Anne W, Head of Industry Assurance at the NCSC talks about the CCP scheme and how it is helping to make the UK a safer place to live and do business online.
One of the best aspects of my job, is I get to be involved in so many different things that make a difference to the cyber security of the UK. My name’s Anne, and I head up our Industry Assurance team at the NCSC. We are responsible for running the NCSC schemes that provide confidence to UK consumers that the cyber security services they are buying meet the standards we set as the UK’s National Technical Authority for cyber security. From people, professional services through to specialised products, the NCSC sets the standard for what good looks like and assesses industry against those standards.
One of those schemes is our Certified Cyber Professional Scheme (CCP) , and I’m delighted to have been asked by APMG to talk about it a little in this blog.
So what is CCP and why did the NCSC decide to create it?
CCP was envisaged over 10 years ago.
There are lots of people in the UK working in “cyber security”. But from a consumer perspective, it's difficult to identify the good from the 'not so good', particularly if you’re not an expert yourself. This is also true if you’re an employer; how do you know what good looks like for your own recruitment or staff development perspective?
This is where we believe CCP fits in.
The CCP scheme is a recognition of competence, with certification or associate membership awarded to those who demonstrate their sustained ability to apply their skills, knowledge and expertise in real-world situations.
10 years is a long time in cyber security, what’s changed over that time?
When the scheme was first developed, it was primarily focused on serving the needs of UK government. It was, therefore, originally based around certification of practitioners against standards that aligned to specific government roles. We had always intended that it could be applied in a sector agnostic way, however, as the NCSC’s remit expanded to cover critical national infrastructure and the wider economy and society, it became clear that those roles, whilst they made sense to government, didn’t map easily to other sectors and how they operated.
So, we listened to what users of the scheme told us was important for them and discussed with NCSC subject matter experts and other industry specialists working in cyber security how we could reshape the scheme. We also worked with our scheme partners, the Certification Bodies, including APMG, that act on our behalf. This led to us developing new standards based around cyber security “specialisms”, as well as the establishment of foundational knowledge prerequisites and changes to the assessment process.
We believe that specialisms are much more widely understood and should lead to wider recognition of the value of CCP for all sectors. Moving to specialisms also ensures coherence with other work in this area, such as the Cyber Security Body of Knowledge (CyBOK), which provides a guide to the underlying knowledge for specialisms and is more closely aligned to the way that other professions operate.
What does recognition under the CCP scheme signify?
It’s important to remember that those individuals recognised under CCP are not operating on behalf of the NCSC. Recognition by the NCSC under the scheme is a demonstration of a practitioner’s competence and a benchmark for the cyber security profession. Under the new specialism’s framework, where we recognise Risk Management and Security Architecture skills, knowledge, and competence, we can be sure that all our professionals have a comparable level of validated foundational knowledge.
This is important for the NCSC, because it helps to raise standards across the UK and formalises what people wanting to make a career in cyber security need to know. This is a key objective of the new National Cyber Strategy which calls out the need for “a higher quality and more established, recognised and structured cyber security profession “
The NCSC now recognises 2 levels of expertise. Achieving specialist status at either of these levels will inevitably take some time over a career in cyber security.
- Recognition as an Associate Cyber Professional means that the NCSC affirms an individual’s expertise in a range of typical scenarios, and that they are an effective and skilled member of a team or within established organisational processes.
- Recognition as a Certified Cyber Professional means that the NCSC affirms an individual can apply their knowledge and skills in a range of organisations, with an ability to deal with technically more complex scenarios and different environments. In addition, only Certified Cyber Professionals can act as Head Consultants in an NCSC Certified Cyber Security Consultancy. It's also required if you wish to become a CCP assessor.
It's also worth noting that for the Risk Management and Security Architecture, the standards are aligned to the NCSC’s own standards which we use to recognise the expertise of our own staff.
If you are a professional thinking of applying …
…. I’d say read the detailed information on our website, and when you are ready, go for it!!
You will have your professional expertise and competence independently assessed and verified by Certification Bodies approved by the NCSC and your ability to apply your knowledge and expertise effectively to deliver business benefits confirmed. This will set you apart from others and you will become part of a recognised and growing professional community from which employers can recruit cyber security professionals as employees or contractors.
And if you are an employer looking to recruit staff or employ contractors ….
Ask if they have been recognised under CCP. If they have, you can have confidence that the people you are employing have been independently and rigorously assessed and that they have demonstrated their expertise in cyber security and their ability to apply skills, knowledge and experience effectively in a business environment.
You may also want to consider influencing your own suppliers to use the scheme as a benchmark for their staff; this can help to reduce your supply chain risks by giving you increased confidence in your suppliers' ability to effectively manage risks to information — both yours and theirs.
Finally, if you are looking to increase the maturity of your own cyber security workforce, take a look at CCP. It might not necessarily meet your business needs, but looking at the assessment process, standards, and rigour that we apply may help you to think about what you need to do when recruiting and developing your own staff.
A final word on working with APMG
The NCSC has worked with APMG in several places, not just CCP, so this is a good opportunity for me to thank them for their continued support to the NCSC.
Cyber security is a “team game”; the interconnectedness of the world, plus the rapidly changing landscape means that the NCSC can’t possible do what it does on its own. We rely on partners, such as APMG, who are always willing to lean in to helps us when we ask or challenge us to keep us on our toes. They really do help us extend the NCSC’s reach; together we are helping to make the UK a safer place to live and work online.
