“I’m over the moon about joining NCC Group, and I’m confident that they’re the right place for me, and I’ll be right for them. I’d also like to say a huge thank you to The Cyber Scheme for making the introductions”. Richard Evans, Security Consultant, NCC Group.
We’ve known for many years that the individuals coming through our doors to sit their technical assessments are the best in the market at what they do – our rigorous exams demonstrate the highest levels of knowledge, skill and competence, and are recognised as such by NCSC, who use our CSTM and CSTL exams as mandatory assurance checks undertaken before CHECK Team Member or Leader Status can be awarded.
We have also seen, especially in the post-pandemic years, that demand for testers who have achieved a pass in one of our assessments has regularly outstripped supply. Against the backdrop of a skills shortage that has come about partly because academic knowledge has trumped practical skills within many educational and training institutions, we are now seeing problems emerge in the employment landscape.
Not enough competent people entering the industry, pressure on those who do, and a lack of the actual technical skills employers are looking for in their consultants means organisations are coming under growing stress when procuring team members for upcoming projects. Add to that potential burnout for the testers themselves and, in some cases, predatory poaching and salary inflation driven by recruiters desperate to meet the needs of their clients, and it’s not surprising we are regularly contacted by consultancies wanting to know if we have any recently qualified testers we can introduce them to.
Traditionally, the vast majority of testers who are assessed by The Cyber Scheme are already in employment, and it would be unethical and unprofessional of us to engage in recruitment methods that would exacerbate poaching practices. But there are exceptions – the more people understand that The Cyber Scheme’s assessments are seen as ‘what good looks like’ in industry, and that holding a certification from us leads to gaining employment, the more people are making the decision to self-train and self-certify. Which means that, when they receive a pass from us, we can help them directly into employment due to our extensive network of Sponsors, bypassing stressful recruitment processes and assuring consultancies that the candidates put forward by us have met the technical standards they need to get them up and running as quickly as possible.
We have proven success in this area, as shown by the following case study. Richard Evans, now a Security Consultant with NCC Group, approached The Cyber Scheme in 2024 to discuss possible training and employment opportunities, and his story is proof that tenacity and the right advice can lead to success. Here, he talks to The Cyber Scheme’s Debi McCormack about his experience.
“With a background in Linux servers, networks and Windows desktops dating back to the late 90s, followed by a career in managed IT services, my career path led to a Head of IT Operations role. Whilst my experience was very hands on and I gained multiple certs, as my career in management developed my technical exposure diminished. My interest in cyber security was ignited during this time by my engagement of an external pen testing company, and in 2024 I decided to take time out and retrain to go into cyber security. I really wanted to become a pen tester and get back to the techy side I enjoyed.
“I went through all the basic training with HackThe Box and then made the decision to take the CSTM exam shortly followed by the KCLP and OSCP.
“I reached out to someone I used to work with who had moved into a security consultant role. He recommended that I went for CSTM and explained why this would be beneficial to gain CHECK status for the UK market. He described other routes, but based upon his experience The Cyber Scheme CSTM was the best one. I initially read the comprehensive information on The Cyber Scheme’s website, and then called and spoke to Debi, who answered all the questions I had. Booking the course and exam was very easy, and Debi recommended I took the exam a few weeks after the end of my training to allow me time to review my course notes, not leaving it too long so that the knowledge faded in my mind. This was the best approach as it happens, because I passed!
“The training course was excellent, and the trainer Paul Richards was a great teacher. The course covered all areas of pen testing, not just the technical side, but the regulatory, ethical and legal aspects which are so important. It covered how to engage with clients, and the importance of having a clear scope agreed before testing begins. Report writing was covered, and also remediation recommendations for common vulnerabilities that you’d come across.
“The practical labs we had access to were great; I can imagine the initial design and setup of these must have taken considerable time and expertise behind the scenes to make them appear so simple to operate during a class. Very impressive.
“Also, during my week’s course, I met Debi in person and, because she knew I was self-funding, she suggested that when I was ready to start looking for my first role in cyber security to reach out to her and she may be able to help with introductions to sponsors of The Cyber Scheme”.
After you passed the CSTM, what were your next steps in obtaining a role?
“After I obtained my CSTM, I gained OSCP, and continued my journey on HackTheBox, gaining Pro Hacker rank on there (almost killed me!), lots of late nights… I also continued with additional tasks and research into tools that my mentor suggested.
