The government is offering organisations the chance to bid for a grant to establish a council for cyber-security which would establish a path to Royal Chartered status for the profession.
The grant would initially be for between £1 million and £2.5 million for two years, funded from the National Cyber Security Programme, and cover the expenses of setting up a cyber-security council. Bids are currently being invited from organisations which feel they have the expertise to establish and run a council. The deadline is 28 February.
Raj Samani, chief scientist at McAfee, told SC Media UK he commended the initiative: "Any efforts for students to understand how to become a security professional have to be applauded."
Amanda Finch, CEO of the IISP, said her organisation had been working closely with the DCMS on this initiative and supports the proposal in helping to set out clear career pathways and provide "strong representation" for professionals in cyber-security.
"What is being proposed through this new initiative, is a positive development of governance and representation for the information security profession and we will continue to collaborate with other industry bodies to support the process," she said.
And Kevin Brown, managing director of BT Security, told SC: "The shortage of skilled cyber-security professionals is one of the biggest challenges facing security teams in businesses across the UK. We are delighted that the government has recognised this and is setting up the Cyber Security Council. The Council’s work will raise awareness about the fantastic career opportunities available in the industry. It will also provide clear pathways into the profession for a diverse group of people with different skill sets and from all walks of life."
A document, "Request for proposals – a new UK cyber security council", and the details of the outcome of a consultation can be found on the gov.uk website.
The consultation revealed strong industry support for a council and the development of a code of ethics for the profession. The Royal Chartered status would be a "gold standard of trust and expertise" for professionals to aspire to, the government said.
According to the document, proposals will need to demonstrate they can command broad support from organisations involved in professional development and the wider industry. "The criteria for assessing applications therefore places significant emphasis on how applicants intend to generate the support from the cyber security community and bring the existing landscape of professional organisations together in a more coherent way," it said.
Applications will be assessed by the Department for Culture, Media and Sports (DCMS) with support from the NCSC and others. Applicants could be single organisations or a consortium, but no applications from individuals will be accepted.
Work on the council will commence in April.
Chris Ensor, deputy director of cyber skills and growth at the National Cyber Security Centre (NCSC), described the idea of a council as "excellent".
"The idea of an umbrella council is exciting and has the potential to pull together the existing organisations in this space, providing the coherence and clarity we badly need," he said in a blog post on the NCSC website.
While the response from those we have spoken to has been positive, there were some questions about how the council would interact with existing bodies and how chartered status would apply to people who are experts in cyber-security but lack formal certificates and qualifications.
Alan Woodward, professor of computer science at the University of Surrey, told SC Media UK that he was hopeful that a government initiative will succeed where previous attempts from within the industry have not. "If a government backed institution were formed and had chartered status, certainly in the UK, I think it will eventually sit alongside the chartered status seen in other disciplines, and have real meaning," he said.
He suggested that perhaps initially the council could offer chartered status on a "grandfather" basis to people of long standing in the industry.
"I also wonder where it will leave other ‘institutions’ that have sought to become the gold standard for proving professional standards in cyber-security," he said. "I suspect the UK government version may supersede these others in the UK at least and, as with, say Chartered Engineer, Eur Ing, etc, it may start an international trend to recognise, as part of the ‘establishment’, cyber-security as a proper professional discipline."
Ian Glover, president of CREST, told SC it was an "important step" in the professionalisation of the industry, but added: "We do need to ensure that it does not impact on the strong working relationships that exist between the professional bodies and the work they are already doing."
He said: "It will be important that the Council is both recognised and supported by a very significant part of the cyber-security industry. It will also need to be recognised by employers and purchasers of services and products."