A grand Alliance of 17 leading UK organisations impacting cyber-security has been formed in response to a call by the UK government’s Department of Digital, Culture, Media and Sport (DCMS) to develop a national professional body for cyber-security.
The DCMS has only just begun a consultation process, open until 5 pm on 31 August, inviting those interested to contribute to how the country can improve the environment to develop people with the right skills, capabilities and professionalism to meet its need for cyber-security professionals.
The move came just as it was being reported how GCHQ had criticised the government to the Joint Committee on the National Security Strategy whose recent report (see end of this story) criticises the government for a "lack of urgency" in fixing the skills gap.
The consultation also follows on from the 2016 National Cyber Security Strategy in which the Government made a commitment to develop the cyber security profession in the UK. This consultation includes what the government says is a clear definition of objectives for the profession to achieve and proposes the creation of a new UK Cyber Security Council to coordinate delivery.
Specific aims for the consultation are to:
The full consultation document can be accessed here and to respond you can use the online portal. For questions on how to respond, or engaging with the consultation process, you can contact firstname.lastname@example.org.
Formation of the Alliance
There has been a swift industry-wide response to the plans to develop a national professional body for cyber-security, with the creation of a new cross-sector alliance incorporating 17 leading UK organisations. This new Alliance aims to help shape national cyber security standards, drive advances in cyber-education and advise the government on national cyber-security policy.
The Alliance ranges from professional bodies to institutions operating under a Royal Charter granted through the Privy Council. One of the alliance’s key aims is to create a self-sustaining pipeline of talent to fill the skills gap in the UK.
The Alliance has put out a statement explaining its formation, saying: "In recognition of the United Kingdom’s increasing economic dependence on internet-enabled capabilities, a number of established councils, chartered professional bodies, professional certification bodies, academics and industry representative groups have established a collaborative alliance to advance the development of the cyber-security profession.
"With representation from a breadth of disciplines currently active in cyber-security professional practice, including computing, engineering, physical security, CNI and focused cyber-security bodies, the collaborative effort reflects constituent members’ common understanding that professional cybersecurity expertise is relevant to a broad range of disciplines. With an overall aim to provide clarity around the skills, competences and career pathways within this fast-moving area of professional practice, the initial objective is to support commitments expressed within the UK National Cyber Security Strategy to provide a focal point for advising national policy, including the stated intent to recognise professionals through Chartered status."
The Alliance currently comprises, in alphabetical order: BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development (CIPD), the Chartered Society of Forensic Sciences (CSofFS), CREST, The Engineering Council, IAAC, The Institution of Analysts and Programmers (IAP), The IET, Institute of Information Security Professionals (IISP), Institute of Measurement and Control (InstMC), ISACA, (ISC)2, techUK, The Security Institute, and WCIT, The Worshipful Company of Information Technologists.
The statement adds that Alliance members are encouraging a broad and robust response from the broad community of practice currently working in the field.
Common objectives agreed by Alliance members include:
Further statements were issued by some of the members including:
Deshini Newman, managing director EMEA, (ISC)2 said in his press statement: "We are reaching an important milestone in the maturity of our profession with the intent to develop a nationally-recognized professional body and consideration for chartered status. The UK is taking a leadership role in this effort that may well set an example for governments around the world. We are keen to support their work – ensuring the opportunity to build on the more than 30 years of international front line experience that has been comprehensively documented by (ISC)2 and our colleagues within the Alliance – to inspire a safe and secure cyber-world. While cyber-security was once purely the domain of focused specialists within IT, it has evolved to include a much broader range of governance, risk and policy experts. Still, a recognised skills gap exists which requires attracting more bright minds to the field. Reaching professional maturity and meeting the need will depend on the breadth of perspective and support that the Alliance is working to harness."
