Features 14.11.2023

Understanding the UK Cybersecurity Professional Standard

Advocates for the professional standard envision creating a clear career path through a complex and disjointed cybersecurity industry.

As the owner of the Royal Charter for Chartered Cyber Security Practitioners, the UK Cyber Security Council is the only body in the world that can charter infosec pros. In the wake of its successful pilot, Danny Bradbury takes a look at the journey to Charter so far and, more importantly, at what happens next.

Assured Intelligence makes a simple promise: to keep cyber content as human and acronym-free as possible. The professionalisation of the industry is a topic that’s impossible to write about without acronyms, so on this occasion, we accept defeat. To do justice to this important topic, we’ve dived in with both feet, ugly acronyms and all.

For those who just don’t have the stomach for it, we’ve created a one-paragraph summary in a box at the end of this feature. You are welcome! For everyone else, strap in…

October was a big month for the UK Cybersecurity Council as it ushered the first cohort of 100 people through its cybersecurity professional standard process. They are the first people to be listed on a new register of cybersecurity professionals backed by a Royal Charter.

What exactly is a royal charter? It’s a formal document, issued by a monarch or government agency, that grants privilege, power or rights to a person, group or institution.

Chartered status is often reserved for long-established industries like engineering, accounting, and banking. Cybersecurity is embryonic compared to these professions.

Advocates for the professional standard hope it will do more than give people the right to use letters after their name. They envision creating a clear career path through a complex and disjointed cybersecurity industry.

“You’ve got an immature industry that is growing up in silos with everyone trying to meet objectives that fit their own business needs,” says Debi McCormack, communications director at The Cyber Scheme, a training and examining body for the CHECK penetration testing certification.

“We are very conscious that a lot of the biggest training courses within the cybersecurity industry are the ones with the biggest budgets,” she added, countering: “They’re not necessarily the ones that are the most highly regarded within the industry.”


The current tangle of cybersecurity certifications creates a problem for professionals planning their careers, she warns: “There’s no real clear pathway around which certification to take. It’s whoever shouts the loudest.”

The problem also makes it challenging to bridge the skills gap, warns Andy Woolhead, head of cyber skills and certifications at CREST, another CHECK examining body. At the time of writing, CREST and The Cyber Scheme were preparing to announce their status as licensee organisations for security testing, one of 16 specialisms under the Council’s professional standard.

HR departments often list every possible certification when advertising cybersecurity jobs because they’re trying to cast their net wide in an industry with a noted skill shortage, explains Woolhead. “It has the opposite effect because people think ‘I haven’t got all those, so I’d best not apply’.”

The road to chartered status

In 2018, the Department for Digital, Culture, Media & Sport (DCMS) began looking for a way to cut through the whole tangled mess. It consulted on creating an independent UK Cyber Security Council as part of its Cyber Security Skills Strategy.


In response, an alliance of UK organisations formed to develop a national professional body for cybersecurity that could apply for chartered status. The alliance included the Institute of Information Security Professionals, the IET, CREST, and (ISC)2. It also featured chartered institutions from several sectors, including the BCS (the Chartered Institute for IT) and chartered institutes for forensic scientists and personnel and development.

The alliance’s creation led to the IISP securing a Royal Charter in 2019, making it the only cybersecurity-focused organisation with this Royal assent. It subsequently changed its name to the UK Cyber Security Council and launched its professional standard for cybersecurity.

In 2022, the Council took over running the National Cyber Security Centre’s (NCSC) Certified Cyber Professional (CCP) certification scheme. This summer, the NCSC announced that it was closing this certification to new applicants. Current CCP titles remain valid until the last one expires on December 31, 2026.

How exactly does it work?

A Royal Charter is granted to an organising body by the Privy Council on the monarch’s behalf. The UK Cyber Security Council’s was the last charter awarded by Queen Elizabeth II before she died. The professional standard registers practitioners at one of three levels, in decreasing order of seniority: Chartered Cyber Security Professional (ChCSP), Principal (PCSP) and Associate (ACSP), across 16 specialisms.

In October 2022, the Council officially announced its first pilot specialisms: Cyber Security Governance, Risk Management and Secure System Architecture and Design. (ISC)2 and the Chartered Institute of Information Security (CIISec) served as licensee organisations. Almost a year later, on Oct 5 2023, it awarded titles to the first 100 chartered cybersecurity specialists under these specialisms.

The Council is already lining up other specialisms. It announced the Cyber Security Audit and Assurance specialism pilot in May 2023, with ISACA acting as the licensing body. Security Testing will be the fourth, followed by Incident Response.

