Durgesh Gaitonde shares his experience of the CCP assessment process – so you know what to expect
My CCP certification was due to expire when I realised NCSC were re-defining the entire Certified Cyber Professional (CCP) scheme, moving away from role-based certification to specialisms. Whilst I was already CCP certified in the previous role-based scheme, my natural preference was to be recognised as a risk management specialist (rather than renewing my certification through the existing scheme) – as a result I applied to be part of the pilot.
Although I have had other industry accreditations and affiliations with APMG, ISACA, IAPP, the Engineering Council and CIISEC, an attestation that I am a Certified Cyber Professional from a government body such as NCSC adds further proof of my professional expertise and competence. CCP is also independently assessed to the highest standards. I was grateful to NCSC and APMG to be able to participate in the pilot, which, I later realised, also allowed me to feed back into the wider process.
As this was a pilot, APMG was testing the new process. The overall process for the risk management specialism evaluation was an independent and rigorous assessment conducted in two stages. The first was the demonstration of foundational knowledge; the second was the assessment of specialist knowledge through a case study and interview. To be successful, the requirement was to pass both stages.
Foundational Knowledge
To start with, and to qualify for the specialism, a pre-requisite is to evidence foundational knowledge of cyber security that demonstrates a breadth of application within the cyber security field. This can be done in various ways: by having relevant academic qualifications, industry accreditations along with membership in good standing, or professional memberships of cyber security professional bodies that are recognised by NCSC.
For me personally, I could demonstrate the first step in various ways, but one thing to note is that the academic qualification pre-requisite must be an NCSC-certified degree (undergraduate or postgraduate).
Once the foundational knowledge of cyber security prerequisite is satisfied, the next stage is to demonstrate work conducted for customers in the real world, in the context of the cyber risk management specialism, determining the extent of my technical knowledge in the specialism and my ability to effectively apply this in a consultative capacity.
The Assessment Process
As a part of the next stage, I was asked to provide case studies to show my industry experience. The requirement was to provide a maximum of two case studies, as it was recognised that in some cases one case study was not sufficient to cover all the criteria comprehensively. If I had been able to provide enough evidence comprehensively in one case study, that would have been great, but, considering the comprehensive criteria, the domains within risk management that need to be considered, and the format requirements (e.g. no more than two sides of A4 in Arial 10-point text size or equivalent), it isn’t easy to fit everything into a single case study. I was given feedback through the pilot, which resulted in a couple of rounds of iteration on the case study to ensure it fitted the requirements.
Personally, what I liked about the case study aspect was that it was a very comprehensive and holistic approach that included all aspects from technical to non-technical. That is, it covered an individual’s understanding and experience of the subject, with consideration of its size, value, complexity, strategic importance, technical abilities and interpersonal skills, with stakeholder management at various levels. It also revealed my capabilities through knowledge and experience, holistically, including business knowledge, security knowledge, and how I apply my technical security and risk knowledge to the relevant business in its industry sector, together with the consideration I gave to business need, cost, people, process and products, as well as its supply chain. It also required me to demonstrate knowledge and application of the principles of my specialism (Risk Management) and how these were applied in the specific scenario, with details of approach and methodology. After going through all the hard work of drafting the case study, you need to note that the assessors can come back for more clarification and, depending on the assessment, the case study could be rejected or approved. So, one needs to make sure that the case study fits the requirements and that it actually happened.
A further rigorous step added to this is that the case study needs to be, and was, supported and validated by appropriate referees, who can confirm the content of the case study and that I actually did the work described in the case study I provided. Only after the assessors were satisfied with the content and verification of the case study was I able to progress to the next and final stage of the rigorous process: the interview!
The Interview
To give a flavour of how long it takes to get here – it took almost four weeks to get to this stage, and I couldn’t imagine the excitement as well as the nervousness of getting to this stage. As the interview was going to be a long two-hour interview on the scheme specialism (risk management) application, I wasn’t sure what to expect, and I had a long day ahead of me. Considering where I was based and the location of the interview, I just made it in time, given the travel time and the travel disruptions on the day (as this was before COVID, when in-person travel was possible)! The good thing now is that these are likely to happen remotely, though the rest of the criteria won’t change, e.g. the interview length and the assessment criteria.
I think it is important to emphasise that the assessment process is rigorous; it is not as easy as one might think. The interview lasted the complete two hours, with two assessors / interviewers checking my technical, security, business and risk management knowledge in the context of the case study submitted.
Believe it or not, it started with me being asked to set the scene by making a statement about the business and the problems faced. Then we chatted about the methodology of the chosen risk management principle and technique, how I went about it, how I took technical and non-technical stakeholders on that journey, key issues I faced and how I overcame them, through to my technical security knowledge on a wide range of subjects, ranging from the physical and network layers to data, security controls, concepts of coding, and the security concepts of people, process and technology, as well as supply chain and relevant regulations. Not just this, but how the risks were identified, assessed, mitigated and tested to provide assurance on the treatment and, also, if there were risks that couldn’t be treated, what else could be done differently!
I couldn’t believe the relief I felt at the end of those two intense hours. The relief turned into excitement, and the happiest moment came when the assessment results were shared. I was honoured to be a Certified Cyber Professional (CCP) in the Risk Management Specialism. The high standard the new scheme is set to is due to the holistic, intensive and rigorous process involved. I also believe that being CCP certified didn’t just verify my level of expertise and competence but also sets me apart in the wider cyber security community, with an independent attestation from a government body such as the NCSC.
Was it worth it?
Yes, there is the element of cost. So is it worth the cost, time and effort?
Certification does not guarantee precision, but it provides a degree of validation of one’s skill and knowledge in the chosen field and attests one as a trusted advisor in that chosen domain, especially when the certification comes from a body like NCSC: it’s trusted. So, would I endorse going through the whole process for someone who can demonstrate the skills, knowledge and experience? Absolutely, it’s worth the money and value in the long run!
Certified Cyber Professional (CCP)
CCP is recognition by the NCSC for competent cyber security professionals. APMG is a Certification Body for the CCP assured service – recognising individuals who meet the National Cyber Security Centre’s assessment standards. To find out more information or apply, see the Certified Cyber Professional (CCP) assured service product page.