Guardians of the Galaxy…
Custodians of the profession, top dogs, unicorns. All phrases that were used to describe the applicants we encountered at The Cyber Scheme, as we undertook a pilot in August last year in the Security Testing specialism for the UK Cyber Security Council, looking to recommend individuals for Chartered status.
The task: using the STANDARD FOR PROFESSIONAL COMPETENCE & COMMITMENT (UK CSC SPCC) v4, go and look for, assess and if successful, recommend Chartered Status on a number of individuals in the Security Testing (Penetration testing, pen testing) industry. Oh, and on the way, devise and test a number of different approaches to investigate whether there is more than one way to achieve the task.
With a top-down approach, we were looking for a number of individuals who would be willing to step into a new paradigm in an industry that is used to certifications and ‘badges’. There is a plethora of existing badges and the industry debates at length their relative merit and utility; I won’t step into the debate here for my own safety. The new paradigm is the UK Cyber Security Council, a relatively new organisation which “… has been granted Royal Chartered status, the UK Cyber Security Council now has the power to set industry standards and award professional titles for those working in the cyber profession.”
It’s crucial to remind ourselves that this new paradigm is about recognising an individual’s body of work and their ongoing contribution to the Pen Testing corner of the Cyber Security Industry.
The SPCC describes it as competence and commitment and describes five areas in which these are to be evidenced; these are the competences known as ‘A-E’, which are then further broken down into eighteen criteria.

Since The Cyber Scheme is expert at assessments and well known to the CHECK community, we were able to identify individuals who might be interested in taking part in the pilot.
Twenty-eight people applied and after two were unable to take part, we were left with twenty-six individuals who were assessed, following two different assessment routes through the process. Twenty-five of these had applied for Chartered status and just the one for Principal status.
Pilot outcomes
The 3-step process (Application Review, Assessment, Panel Review) has built-in checks and balances to ensure not only adherence to the standard, but also to reduce and normalise subjectivity. All three stages were carried out by Council-endorsed and experienced assessors.
Application Review
Firstly, it was clear that this new paradigm was not well understood by the applicants, which was illustrated by the wide variety of quality of application forms, from poor to really very good. 40% of the application forms would have been returned were this not a pilot, so this was the first lesson identified – education about the level of detail required.
Assessment
Eleven people were interviewed (the interview-only applicants were already holders of the prerequisite technical certifications), and the interviews afforded them the chance to bring to life the words they had used as evidence against the 18 criteria of the standard in their applications. Interviews, while somewhat subjective in nature, offer the assessor the chance to investigate more thoroughly the nature of an individual’s experience, the complexity of the work undertaken, communication skills, leadership experience, etc.
Interestingly and as one might expect, interviews sometimes brought to light experiences that the applicant had omitted from the application form and conversely occasions where individuals had made the most of their experiences in the written word that were not as deep or wide as required by the standard for them to be recommended Chartered status; they were either deemed to have the relevant evidence to be offered Principal.
Twelve of the cohort who did not hold the prerequisite certification at the time of application came to The Cyber Scheme for a technical assessment with an associated Chartership interview on top.
From this assessment phase the original twenty-six applicants were now assessed as follows: 14 at Chartered level and 12 at Principal level.
Panel review (Final Decision)
All the assessors gathered for a face-to-face panel review of all the candidates. Each assessor presented their findings against each of their applicants and the debates raged! The outcome of this stage was interesting in that there was a shared sense of purpose and a determination to get it right for the candidates and the professionalisation of the industry.
From the Review Panel the original twenty-six applicants were now assessed as follows: 18 at Chartered level and 4 at Principal level and 4 declined.
The movement of applicants between the levels goes some way to illustrating that the metadata from the pilot pointed to the potential need for another professional level.
For the pilot, The Council then reviewed all the evidence and collated data as a final review and moderation.
From the Review Panel the original twenty-six applicants were now assessed as follows: 15 at Chartered level and 4 at Principal level and 7 still in moderation. This final small number of applicants fall into the category of being the candidates that potentially provide the evidence for the need for another professional title. At the time of writing that debate is still working its way through the Council’s panel process, so watch this space.
Ultimately 15 people are now carrying the post-nominal ChCSP in the Security Testing specialism and 4 are carrying PCSP – the very first in the country (and world!) to do so, and we’re very proud to have played a part in this.