Ask most professionals in the industry today how they got to where they are, and they’ll tell you it was a combination of luck and circumstance as well as hard graft. That’s because cybersecurity has evolved in response to technological innovation, with roles morphing to meet demand. But this has also made it incredibly difficult to build a career because nobody knows the specific skill sets associated with particular roles. Consequently, you’ll sometimes see different companies advertising for the same role but asking for different skills from bewildered candidates.
It’s now fallen to the UK Cyber Security Council to impose some sort of rationale on the industry, which it plans to do by introducing the Cyber Career Framework covering every conceivable cyber security role in 16 career pathways. Those who progress within their specialism and meet the criteria will be eligible to apply for one of the Cyber Security Profession Chartered Standards (CSPCS), which offers three grades of certification: associate and principal (“professional” titles) or chartered.
Ambitious Undertaking
Initially, the Council rolled out pilot schemes on three specialisms (Cyber Security Governance and Risk Management, Secure System Architecture and Design and Security Testing), which are being accredited by industry bodies such as (ISC)², the Chartered Institute of Information Security (CIISEC) and CREST, respectively. Later, Cyber Security Audit and Assurance was added, to be followed by Cyber Security Specialist, Secure Operations, Secure System Development, and Cyber Security Management over the next 12 months.
By Q2 2024, only eight of the specialisms will be piloted, indicating how ambitious an undertaking this is. The aim is to effectively standardize the industry, providing a recognizable means of assessing professionals across the board by 2025. If the Council does pull this off, it will mark the single most significant step change in the sector’s history from a recruitment point of view.
So, what do the changes mean for cybersecurity professionals? Firstly, new or prospective entrants will be able to use the quiz-like Career Mapping Tool to work out where their skills fit best. By identifying transferable skills, the hope is the tool will encourage those outside the industry to apply, helping to address the burgeoning skills gap that currently stands at 3.4 million vacancies worldwide, a shortfall of 42% in the workforce.
Benefits for Employers and Candidates
The career specialisms go into far greater depth, with numerous roles under each, and promise to make it much easier for employers to advertise and candidates to search for jobs. The details contained within a role include working life, responsibilities (such as job titles and salaries), knowledge, skills, moving on and qualifications. The moving on category also allows those looking to move sideways rather than up to explore roles in related fields.
From the business perspective, the pathways may solve another problem: the gap between the hirer and HR. This is because they detail the required knowledge and skillsets, taking much of the guesswork out of crafting job descriptions. The pathways could also inform workforce planning and improve retention by providing the detail needed to tailor training to specific roles.
Jumping Through Hoops
However, those already in the profession will need to jump through new hoops to achieve one of the three certification levels. The process is likely to involve an interview to verify skills and experience, with the applications peer-reviewed, while those seeking Chartered status will likely need to hold high-level qualifications much like the CCP does today (bearers of which will see their CCP certification commuted to Chartership as the CCP is being retired).
The 16 career pathways promise to put in place a uniform structure which will facilitate career progression and bestow upon Chartered individuals the kind of recognition we’ve only hitherto seen in professions such as accountancy and law. The Council states the three standards will act as proof of skills, improve credibility, enable career progression and increase earning potential, although that will depend greatly on how rigorous the assessment is.
How useful the career pathways are in the long term will also depend on their ability to adapt to and cater for emerging careers and new skills (AI prompting, perhaps) and map to their international equivalents. The National Initiative for Cybersecurity Education (NICE) in the US has been around for 15 years, for example, albeit that was developed for federal workers, while the European Cybersecurity Skills Framework (ECSF) on the continent was launched in September. Both use very different approaches to job classification, but given the cybersecurity profession is largely international, the ideal would be for all three frameworks to come to some form of consensus.