Michael Hughes, board director of ISACA commented: "At a time when cyberattacks have emerged as a clear threat to the economic and national security of countries throughout the world, it has been encouraging to see the UK take a leadership role in driving toward a national strategy that will strengthen capabilities and put more robust deterrence in place. We believe objectives such as the prioritisation of benchmarking cyber-capabilities and a sharper focus on the need to fortify the pipeline of highly skilled, well-trained cyber security professionals put the alliance on track to serve as a valuable resource in support of the UK National Cyber Security Strategy."
In her statement, Amanda Finch, general manager, Institute of Information Security Professionals (IISP), said her organisation has been a champion of professionalisation and career development: "Therefore, we are delighted to ... support the Government-backed initiative to harness the valuable knowledge and experience that exists across the various, well-established industry bodies. Working together with common goals is increasingly vital as we face growing cyber security threats and global disruption."
Ian Glover, President of CREST reiterated the industry’s need for a wide range of skills and capabilities, saying: "Therefore, it is important that the professional organisations representing different facets of our industry work together to harness knowledge and experience. While these bodies have worked together for many years, the formalisation of the relationships is a significant step forward in the professionalisation of the industry."
For techUK, Talal Rajab, head of programme – Cyber and National Security, commented: "Through bringing together these Professional Bodies and harnessing the full range of established cyber-security professional expertise, the Alliance will go a long way to providing a focal point for the sector on the cyber-security skills, competencies and standards needed to ensure that the UK has the skills needed to remain resilient to the growing cyber-threat."
The Security Institute
Mahbubul Islam, Director, The Security Institute said: "We are fully committed in propelling the delivery of convergence between Physical Security and Cyber Security, by working on common security principles and objectives with the Collaborating Alliance we will continue to support the UK Government’s Cyber Security Strategy including our own. The Register of Chartered Security Professionals (RCSP) support the CSyP (Cyber) which will allow us to fulfil our vision for the cyber security profession through this Collaboration Alliance."
Professor Roy Isbell, ITC Security Panel (Chair), WCIT, The Worshipful Company of Information Technologists said: "Cyber has been recognised as a discipline that is impacting all aspects of business and society. ... we need to identify the underpinning skills and expertise to meet the challenges of the current and fast-evolving digital era. The coming together and formation of an alliance of leading organisations already working in information and cyber security is a robust and significant step forward that provides the focal point to both guide the development of the profession and advise National Policy."
Jeremy Barlow, director of standards, BCS, The Chartered Institute for IT adds: "This collaborative development is not only a functional necessity, but speaks to a necessary culture change for organisations and individuals working in cyber. As with other established professions, there will be places where we compete, but we must collaborate and share as a diverse professional community for the good of everyone to ensure we do not let down the people we ultimately serve. It’s fantastic to be able to declare this with such a large field of distinguished organisations, and perhaps surprising to see for many who have worked in cyber security. This is a true reflection on a new culture and a new level of public need for the best in cyber security."
Lord Arbuthnot, Chairman, Information Assurance Advisory Council (IAAC) expressed support for a clear, comprehensible career path for those entering cyber security, and establishment of an authoritative voice for the Profession. IAAC particularly welcomed: "the breadth of its (the Alliance’s) composition, reflecting the wide range of skills and aptitudes demanded to ensure a safe and secure information society able to benefit from the many opportunities of the Information Age. We believe this will underpin the objective of making the UK the best place to do business online and to enhance UK resilience, while also setting a standard for others to follow."
Ahmed Kotb, IET cyber lead also said that: "It’s fundamental that cyber-security is seen as an established profession and we are in support of the need for a professional body to recognise the breadth of expertise within the industry.
"The Alliance offers the integration and coordination of existing Chartered and professional bodies across a range of cyber-disciplines, that can provide credibility and knowledge to help deliver this work."
Peter Cheese, chief executive of the Chartered Institute of Personnel and Development (CIPD) added: "Access to and use of data and technology is as much about the people as it is about the technology itself, and we need to ensure that people are properly aware and trained to understand and mitigate cyber risks for themselves and for their organisations."
