The UK Cyber Security Council: what is it and why was it brought about?
The UK Cyber Security Council was introduced in March 2021 to be an independent body that sets standards and defines career and learning paths for the cyber security industry. The UK Cyber Security Council provides a “single governing voice for the industry to establish the knowledge, skills and experience required for a range of cyber security jobs, bringing it in line with other professions such as law, medicine, and engineering.”[1]
The council was brought into place as a result of the National Cyber Security Strategy 2016-2021 policy paper, which set out the UK Government’s plans to make Britain secure and resilient in cyberspace. Included within this report was the government’s desire to further develop the cyber security industry and accredit the profession by “reinforcing the recognised body of cyber security excellence within the industry and providing a focal point which can advise, shape and inform national policy.” [2]
The Department for Digital, Culture, Media, and Sport (DCMS) won the bid to commission the UK Cyber Security Council, delivering it to a consortium of cyber security professional bodies known as the Cyber Security Alliance. The Institution of Engineering and Technology describes the Cyber Security Alliance as “a consortium of cyber security organisations that represent a substantial part of the cyber security community in the UK. It brings stakeholders together in the interest of advancing a healthy cybersecurity sector for the UK, from the development of professional recognition to the collaboration around acknowledged priorities to move the workforce and skills base forward.”[3]
The 2025 strategy for the UK Cyber Security Council is built on five pillars[4]:
- Professional Standards: Setting the standards for practitioners across the sector
- Professional Ethics: Creating and ensuring cyber professionals adhere to our Code of Ethics
- Careers and Learning: Providing guidance on how to join and progress within cyber security
- Outreach and Diversity: Striving for an inclusive and representative sector
- Thought Leadership and Influence: Positioning the Council as the voice of the profession
The chartership scheme falls under the first of the pillars, Professional Standards. The goal of the UK Cyber Security Council is that “By 2025, all agreed specialisms will have been stood up, underpinned by a holistic, responsive, and inclusive Standard, to represent the Cyber Security Life Cycle. A pipeline of candidates will produce individuals, who demonstrate the Gold Standard of expertise, excellence, and professional conduct, and therefore are able to protect the UK’s Economy and Critical National Infrastructure. The Council will be the recognised ‘Standard Setter’ for the Cyber Security Industry.”[5]
Royal Charter
The UK Cyber Security Council has been granted Royal Chartered status. As a result, the Council now has the power to set the standards of the industry and award professional titles to those working in the cyber profession. A Royal Charter is defined as follows by the Privy Council: “A Royal Charter is an instrument of incorporation, granted by The King, which confers independent legal personality on an organisation and defines its objectives, constitution and powers to govern its own affairs.”[6] A professional body must hold a Royal Charter from the British monarch in order to award chartered status to its members. Now that the UK Cyber Security Council has full Royal Charter status, it is able to launch the chartership scheme for the industry in earnest.
What is chartership?
Collins dictionary defines chartered as “a professional person having attained certain professional qualifications or standards and acquired membership of a particular professional body”[7]. Many other professions already have established chartership schemes, such as: Accountants, Journalists, Marketing, Teaching, and Engineers. The professional body that awards chartered status, in the case of the cyber industry the UK Cyber Security Council, must create a list of criteria for those seeking chartership to meet. These criteria usually pertain to a certain level of skill or experience achieved within the individual's role. Whilst this can be demonstrated through the work experience of the individual, there is often a requirement to meet a certain level of qualification, such as postgraduate qualifications or industry-specific qualifications[8]. It is also commonplace for the professional body to implement a code of conduct or practice to ensure that those who are chartered uphold the standards and reputation that come with being a member of that particular professional body. This code often sets out what constitutes best practice within the industry. If a chartered member is found to be neglecting these standards and risking the reputation of their profession, they can have their chartership removed or cancelled.
