The NCSC CCP has grown on me

Cyber qualifications

10:00 Wednesday, 01 September 2021

UK Cyber Security Council

This author has an admission to make. When I first heard of the National Cyber Security Centre’s “Certified Cyber Professional” scheme I looked into what it involved and the moment I read the words “The application fee is £2,550.00 +VAT” I almost switched off completely. After all, I hold various professional memberships and passed my CISSP in 2016, so I wondered whether there would really be any value in spending two and a half grand on another certification.

“Value” in this sense is basically saying: if I become CCP accredited, will it present me with work opportunities that others won’t get? My initial thought was a solid “no” - but, having considered that answer for a while, I’m now thinking: "yes, over time it will".

CCP in its current form is very new; although it’s been around for a few years the NCSC decided it wasn’t quite right and has spent some time making it more suitable. (In fact, it discusses the shortcomings of the original scheme in a very honest article on its web site.) As it’s new, not many organisations are demanding it from their people or contractors, and similarly not many people have attained CCP status (one of the three accrediting bodies, the BCS, lists 123 unique names on its CCP register, for instance). But the thing that changed my mind and made me see the potential of CCP was reading the assessment criteria for becoming a CCP (this link is to the Risk Management specialism, the first to be launched in the new-look CCP scheme).

At the basic level you need an acknowledged foundation – options include full membership of the Chartered Institute of Information Security or a qualification such as CISM or CISSP. As part of the application, you have to include a case study (or potentially two) demonstrating convincing evidence of your capability in the specialism you are claiming to have – and that case study must include contact details for the organisation(s) involved so that the assessor can get in touch with them and ask about you and your work. After this you will be subject to a two-hour interview in which the assessor will ask you about the content of the case study along with anything else they wish to know that isn’t covered in the study. The assessment criteria document runs to 59 pages and could best be described with words like “rigorous” and “detailed”. As someone who has been interviewed (and, happily, accepted) for memberships of both the BCS and the CIISec, it feels to me that the CCP requirements take a step up from there in terms of rigour.

Am I going to rush out and become a CCP? No, but only because right now I don’t need to: I have a full-time job heading a security team in a bank and I don’t expect to be changing that any time soon.

But when I recruit new team members am I going to be mindful of the CCP, and have a level of respect for any applicants whose CVs cite it? Absolutely.