Critical National Infrastructure sector warnings
The initiative somewhat steals the thunder of another new report accompanying a statement from the Joint Committee on the National Security Strategy which has been warning that the gap between the demand and the supply of suitably skilled cyber-security workers in the Critical National Infrastructure sector is a cause for alarm, adding that the UK Government has no real sense of the scale of the problem or how to address it effectively (report summary; full report).
The Joint Committee has published a report into Cyber Security Skills which concludes that the shortage in specialist skills and deep technical expertise is one of the greatest challenges faced by the UK’s CNI operators and regulators in relation to cyber-security. The Joint Committee says it is concerned by the Government’s lack of urgency and calls on ministers to step forward and take the lead in developing a strategy to give drive and direction.
A lack of detailed analysis of which CNI sectors and specialisms are most acutely affected is impacting on the Government’s ability to understand, and therefore address the gap between skills supply and demand. But a standalone skills strategy, promised by Government in November 2016 and which would frame and give impetus to its various efforts, will not now be published until December 2018.
The Chair of the Joint Committee, Margaret Beckett MP, said: "Our Report reveals there is a real problem with the availability of people skilled in cyber-security but a worrying lack of focus from the Government to address it. We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us; but also the much larger number of posts which require moderately specialist skills. We found little to reassure us that Government has fully grasped the problem and is planning appropriately.
"We acknowledge that the cyber-security profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on Government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, Government must work in close partnership with the CNI sector and providers to create a cyber security skills strategy to give clarity and direction. It is a pressing matter of national security to do so."
Responding to the report, Talal Rajab, head of cyber and national security, techUK said in a press statement: "The Joint Committee’s report rightly recognises that a lack of cyber-security skills in the UK is unduly affecting the ability of CNI operators to protect the critical sectors that we rely on in our daily lives. techUK welcomes the many initiatives that Government has conducted in this space from the classroom to the boardroom. This includes the recent announcement pertaining to the creation of a Cyber Professional Body that will establish career pathways for cyber professionals to enter the sector. We also commend the ongoing work of the NCSC’s Cyber First programme inspiring young people, especially girls, to consider a career in cyber. We look forward to working with Government as it increases activities to plug the cyber skills gap and protect the UK’s critical services."
David Kennerley, director of Threat Research at Webroot also emailed SC Media UK to comment saying: "Many organisations report that there is a scarcity of skilled engineers who are trained in cyber-security, and it’s become a bidding war to retain the critical talent needed for security operations. To manage this skills shortage, CISOs should work with their HR Departments to understand how to recruit cyber-security talent. Cyber-security is a growing field and sometimes it’s better to spot specific qualities in junior candidates that can be nurtured and mentored. This allows the organisation to retain talent who are more embedded within the organisation’s culture.
"Another approach is for organisations to become proactively involved in the cyber-security community, by sponsoring hackathons, internships or presenting at security conferences. Getting the organisation involved in the community helps candidates to understand the opportunities available and will help attract the sharpest minds to the industry."
Andy Kays, CTO at Redscan, almost pre-empting today’s moves, said: "Professional qualifications which reflect evolving security needs are hugely important. That said, the current qualification and certification landscape can be hard to navigate, particularly for businesses that don’t clearly understand the skills they need. It can also be difficult for cyber-security pros to assess the careers options available to them and make informed decisions. A chartered standard would help to make the situation clearer for all."
Adam Maskatiya, General Manager, UK & Ireland at Kaspersky Lab agreed, saying: "Businesses need security professionals with adequate skills to defend the likes of nuclear plants, hospitals and every imaginable critical infrastructure, which we depend upon, but our education system and the industry are not inspiring young people’s interests and talent in the field of cybersecurity – which is leading to a skills shortage.
"This issue needs to be addressed by the industry as well as the government. It’s increasingly important to equip children with cyber-security skills at an early age to give them an idea of what cyber roles entail with an onus on us as an industry to excite and encourage students to pursue a career in cyber security. One of the biggest reasons that this shortage exists is that security businesses have recruited people with traditional technology credentials. IT businesses should consider applicants whose non-traditional backgrounds mean they could bring new ideas to the position and the challenge of improving cyber-security."