
Watch out for the charlatans!

How can you identify the genuine article?

In any trade, business sector or profession there will be charlatans – those who falsely claim to have a special knowledge or skill. In equal number, it seems, there will be schemes to prove that the people who pay to join their organisation are really the best and worthy of using, employing or trusting. The cyber security world is no different. There are countless people and organisations who purport to be the world’s leading authority in this, that or the other and, occasionally, in everything. As a layman, it can be difficult to distinguish expertise worth investing in from very little knowledge whatsoever.

Looking for a competent individual

As an individual who specialises in cyber security, it is important to know how to tell people that you are a genuine expert who can be trusted, and how to stand out from the crowd. This matters if you are self-employed, but it is equally important to your employers if they are going to trust you and, hopefully, promote you when you do well. If you are a business (large or small) and need some specialist expertise, how do you select the right person with the right skill set and experience to undertake the specific task with which you need help?

Firstly, you might look at qualifications, of which once again there are plenty. The CISSP has become the de facto standard for many, seen as a good grounding in general cyber security. It is sometimes criticised for being as wide as the ocean and as deep as a puddle, but that is not to diminish its benefit to those who have endured the arduous training course. There are plenty of others, though, mainly from ISACA in the form of role-specific qualifications best suited, of course, to those roles. It should not be assumed that because someone has a qualification in the secure management of IT systems they will be equally good at designing a security strategy or new IT systems; look for an IA architecture qualification in that situation. Some of the qualifications seen as setting the gold standard are those run by SANS, but they come at a substantial price.

The problem with all qualifications, though, is that whilst they are good at identifying those who have achieved a certain level of learning by passing an examination of some sort, they are less good at identifying those who have solid experience and are actually competent. Competence assessments are far fewer in number than qualifications, and the main reason is that they take much more effort to assess and to gain. GCHQ recognised this about 6 years ago when they designed and established the Certified Cyber Professional (CCP), now run by the National Cyber Security Centre (NCSC). This is very much a competence assessment of those who work in cyber security: a combination of checking the validity of the qualifications claimed and an interview with an approved assessor who checks the candidate’s experience and competence in the specific role for which they apply. More details for those wanting the certification, or wanting to find someone who holds it, can be found HERE.

Is your organisation good at cyber security?

Organisations face the same problem when they start to use a partner, to outsource, to trade with a new client or to share information with anyone in the many different ways available in the electronically-connected world in which we now operate. How can we trust that company? How can we prove they can trust us? How do we make sure we reduce the risk of those substantial GDPR fines for losing personal information? These are just some of the questions to be answered by organisations large and small. Fortunately, there are fewer certifications in this field in the UK, and perhaps just a couple that are really worth considering.

The UK government is keen that all businesses, regardless of size, sector, standing or anything else, have the very basic cyber security precautions in place. They created the Cyber Essentials scheme, and this is the very first step along the lengthy journey of effective cyber security. The basic level is a self-assessment against a standard set by GCHQ, which is then verified by an experienced assessor. This is rewarded with a certificate, usually valid for a year. The next level is Cyber Essentials Plus, where a validation check is made in the form of a vulnerability scan both internal and external to the organisation. Neither of these proves the organisation will never suffer a security breach, but they do at least reduce that possibility very significantly – the NCSC say by about 80%. The difference between Cyber Essentials and Cyber Essentials Plus can be found HERE.

Cyber standards

Once Cyber Essentials is established and working well in an organisation, they should move on to the 10 Steps to Cyber Security recommended by the National Cyber Security Centre (NCSC, part of GCHQ) and again issued by the government. It specifies additional areas (on top of the Cyber Essentials basics) that should be addressed. Whilst there is no certification here, it does help organisations gain confidence in their security status.

For larger organisations, and for those where higher levels of security are critical, the next step up is probably to gain the international information security standard ISO/IEC 27001:2013. This standard is assessed by experienced external auditors, who will expect to find good practice and procedures, and evidence that they are working effectively. Naturally there is an organisational overhead to gaining and maintaining this certification, and so it is more likely to be larger organisations who feel it is worthwhile, although there is nothing to stop any organisation obtaining it.

These certifications, though, often engender a feeling of compliance complacency. Those with less detailed technical knowledge, such as perhaps senior managers, feel that having achieved the standard and gained the certification they must now be secure and need not worry too much more – the “tick in the box” mentality. In the case of many standards, getting the certificate is no guarantee that the organisation is actually delivering the required level of performance. The maturity with which the cyber security controls are implemented is critical, and in this respect cyber security differs slightly from other management-type standards.

The nature of cyber attacks is such that they are constantly evolving at an ever-increasing rate, with new attack methods being invented all the time. If the controls are not implemented in a way that allows them to be reviewed and revised in a timely manner, they will be overcome by the attackers’ latest attempts. An assessment of an organisation’s maturity with regard to its cyber security controls can be undertaken with an independent evidence-based tool developed by Dstl on behalf of the Ministry of Defence. The Cyber Defence Capability Assessment Tool (CDCAT) is based on a wide range of international frameworks and standards, and uses real-world evidence to provide a comprehensive report showing where the controls lack maturity and hence represent organisational vulnerabilities. With assessments of any system typically completed in less than half a day, the organisation gets a clear indication of where its limited financial resource should be spent.

Training – is it any good?

One of the activities very commonly undertaken by most organisations, and seen as a critical component of effective cyber security, is training. Training for staff in general, and for experts and specialists in particular, is one way most organisations seek to address the ever-present cyber threat. Once again there are many training courses, all promising the best outcome of educated staff and well-qualified specialists. The choice can be bewildering, and there is no clear way to compare the claims of the different training organisations. GCHQ recognised this and developed a scheme to help people differentiate between the merely adequate and the best training. The scheme, called the GCHQ Certified Training scheme (GCT), set a standard for technical content. Based on those standards, APMG certifies the course material, the trainers and the administration processes surrounding the course – forming a truly comprehensive assessment process. There are now over 60 certified courses from a wide range of training organisations, in a variety of formats including online, and at prices starting at free.

Digital Badges - Share your success

Look out for courses and training offering an APMG exam and digital badge. Successful candidates can share their credentials online with a secure digital badge via social media, or as part of a digital CV.

Conclusions

Certifications are seen as a critical way of distinguishing good from bad. When looking for good people, good organisations or good training, finding the right certification, run by the appropriate certification body with the backing of the UK’s national accreditation body, UKAS, should be at the top of the list; APMG International can help you find solutions to your requirements. Visit our Cyber Portfolio HERE.
