Our Conversation with Andrew Elliot - Embedding Standards and Pathways Across the Cyber Profession by 2025
11:00 Wednesday, 13 July 2022
UK Cyber Security Council
Cyber Security Council’s CEO, Simon Hepburn, talks to Andrew Elliot, Deputy Director of Cyber Security at Department for Digital, Culture, Media and Sport (DCMS).
Across two recent webinars – one open to Council members only and another to the wider sector – Andrew detailed the response to the recent DCMS consultation, which addressed embedding standards and pathways across the cyber profession by 2025.
Andrew and Simon took questions from the audience, which are summarised in detail below.
Could you take us through the background of the consultation and some of the key responses?
The government is concerned about the state of the cyber workforce in the UK, principally the skills shortage in the profession. We conduct a labour survey of those leaving and entering professions, and we’re seeing a growing skills gap in the sector.
We also see a problem with people in organisations who don’t have the right skills performing cyber roles, leading to inadequate resilience across the economy, and of course we also see a diversity problem across the sector.
There’s no silver bullet to fix this, but we’ve been working on solving this problem for several years. The key response is setting up a new professional body for cyber security, the UK Cyber Security Council. We see the Council as the vehicle to fix some of the fundamental problems of this profession.
The landscape of this profession is too complicated, it’s not clear how you get into it, it’s not clear how you progress through it, it’s not clear for employees wanting to join this workforce, and it’s certainly not clear to employers who want to hire. There’s a lot of confusion, and we hope the UK Cyber Security Council will be able to bring some clarity.
We’re very pleased the Council has taken its first steps to work through the different specialisms that have been identified.
Other professions have clear paths to pursue, but it’s not clear in Cyber. Therefore, those people that are prepared to take the risk and reap the rewards do ok, but many don’t, and that’s one of the reasons this profession has a problem with diversity.
Why did you consult?
We set up the UK Cyber Security Council as a fantastic pathway and first step, but you’re only going to be successful if you’re able to persuade the whole sector to come with you on this journey and participate in this process.
The government really wanted to know ‘what more should we do?’, and that was really the outcome of the consultation. We talked about how the government can show leadership, how we could work in terms of our own public sector workforce, how we could work in terms of procurement, and we’ve had lots of views on where we stand.
I really feel that we have listened in response to this consultation, and we think that we are now clear on what we need to do to make the Council a success. That’s all set out in our response document.
In the 2022 labour market survey, it is estimated that in the UK we have 131,000 cyber professionals in the labour market, and within the actual cyber sector that’s about 50,000 people. There are a lot of people we’re directly impacting. We’re impacting how their profession works and how their career’s going to progress, so I think there is a lot of interest, which has been reflected in the number of responses we’ve seen in the consultation.
Were there any surprises in questions and the themes of the questions?
We didn’t see a uniform view in many of the questions we asked for, and often the split was between individual responses and organisations. We felt that the responses from organisations were showing a greater appetite for government intervention and regulation in the space than individuals.
Was it a good diverse group of professions of those who responded? Such as from professional bodies for businesses, from SMEs etc?
The greatest number of responses was from individuals, but I think across the industry we had pretty good representation from the sorts of organisations we would hope to be engaged on this. I’m happy that people were engaged and responded appropriately.
There were two issues really. One is, ‘do we all agree that there’s work to be done in this space?’, and the second is the question of ‘how quickly should the Government be moving to reinforce this effort by introducing measures that apply pressure to adopt changes?’
Organisations were more enthusiastic than individuals, who were largely against. I think people are pleased, broadly, with where the Council’s got to, but I think very much that we should try and make it a success before we attempt to do anything more radical.
We’ve said that the Council is going to set these standards, what the 16 specialisms are going to look like, and work out the route to Chartered status, but I think people want to see a bit more meat on the bones. I think when we consulted back in January, people wanted clarity that the Council is going to deliver what it has promised and build that credibility.
What has the response been like for academics or the wider profession, especially around the core standard and the specialisms in the sector?
I think people do want an aligned standard. I know there has been debate over the technicalities of how to deliver the standard, how we make sure that everyone that has a stake in this protects their interests, but also participates in that programme so we can agree on something we can all sign up to.
There are people who have worked many years in this profession who are valuable leaders who are worried; they don’t want unnecessary requirements or additional costs to suffer as a result of the standards. We all understand that, and by and large they’re right. I think a lot of people are expecting us to raise the bar, when in fact a lot of people are already above that bar, and we just need to make sure we bring those who aren’t up with it.
Based on the response, what kind of feedback have you had? Is it what people in government expected?
I sense that a lot of people expected us to come down in favour of a lot of immediate regulation, I can certainly see a lot of noise from people worried that would be the case, but we’ve been clear - we are genuinely testing what views are out there. For the time being, we’ve decided that we don’t want to pursue that route.
At the same time, we’ve been consulted about the future of the NIS regulation, and there probably does need to be some reform in cyber security, but right now in terms of how the cyber workforce operates we need to be careful about what that might be.