To maintain chartered status as an individual, there is often a requirement to do continued professional development, or CPD. Most chartered professions require that you earn a set number of CPD hours/credits per year to illustrate your continued professional growth and to show that you are keeping up with new ideas and technologies. An example of this is the Chartered Governance Institute UK & Ireland, which requires a mandatory completion of 20 CPD hours as a basic requirement, with members in public practice being required to log 35 CPD hours a year.[9] There are multiple ways to earn CPD credits: work-based learning, professional activity, formal education, and self-directed learning[10]. Most professional bodies require a mix of CPD activities, usually a minimum of two different types of activity. An example of this would be sitting courses and presenting or speaking at conferences. If you do not achieve the required amount of CPD hours in a year, you do not meet the criteria for chartered status and are at risk of having your chartership revoked. Chartership does look different from industry to industry; the way one chartered profession operates is not necessarily the rule for all.
Established Chartered Industry Example
Chartered Accountant
To become a chartered accountant, you are required to hold an ACA qualification. This qualification takes between three and five years to complete and involves different phases. Part of this is completing 450 days of work experience with an ICAEW (Institute of Chartered Accountants in England and Wales) authorised training employer. You must also register as a student with ICAEW; if you have already completed a relevant qualification, you may be exempt from certain modules. To complete the ACA, you must “demonstrate that you have: completed 450 days of work experience at an ATE; passed 15 exam modules; undertaken professional development; and have advanced your ethical understanding and professional scepticism.”[11]
To gain a better understanding of the structure for achieving chartered status in the cyber industry, read the UK Cyber Security Council route to chartership here.
How Chartership Differs from CHECK
The CHECK accreditation scheme differs from chartership in that it is the organisation, as opposed to the individual, that is CHECK accredited. CHECK is awarded to companies to illustrate that they have the ability and methodology to provide CHECK-level testing. Chartership is for the individual and does not rely on the individual’s current employer. The chartership scheme will create a clear indicator of an individual’s experience within the industry, as opposed to the clearance level/ability of the organisation they work for. While admittance requirements for Chartership will resemble the skills, knowledge and behaviours required to pass a CSTL exam, the on-the-job experience an individual can prove by way of attestation will be much more important.
References
[1] GOV.UK. (n.d.). New UK Cyber Security Council to be official governing body on training and standards. [online] Available at: https://www.gov.uk/government/news/new-uk-cyber-security-council-to-be-official-governing-body-on-training-and-standards.
[2] Cabinet Office. (2016). National Cyber Security Strategy 2016 to 2021. [online] GOV.UK. Available at: https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021.
[3] www.theiet.org. (n.d.). UK Cyber Security Council Formation Project – The IET. [online] Available at: https://www.theiet.org/impact-society/uk-cyber-security-council-formation-project/.
[4] UK Cyber Security Council. (n.d.). What the UK Cyber Security Council does | UK Cyber Security Council. [online] www.ukcybersecuritycouncil.org.uk. Available at: https://www.ukcybersecuritycouncil.org.uk/about-the-council/what-we-do/.
[5] UK Cyber Security Council. (n.d.). Ethics and the cyber security profession. [online] Available at: https://www.ukcybersecuritycouncil.org.uk/professional-standards/.
[6] Privy Council. (n.d.). Royal Charters. [online] Available at: https://privycouncil.independent.gov.uk/royal-charters/#:~:text=A%20Royal%20Charter%20is%20an.
[7] Collins Dictionary. (n.d.). Chartered Definition. [online] Available at: https://www.collinsdictionary.com/dictionary/english/chartered.
[8] Make The Future Yours! (n.d.). What does it mean to be Chartered? [online] Available at: https://www.makethefutureyours.uk/what-does-it-mean-to-be-chartered [Accessed 14 Jun. 2023].
[9] www.cgi.org.uk. (n.d.). Continuing Professional Development (CPD). [online] Available at: https://www.cgi.org.uk/professional-development/cpd.
[10] Imeche.org. (2018). What counts as CPD. [online] Available at: https://www.imeche.org/membership-registration/professional-development-and-cpd/continuing-professional-development-cpd/what-counts-as-cpd.
[11] https://careers.icaew.com/how-to-become-a-chartered-accountant#:~:text=To%20successfully%20achieve%20the%20ACA,ethical%20understanding%20and%20professional%20scepticism.