensor.

“CESG, as the national technical authority for information assurance, is committed to providing standards and guidance that cyber security professionals and businesses can rely on.

“Our goal with our partners across both public and private sectors is to raise the standard and increase the number of cyber security professionals that can help the UK manage its information and cyber risks.

“To achieve this, we need both individuals with a broad understanding as well as those with in-depth expertise in specialist areas of cyber security.

“The ability of the CCP and CCT schemes to remain flexible, dynamic and relevant to a rapidly changing environment will be key to their success,” he said.

CESG is currently seeking involvement from industry, academia and professional bodies in developing additional roles for the CCP scheme and is inviting interested parties to make contact.
