
Consultation on ‘cyber profession’

by Mark Rowe

What should the cyber security profession look like? That is among the questions posed by a DCMS consultation document.

In a foreword, junior DCMS minister Julia Lopez points to the UK Cyber Security Council, a professional body launched in March 2021, which she says has to be ‘empowered’ as the voice of the sector. She admits that ‘we have not yet made it easy enough for businesses to know what specific skills they need’. She writes: “The term ‘cyber professional’ encompasses many different specialisms covering those who design systems to be more secure, those who test security, those who research threats, those who detect intrusions, those who respond to incidents and many more. It is hard enough to establish what sort of specialist you need but even harder to establish if a specialist has the skills you need, and the qualifications or experience to demonstrate those skills.” As Lopez, Minister for Media, Data, and Digital Infrastructure, says, that council will, in time, ‘raise the bar, acting as a force to raise standards and to ensure that people working in cyber are properly equipped to protect us from criminal gangs and hostile states’.

She sets out how a better organised cyber profession will also make it easier to attract and retain people – including a more diverse workforce – in cyber, as a career. “People need a clear understanding of the pathways available to them.”

Inside the consultation, the document admits that the UK has ‘an annual shortfall of 10,000 professionals entering the UK cyber workforce’; and that the sector has ‘diversity shortcomings’ as (like other arms of security) few workers are women. As the document says, we know what the shortcomings are; for example, the ‘qualification and certification landscape is hard to navigate’. In other words, to make a start in cyber, and to progress, what degree or other exams ought you to pass – or is it better to go by experience?

Among the questions posed in the document: ‘how we can more readily recognise expert practitioners’? Should there be a ‘centrally-held Register of Practitioners’? If so, should those practitioners on the register have to periodically meet their continuing ‘competence and ethical requirements’? More assertively, the document asks whether ‘under-qualified professionals should be prohibited from carrying out activities related to a specialism until they are qualified’.

The UK Cyber Security Council recently applied for Royal Charter status. But how to embed professional standards and pathways, so that businesses take up cyber and act on known online vulnerabilities, for ‘organisational resilience’? The document explicitly asks if government intervention is required, or if the market can define professional standards; and if DCMS intervention is required, would it take a law, or something short of law such as guidance? And should a law be made to make the UK Cyber Security Council the standard-setter, or to regulate the use of professional job titles? Or would that only make the skills shortage worse?

Speaking more practically, the consultation asks employers if they would be ready to pay more to cyber people, if they can show ‘an assessed competency based on a regulated professional title’. And should public procurement require ‘competency requirements’ for cyber security?

You have until March 20 to respond to the consultation, titled ‘Embedding standards and pathways across the cyber profession by 2025’. For the document in full visit the DCMS website.

Separately, the DCMS is consulting to April 10 on proposals for new law about cyber resilience, particularly in organisations which play an important role in the UK economy, like managed IT service providers. Here the DCMS has in mind the high-profile cyber attacks on SolarWinds, the US Colonial Pipeline, and managed service provider Kaseya, which although based in the United States had effects on UK users.


© 2024 Professional Security Magazine. All rights reserved.
