(ISC)²: UK Plan for Cyber-skills Development is 'Worrying'

UK government plans to establish an “approved standard” and potentially underwrite “chartered” status for UK cybersecurity professionals have been called “worrying” by John Colley

The Department for Business Innovation and Skills released a policy paper on cybersecurity skills in advance of the UK budget last week, outlining specific initiatives to be funded in 2014/2015. Among other things, the report outlined the intent to mandate compliance with the GCHQ-led CESG Certified Professional (CCP) scheme as a foundation to accredit private sector training. The scheme would also form the basis for developing university curricula, for funding incentive schemes through the Higher Education Authority, and for providing guidance for businesses of all sizes.

Further, only “relevant” courses accredited under the CCP scheme would be eligible to be showcased on the government-recognized education site, the e-Skills UK Cyber Academy Learning Pathways.

Colley said in a statement that the policy makes for an over-reliance on the CESG CCP as a foundation for all skills development in the UK.

“This is worrying. I fear the CCP scheme will not meet the needs of the commercial sector,” he said. “This scheme goes into fine detail to define roles, several levels of competency specific to those roles, and locks everyone into a rigid, expensive and over-complicated process, for maintaining something that is never going to be fit for purpose.”

GCHQ, the UK’s intelligence and security agency, was funded to develop the CCP scheme, and worked to define six roles for government in October 2012. A seventh role was added to the scheme last week and there are plans to define several more. The scheme in general has been developed based on the IISP skills framework published in 2007. Colley said that the potential for the threat landscape to move faster than government updates to the program is one of the largest and most legitimate concerns.

“GCHQ brings a lot to the table, but it is not the only perspective that is relevant here,” Colley said. “It is important to see strong endorsement from government for cyber training and education programs, but one with such a narrow focus is limiting. By the time everything is documented and published, there is a huge risk that requirements will have changed.”

For its part, the government has been nothing but bullish on its plan. “Since its launch [in 2012], the CESG Certified Professional scheme has been warmly welcomed and endorsed by government cybersecurity professionals,” said Chloe Smith, minister for Political and Constitutional Reform, in a statement. “With demand growing from industry to be part of the scheme, now is the right time to open up CCP and set a unified standard for cyber security professionals right across the UK.”

Colley wants to add additional sources of skills development to the mix, like those available from the (ISC)² itself. “We need to cultivate volumes of people with solid foundations to develop and adapt in what is a very dynamic field of practice. People following the CCP scheme will be locked into a focused career path and struggle to move laterally, which is exactly how people develop that all-round knowledge and experience that allows them to advance in the commercial sector today. I would like to see a broader, more inclusive approach that allows market-influenced development to continue to respond to the very fluid requirements of the profession.”