Over the past few months, we’ve had conversations with several different regulators across the economy, and when they go into organisations they regulate, they want to know if those organisations have done enough to secure themselves. There are lots of different ways in which you can measure organisational resilience, there’s lots of different guidance produced by the NCSC and others, but what we’re trying to encourage is looking at how the organisation is helping the cyber security workforce to develop.
These organisations need a yardstick to determine whether they’re up to it. In future, the yardstick which they ought to be using is that which the UK Cyber Security Council is going to provide.
What is the view across government offices, e.g. Cabinet Office, DWP, MOD, in relation to the Council and standards, specialisms and career route-maps?
The whole of government is entirely aligned on this – we published the government cyber security strategy to set out how government cyber security across all departments will be aligning to the framework that the UK Cyber Security Council has given us.
Member question – Individuals in the industry could work across various specialisms during their career, how will this be handled?
I’m entirely confident that the framework for how this is going to operate can be designed to accommodate that. If it can’t, it’s not going to work. What Leanne has pointed out is not the exception, it’s the norm.
I was talking to one of my colleagues who was discussing the analogies of other professions; in engineering or medicine, moving through specialisms is normal. It’s also normal to go through a more general route and then move into a specialism, and how do we ensure that ‘general practice’ is properly covered as well? The framework needs to encompass all of those.
Member question – As we have a skills shortage, would you not see that some form of licensing at this time could be a barrier to entry, especially for early-stage career individuals?
We do have a skills shortage. The labour market survey suggests that it was 14,000 a year, but (ISC)² have a different number which is significantly larger. We have a range of interventions to try to narrow that gap.
I think firstly, we see the work of the Council as aiding the closure of that gap. If we have more structure and clarity, it makes it easier for people to see how they can enter this profession. If anything, I think it makes the offer more attractive. I think it makes it easier to retain people.
On licensing, the evidence that we have so far suggests that we’re not in a position to start doing that yet. The infrastructure, the scale; we’re not there yet. We’re also not satisfied that we’ve seen enough evidence to justify that level of intervention.
We’re not going to do that casually; this is a sector that is entirely critical to UK resilience against cyber threats and national security. I hope I can offer reassurances around that.
Member question – What incentives are being considered to encourage individuals to sign up to registration etc with the Council? The NCSC’s schemes have generally failed to provide any tangible benefits and have not generally been well supported.
As I’ve already said, we’re working with employers, regulators and others, trying to encourage acceptance that the Council should be the yardstick.
It’s interesting at the moment, if you look at job adverts in the cyber sector, and you see what is asked for, it’s very general certifications which are being asked for as a random proxy because people don’t really know what they want.
We think that as it becomes clearer to employers what the cyber profession looks like and what they need, we hope they will become more demanding as to what skill sets they require for their organisation.
Member question – How does the work that the government security profession has done in terms of setting up a career framework which includes cyber roles fit alongside what DCMS and the Council are proposing?
I think the Government Security Profession has a framework that identifies fewer specialisms than the 16 at the Cyber Security Council. They do map, and we’ve also set up a working group whereby the Government Security Profession can make sure that we have understood across government all the different cyber strands, and to ensure that they are aligned and operating within this framework.
I don’t think there will be a problem there and we are absolutely committed to making sure that works.
Member question – The (ISC)² report for the UK indicates that we do not have a skills shortage. We have a hiring and retention shortage. I have yet to see how the proposed career framework from the Council and DCMS will resolve this.
Do we have a major retention issue? This is something I really would like to know more about. We had a debate about this in government last week.
I don’t know what the (ISC)² numbers are on retention, I think our numbers suggest that something like 6,000 people leave the profession every year, I think it’s about 4%.
I think, if you look at the reasons people are leaving, they’re not all retiring. They’re moving into other areas. But I think people do that in other careers too, it’s not unusual, so I’m not sure if we have a retention problem or not. It’s something we need to look further at.
Member question – What is DCMS doing alongside DoE to ensure that cyber careers are fully included and explained as part of the careers curriculum for school leavers?
We’re doing an awful lot on that front now. Half the problem is ensuring that computing is presented well in the classroom, taught well, and attracts students to make their next steps towards cyber. So, it’s partly down to teaching and it’s partly down to careers advice.
I met a few schools' careers advisors last week, and they were the cream of the crop, so I know that informed careers advisors are doing the right thing. There is more that we can do with them.
We have several programmes to inform and inspire; at the younger end we have our Cyber Explorers programme, CyberFirst runs courses, but there’s also the CyberFirst Schools programme.
The way to achieve the critical mass to reach all schools is, like Roy said, alongside the Department for Education. We are working alongside them to address this too, including through things like the National Centre for Computing Education.
Member question – As a school governor, my experience is that the teachers and governors don’t really understand the cyber security sector. Is there education for governors in place?