What it takes to attain a charter

To be listed on the register, a cybersecurity professional must be a member of a licensee organisation. They must also hit requirements in five other competence areas: knowledge, understanding, and experience; communications and interpersonal skills; collaborative management, leadership, and mentoring; integrity; and personal commitment.

McCormack said that ACSP titles would concentrate heavily on the accrual of Continuing Professional Development (CPD) points in cybersecurity, primarily through training. The more senior ChCSP title will examine how experienced individuals are giving back to the cybersecurity industry, including the creation and publication of original content in the sector. An extensive application process will also assess past roles and query references. While ACSPs will focus on one specialism, ChCSPs will be expected to have experience in multiple specialisms alongside their core expert specialism, demonstrating their breadth of knowledge.

What happens to the other industry certifications?

The Council’s professional standard doesn’t operate in a vacuum. What happens to the other certifications that professionals have already paid for and continue to pursue?


“Mapping the charter’s principles and requirements to relevant certifications can provide clarity and promote consistency in the cybersecurity profession,” says Javvad Malik, lead security awareness advocate at training company KnowBe4. “This alignment can enhance the value and relevance of certifications and help professionals navigate their career paths more effectively.”

There will be correlations between the Council’s professional standard and some industry certifications, such as the CHECK pen testing certification framework. The Council is mapping various qualification frameworks in different specialisms against its standard, which will help ensure that holders of other certifications get a head start on the route to inclusion on the register. However, McCormack anticipates that some certifications will not be mapped.

“There will be certifications that will not align with the intentions of the Council,” she says. “That might be because they are not providing the knowledge, skills, and behaviours that a cybersecurity professional needs.”

Sustainability challenges

Creating a single professional standard involves a lot of heavy lifting for an organisation, and one of the biggest challenges is the project’s sustainability: it is funded by DCMS only until 2025. The onus is on the Council and the licensing bodies to make the initiative financially self-sustaining, as renewed funding is always uncertain.

While there has been lots of volunteer support in the initial stages of building the charter initiative, that is not sustainable, Woolhead warns. For the venture to succeed, it must scale, which means driving both the demand for and the supply of candidates.

“Scaling comes at a cost. We’ve got to work out how we keep those costs down so we don’t raise the barriers to entry,” he says, adding that the Council will charge licensee organisations, which will have to pass some of that cost to candidates while trying to keep things inclusive.

Individuals must also be persuaded of the value of registration if the supply of professionals is to materialise. Woolhead says that while the private sector is still cautious, the Council has had encouraging conversations with every regulator in the UK, all of whom have pledged support.

“If the regulators won’t let anybody come and pen test their water plants unless they are chartered, that is going to drive the demand for standardisation, and that is exactly what is needed,” he continues.

More specialisms are coming. At the time of writing, the Council was lining up Incident Response; Secure Operations; Cyber Security Generalist; Secure System Development; and Cyber Security Management. The others in the pipeline are Digital Forensics; Cyber Threat Intelligence; Network Monitoring and Intrusion Detection; Secure System Architecture and Design; Cryptography and Communications Security; Data Protection and Privacy; and Vulnerability Management.

Developing the underlying intellectual property to support the professional standard is a gargantuan task, but that is just the beginning. Encouraging adoption will involve a lengthy education process as the Council convinces the UK industry of the standard’s value. This is critical for the project to become self-sustaining should the government fail to renew the funding at any point. The Council has a tough job ahead of it, but it also has some of the most influential bodies in the cybersecurity market behind it.

The Cybersecurity Royal Charter in a Nutshell

  • The UK Cyber Security Council owns the Royal Charter and is the only body in the world that can offer Chartered Cyber Security Professional status.
  • The Council ran a professional standard pilot scheme, launched in 2022.
  • Practitioners can register at Chartered, Principal or Associate level (in order of descending seniority).
  • Over 100 infosec pros who completed the pilot scheme make up the first cohort to ‘graduate’ as chartered cybersecurity practitioners.
  • The Chartered Institute of Information Security (CIISec) is the first licensed body for the council.
  • More specialisms are coming, including incident response, cyber security management, digital forensics and vulnerability management (amongst many others).
  • The project is being funded by DCMS until 2025. The onus is on the Council and the licensing bodies to make the initiative financially self-sustaining, as renewed funding is always uncertain.
  • The Royal Charter needs buy-in from individuals (seeing the value of registration), regulators (to require chartership) and industry (to scale and find a way to self-fund) to have a healthy and sustainable future.
