Browse our certifications
Find training
Open page navigation
IT GovernanceIT ManagementRisk Management

Though every day is different, this blog highlights some of the regular activities I undertake as a Certified Cyber Professional

Is there such thing as a typical day as a Certified Cyber Professsional consultant? I would argue not. This is because the range of activities you can be involved in is so varied and each client you work for brings different challenges. However, there are certain commonalities between tasks and similarities in the types of deliverables you will be asked to meet. Below is an outline of what I have found to be the most typical aspects of the life of a senior Certified Cyber Professsional (CCP).

What will you be doing?

Firstly, preforming risk assessments. This is the bread and butter of the CCP consultant – because the application of security is a risk management activity. However, the risks assessment methodology you use may depend on the type of work you are asked to do or the type of client you are doing it for.  It may be the case that the client already uses a specific methodology which they would like you to follow, or they may want you to choose the best methodology to fit the situation.  It is always useful if the proposal document states clearly which risk assessment methodology/frameworks are to be used as you may need to spend some time reading up on them beforehand.  

Secondly, you are likely to be involved in taking the risk assessment further and participate in developing (or updating) the client’s accreditation documentation. As with the above, the type of work you are doing, and the nature of the client will likely impact the style of accreditation documents you will be updating.  For example, some government departments still use the old RMADS style documents whereas commercial or private organisations will likely have their own document set based on their idea of best practice.  In any light, most document sets will have the same core aspects; description of the system, asset identification and impact levels, risk assessment, identification of security controls (baseline control set), residual risk register and risk treatment plan. The names may differ, but all those aspects should be there.

Thirdly, you may be asked to preform security audits. Security audits can take several forms; you may be required to help complete the internal audit of an organisation against an international standard (such as ISO27001 or NIST 800 series).  Alternatively, you may be required to preform a gap analysis against a standard – typically if the client organisation is preparing to go for accreditation to that standard. This means that you will need to have a working knowledge of several major standards or frameworks.

Additionally, you may be asked to provide reviews on things such as architecture or policies and provide ad hoc guidance and advice on how the client can better improve their security posture. When preforming these types of activities, it is always important to keep in mind what deliverables you are contracted to do; whereas it is crucial to always be helpful and cater to the client’s needs, preforming ad hoc tasks may affect your ability to deliver other items which are detailed in the proposal.  When in doubt, it is always good to speak to your operations team and the client and clarify what it is they would like you to focus on. It may be the case that the client purchases additional time for you to complete the tasks.

What does the work day look like?

Your work schedule is largely dependent on the types of work you will be doing but can be broadly split into two: long term, full-time engagements with a single client and short term, part-time engagements with multiple clients. Depending on your own personal likes and dislikes, you may prefer working on multiple projects at the same time or just sticking to one larger project for a long time. Neither is objectively better than the other and they both have their strengths and weaknesses.

Typically, long term engagements will last between 6 and 12 months and you’ll be embedded fully within the client’s organisation. The benefits of this are that you have much better access to the key stakeholders you’ll likely need to liaise with to meet your deliverables and you are often far more involved at the earlier stages of the project – something which is extremely beneficial for ensuring security objectives are met. You also typically have more time meet the deliverables. Negatives are that you are much more prone to scope creep, and you can also feel separated from your parent organisation due to you spending nearly 100% of the time working within in the client organisation.

Alternatively, you can be involved with a number for shorter term projects, working for a few clients.  Ideally, you’ll be able to work on one project per day, but it may be necessary to work in ¼ day chunks. The benefits of working on short term projects are that things tend to be faster paced – you’ll only have a set number of days to produce the deliverables and the client will likely have a shorter timeline themselves. You can also work on several different types of projects at the same time.  The negatives are that you are always spinning plates and what you have planned for the week may change several times if clients are late providing you with what you need. You also tend to have less time to meet the deliverables and less access to key stakeholders.  But this is not always the case.

About the Certified Cyber Professional (CCP) assured service

CCP is recognition by the National Cyber Security Centre (NCSC) for competent cyber security professionals. Certified Cyber Professional (CCP) assured service will enable you to demonstrate to an employer your Cyber Security competence, knowledge and skills. 

About Arcanum

Arcanum Information Security is a NCSC Certified Cyber Security Consultancy, formed in 2008.

Arcanum employs a large team of highly experienced CCP consultants, like Sam Stait, who support clients across multiple sectors ranging from Critical National Infrastructure and Defence to SMEs. Our specialist services include Cyber Security Consulting, Digital Forensics and Penetration Testing.

Author

Sam Stait

Sam Stait

Arcanum Cyber Consultant

Sam Stait, is an Arcanum Cyber Consultant.  Sam is a Certified Cyber Professional, which is recognition by the NCSC of competence for cyber security experts . Sam joined Arcanum in 2021. Before joining Arcanum, Sam had worked in Information Security for 10 years, delivering consultancy work to a range of clients from government departments to commercial companies. 

RELATED PRODUCTS

Leopard

CDCAT® - Cyber Defence Capability Assessment Tool

Unrivalled intelligence and agility

View more
NCSC Certified Training - Stand out from the crowd

NCSC Assured Training - Differentiate your course

Stand out. Get your training NCSC-Assured

View more
Hot air balloons ascending into the clouds

Cloud Computing

Smooth ascension into the cloud

View more
Close

Certifications & Solutions

Accredited Training Organizations

Leadership

Accredited training providers

Certifications & Solutions

Seleccione cualquier filtro y pulse Aplicar para ver los resultados