June 27, 2022
The consultation was published on 19 January 2022. It was used to gather feedback as to whether the UK Cyber Security Council needs to be empowered further to fulfil its role as the professional authority and standard setting body. The consultation considered both legislative and non-legislative interventions.
Several key concerns were reflected in the responses. Respondents noted that the profession has evolved to be complex and career pathways are not always clear. The Council has now identified 16 specialisms in cyber security and has created a career route map, which will offer information on these 16 specialisms and the skills and qualifications needed to pursue them. This will simplify professional pathways for those already working in cyber security and demystify it for those wishing to enter, thereby attracting more people into the profession.
Respondents also noted that cyber security is of increasing importance, but at the same time it is increasingly difficult for those hiring cyber security professionals to know whether a candidate is suitably qualified. The Government says that the launch of associate, principal and chartered standards for the 16 cyber specialisms identified by the Council will help with this problem.
While there was consensus from respondents that titles and role definitions within the cyber security profession are inconsistent, it was observed that artificial division of responsibilities within roles was not useful either. To address this, the Council will pilot professional standards based on specialism, rather than role type, which will give more flexibility to practitioners.
Respondents urged the Council to consider existing qualifications and how their equivalence with Council standards could be articulated in order to create a coherent overall framework. The Council is currently developing a qualifications framework which will map the equivalence of existing qualifications against Council standards as far as possible. It was also emphasised that individuals with extensive experience did not hold certifications and should not be excluded on this basis. A competency-based assessment process for standards will now consider the experience of those without qualifications.
The importance of international alignment of standards was emphasised in many responses. The Government notes that cyber security is international in nature and that attracting talent is important for the sector. Respondents highlighted the need to recognise and map international qualifications against UK standards. As well as looking at UK qualifications, the Council’s qualifications framework will map established international accreditations against Council standards on an iterative basis.
Respondents supported proposals for alignment between the Council’s standards and government recruitment, procurement and schemes. The Government will work to map the Council’s professional standards to existing recruitment, procurement and other schemes as far as possible.
The question of regulatory intervention was a key part of the consultation. Respondents were asked whether regulation by activity should be explored in future and, separately, whether regulating by title should be brought in at this stage. Overall, respondents were opposed to the idea of regulatory intervention, though there was more support for it among organisations than individuals.
Commonly expressed concerns were that the Council is at an early stage in its development and that regulation would exacerbate the current shortage of cyber security professionals and introduce barriers to entry. Considering this feedback, the Government says that it will not regulate at this time. Instead, it will promote the Council’s standards where appropriate opportunities arise. This might include guidance for organisations on their cyber resilience, guidance from regulators to assess their security posture, and best practice in procurement, recruitment and staff retention. The Government will also work with certification bodies to ensure they transition to align with the Council’s standards. It will observe the uptake of the Council’s professional standards and, if the level of uptake is not sufficient to embed the profession, it may revisit the idea of regulatory intervention in future.
The proposal for a register of practitioners was met with a mixed response. Just over half of respondents disagreed with this proposal (though most of the organisations that responded agreed with the idea of a register). Some respondents said that any register should be voluntary. The Council intends to create a voluntary register for those who meet their professional standards, listing individuals who are accredited at associate, principal and chartered level.