CESG (the information security arm of GCHQ), in partnership with APM group, launched the CESG Certified Training (CCT) scheme today, which Chris Ensor, deputy director for the National Technical Authority at CESG, explained to SCMagazineUK.com, is part of the wider National Cyber Security Programme Objective 4: Building the UK's cyber security knowledge, skills and capability – a programme that also saw accreditation for six out of 27 UK cyber-security Masters degrees earlier this year.
Ensor told SC that there was no specific target for numbers to be trained under the CESG accredited courses, but a primary purpose was that those in the industry seeking to improve or demonstrate their skill level would have independent criteria to help them navigate through the cyber-security training landscape and choose from the options available.
“Professionalising this space is long over-due – it's been the preserve of gifted amateurs for too long,” Andrew Fitzmaurice, chief executive, at Templar Executives, one of the first training companies accredited under the new scheme, commented to SC at the event.
Ensor told delegates that there is a need to understand the roles involved in cyber-security, as, unlike say medical specialisations, it is a less mature profession that is still developing. Hence the importance of agreeing its common skills framework and how to assess competence, test to manage risk and provide confidence in the abilities of practitioners. This included the fact that many organisations didn't have the skills to know what skills were needed as they did not have the initial base line – which external accredited qualifications would go some way to remedy.
Richard Pharro, CEO of APM Group concurred telling SC: “(CESG accredited courses).. let the board know if they are getting the right advice. Previously you could ask, who says that the Risk Officer knows anything? Now, as a professional filling a role, they can demonstrate they are meeting standards established by CESG. And this demonstration of capability is equally good for the wider private sector.”
It is acknowledged that the CESG approach has been public-sector oriented, but the view is that the roles and skills are common between public and private sector, and thus it is appropriate to share the approach and development pathways it has created to provide a blueprint for companies to develop their own training, having identified the skills needed to do the job.
Ensor was also asked by SC about the difficulty of attracting suitable staff to CESG itself given the skills shortage and perceived differences in private and public sector remuneration, but Ensor insisted that staff did get suitable recognition, and that the issue was monitored, commenting: “We have a lot of people coming to us from industry because they recognise that what we do is very important – and they also recognise that we are a very tech-savvy organisation,” hence the job itself provided an attraction for many. He added: “At CESG we are focussed on the top-end specialists, but there are opportunities all the way down and we look at multiple supply routes to fill our own staffing requirements including apprenticeships.”
The CCP certification bodies are APM Group, BCS, and IISP whereas APMG is the only certification body for CCT and the only CESG approved independent certification body for training in the UK, and it will manage the scheme. Pharro of APM Group, explained to SC that these new courses are not in competition with the professional bodies, noting: “Some CESG courses lead to ISACA or ISC(2) or other qualifications, so where we have assessed against our criteria, we can approve. It's not a competition. (in most cases) It's for people with something (a training course) that doesn't lead to a qualification, so how do people know if it's good?”
Sarb Sembhi, a director of Storm Guidance agreed, telling SC: “It's not competing with say ISACA or ISC(2) as the process has been inclusive – as has the work with academics – with people invited to participate and contribute, with things such as drawing up the skills framework.”