“I reached out to Debi again when I felt ready. She asked for my CV and introduced me to eight well known cyber security companies; within days all but one reached out to me, and I began the application process with five of them. I ended up with two offers and accepted the one at NCC Group!”
Did you benefit from the offer of help from The Cyber Scheme?
“I am positive that I would not have had nearly as much interest or success had I not been recommended by The Cyber Scheme. I know how hard the job market is currently after reading so many posts on LinkedIn. It is very common to not even hear back from an application, sometimes not even an automated one. I did apply to one cyber security company outside of the recommendations, and I’ve still not heard a thing so I can only assume I was unsuccessful.
“I had heard of several of the companies I was recommended to, and had planned to apply to them, but I doubt I’d have even got a first interview with the current amount of applicants. I’m sure that the recommendation from The Cyber Scheme at the very least got me to the top of the pile.
“Almost all the job roles I saw advertised, and the ones I applied for wanted CSTM. It is clearly and understandably respected within the UK cyber industry. I’m certain I would not have got the Security Consultant role at NCC group without CSTM and the ability to gain CHECK”.
Do you think having a CSTM exam helped in the interview process with potential employers?
“Absolutely. I was asked during several interviews about the ethical, legal and regulatory aspects of pen testing. In addition, in two of the applications I had to conduct a live hacking session whilst being watched, and asked questions about what I was doing and why. On another application I had to perform an assessment on their environment and then write and submit a report detailing the vulnerabilities I discovered, including recommendations and an executive summary along with a more detailed one.
“The CSTM course and exam definitely made me focus on the right areas and the business impact, backed up by the technical detail and recommendations for remediation”.
How did you find the recruitment process with the employers who interviewed you?
“I had some great experiences, all of which helped me on with the next interview, even where I was unsuccessful. I actually don’t mind being interviewed, and I’m a big believer in being yourself; if you get the job it was meant to be. I got great feedback from the companies I was unsuccessful with too.
“From the outset, the recruitment process at NCC was excellent. They put me at ease and were very encouraging to me throughout the interview and practical, showing empathy for the pressurised nature of the live assessment. I can say that even if I had not been offered the job at NCC Group, I had a really positive experience throughout the recruitment process to this point.
“I’m over the moon about joining NCC Group, and I’m confident that they’re the right place for me, and I’ll be right for them”.
Do you think the CSTM is well regarded with the employers you spoke to?
“Yes, that definitely comes across. This makes me even more confident that taking CSTM was the right approach as part of my retraining”.
Would you recommend The Cyber Scheme’s approach to recruitment to other people in a similar position?
“Yes! I believe the focus could be on helping people start out their career in cyber, and perhaps for those who may be struggling to find their next role due to redundancy or other unforeseen events.
“The recommendations The Cyber Scheme did for me to prospective employers really helped me secure interviews, where a direct application may not have done due to volume of applicants and potentially automated screening tools which may have rejected me based upon my CV”.
In Conclusion:
The Cyber Scheme have built excellent relationships with the majority of technical cyber consultancies in the UK, not least with NCC who have over many years been supportive and constructive sponsors.
Charles White, CEO of The Cyber Scheme reflects: “NCC and The Cyber Scheme collaborate closely on a number of issues affecting our industry, and are jointly invested in closing the skills gap, improving recruitment pathways and providing key practical skills to those looking to start a career in security testing. I’m delighted this case study highlights how working together can provide efficient, targeted results and is a successful outcome for Richard, for NCC and for the technical community.”
Duncan McDonald, UK Regional TAS Lead at NCC Group commented: “At NCC Group, we are proud to support initiatives that help bridge the cyber skills gap and create meaningful career opportunities. Collaborating with The Cyber Scheme has allowed us to connect with exceptional talent, like Richard, whose journey from exam success to employment is a testament to the impact of accessible, high-quality cyber security education. As sponsors, we remain committed to empowering the next generation of cyber security professionals and ensuring they have the support they need to thrive in this ever-evolving industry.
“We are always looking to bring new talent into NCC Group and would be delighted to speak with anyone who is taking the same path to transition their career into a cyber role.”
Please get in touch with The Cyber Scheme if you’d like to discuss recruitment and employment opportunities for your organisation.
