By Peter Lannon, Technical Director – Assure Technical
What is a Cyber Advisor?
The Cyber Advisor scheme was set up to provide small to medium-sized organisations (SMEs) with a way to identify providers that can support them with cost-effective advice and guidance. The Cyber Advisors have proven consultancy skills and experience. The National Cyber Security Centre (NCSC) have named this flavour of advisor ‘Cyber Advisor (Cyber Essentials)’, hinting that there may be Cyber Advisors with different disciplines in future. Importantly, it also showcases that Cyber Advisors under this scheme are able to assist organisations with the implementation of the Cyber Essentials requirements.
Why did I decide to do the exam?
Having delivered Cyber Essentials and Cyber Essentials Plus for over four years now, I decided that it would be a good way to convince clients that I’m not actually just talking a load of rubbish or making it up as I go.
By getting this certification, the organisation I work for has also been able to become an NCSC Assured Service Provider for the Cyber Advisor Scheme. This means that future clients will be able to see that we are able to help them make good choices when it comes to cyber security and assist with any practical implementation that they don’t have the in-house knowledge or skills for.
How did I prepare for the exam?
I read a lot of NCSC guidance… A lot. More than I needed to, if I’m being completely honest. That wasn’t wasted effort though, as I now know more on various best practice recommendations than I did before. I also compiled a large quantity of notes which has been useful to refer to since, but that I didn’t use at all during the exam.
The main items that were beneficial to me for the exam were things I already had a fairly good understanding of. For anyone else looking at taking the exam, I would recommend getting a solid understanding of the Cyber Essentials Requirements for IT Infrastructure, familiarising yourself with the latest and greatest Cyber Essentials Self-Assessment Questionnaire (if you’re a Cyber Essentials Assessor, it wouldn’t hurt to also brush up on the marking guidance!), and looking into different practical ways of implementing the Cyber Essentials requirements.
Remember, this exam is to certify you as an Advisor, so you need to be able to tailor solutions for different scenarios. The Cyber Scheme provides an example scenario so that you can understand the sort of questions you might be faced with.
How was the exam?
Before I talk about the exam itself, I’d first like to say that I did not make it easy for myself. I left my wallet behind (you need ID for the exam) and only realised about 45 minutes into a 3 hour drive that this was the case. After turning around, collecting said wallet, and driving back the way I had come, I was pretty well behind my original schedule. I had planned to arrive about an hour early to get some lunch and settle in. I actually arrived 15 minutes late to the exam having had no lunch and, because I don’t usually get hungry until about 10am, no breakfast either. Plan your journey in advance and check you have everything you need to take with you the night before!
The examiners themselves were very accommodating of my lateness and, fortunately, were still giving the initial brief. The brief consisted of some general advice for the exam on how to answer and a request to please not use ChatGPT to do the exam for you. Internet connectivity was allowed as the exam was open book and we could refer to external sources in our answers.
The exam itself consisted of a series of multiple-choice questions, each accompanied by a “short-form” written question for the first stage. The second stage was a Viva style discussion with one of the examiners. A key part of the exam is that it’s not just about being able to regurgitate technical knowledge, it is about being able to tailor your knowledge and experience to an audience. Each question either specified or otherwise guided you toward who your intended audience was and you then needed to provide advice for your client in a manner that could be understood by them. The biggest challenge for me during the first section of the exam was time management, as there was about 10 minutes allocated to each question (very rough allocation based on whether or not I remembered to look at the clock). I know that other candidates found this to be a challenging element too, due to some under-the-breath mutterings.
The discussion stage of the exam was about 30 minutes long and was very similar to conversations I have had with actual clients. The examiner was role-playing and asking questions about how best to approach some of the challenges that SMEs typically face when trying to implement the Cyber Essentials requirements.
Overall, I thought the exam was quite well thought out for what it was trying to achieve. Simple knowledge of cyber security controls wouldn’t be enough to pass this, as what’s actually being assessed is your consultancy skills in combination with an understanding of Cyber Essentials. It’s my biased opinion that those skills should be built up through experience and exposure to various scenarios, allowing the consultant to approach problems pragmatically and in a way that works for their client.
I was lucky enough to have passed the exam and am now a certified Cyber Advisor for Cyber Essentials.