Well, the primary focus of the National Centre for Computing Education has been towards computer science teachers. That’s one of my concerns, that programme only reaches computer science teachers who are not really who I think Lee is pointing to.
We have other interventions going on to try to reach others; this is the first-time governors have been presented to me as an issue, but I think we tend to see it more as ‘who are the influencers who actually advise young people, or create the framework in the education institutions?’ It may be that governors are part of that.
There’s a whole cultural change piece happening here, we’re having a continuing conversation with the Department for Education about how we tackle this.
A SUMMARY OF WEBINAR QUESTIONS AND RESPONSES FIELDED TO BOTH SIMON AND ANDREW
Webinar question 1 – The DCMS and Lords Home Office Minister stated the Council’s work to professionalise the sector must be linked to the ongoing review of the Computer Misuse Act. Will you be able to provide an update on how the two will be linked?
The Computer Misuse Act is being reviewed by the Home Office. That may now not be responded to until the Autumn given the changes within government. What’s clear in the Home Office’s eyes, is that when you are assessing, researching, or testing, you can’t just operate as a white hat hacker without a consideration of the wider environment.
You need to understand the risks, legal framework and operate with good ethics. There must be good oversight. What the Council is doing is creating a professional workforce that is signed up to a code of ethics and operates within the standards it sets. That creates greater assurance that these risks are being mitigated.
The Home Office is interested in how we can better align the Council with the Computer Misuse Act, but this won’t be brought forward until the Council has established its standards. There is alignment to be done.
We will be ensuring any future changes take advantage of the new professional landscape emerging.
Webinar question 2 - The majority of practitioners in my community aren’t aware of the UKCSC. How are you getting more people engaged?
We’re a new organisation, and a lot of the work we’re doing is raising awareness and our profile. We’re in the National Cyber Strategy and you’ll find a lot of references to us within government strategy documents.
To achieve greater awareness, we’re doing a lot through marketing, PR, comms and social around the work we’re doing. We want to amplify our voice further through engaging with stakeholders across government and the sector.
Webinar question 3 – How does UKCSC and CIISec align? If both are working towards Charterships, how does this crossover?
To make it clear, there are other organisations chartered in relation to specific awarding titles. From our charter from the Queen in November and the Privy Council, we’re the only organisation which can give a chartered title in relation to cyber security – not just in the UK, but on a global level.
Webinar question 4 – The implementation of the new standards will be encouraged but largely voluntary. Is that correct?
Currently, you’re right – they will be encouraged, but we’re in a pilot phase and we’re going to see where it’s going.
If you’re part of critical national infrastructure, you’re likely in a regulated sector. We’d expect those regulators to look at these organisations – and if they’re applying the standard, it’s almost certainly a good thing.
The model I see is, within the Data Protection Act, there is provision for several codes of practice for any number of different things. But they’re not mandatory. The commissioner sets codes, but you don’t have to follow them; it’s just a tick in the box.
If you’ve gone down a different route and don’t follow them, you need to justify it, which shows you comply with the regulatory requirement.
If an organisation working into CNI is being assessed, and meets the standards set by the Council, it’s a tick in the box. If you’re not, they’ll ask what else you’re doing. That’s where we’ll likely start off.
If this has the effect of raising the bar, then so be it – a positive outcome for all. If it’s not working, we’ll have to look at what else we can do.
Webinar question 5 – It feels like there isn’t alignment between stakeholders about the causes and consequences of regulation of the profession. The implication is the UK workforce is not sufficiently professional and or ethical.
The core evidence the DCMS looks at is collected annually via three major sector surveys: sectoral analysis, the cyber labour market survey and a breaches survey. It's all published on gov.uk. In there, you’ll see evidence – both within cyber and wider economy – that organisations feel like they’re not equipped with the necessary skills they need to achieve resilience.
We know some organisations don’t have the skills, even within the sector itself. There are two issues we look at in Cyber Skills – we talk about cyber skills shortages and the skills gap. They sound the same, but the skills shortage is that there simply aren’t enough people to meet demand – 14,000 extra people are needed each year and it’s getting worse. The skills gap is that those people within the workforce have a capability gap.
In many ways, the Council is the key vehicle to address those problems.
Webinar question 6 – What advice can you give to UK SMBs which face cyber risks – how can they engage or develop their cyber capability to meet standards?
The Government provides all sorts of advice on how organisations can be made more resilient. The NCSC produces advice on this, and the Government has specific interventions to help organisations.
The Council is actively engaging with CyBOK and a transition is taking place for it to be ported across to the organisation. When looking at the specialisms and centres of excellence, we need to look through the lens of the CyBOK, but also the wider sector itself.
We need to simplify standards and show the access into the sector and a lot of the mapping the council is doing is working towards this.
Webinar question 7: 16 roles within the CyBOK feels like too many and is too confusing for new entrants, let alone those of us already within the profession.
The 16 specialisms were developed as part of the formation project, but there are varying views across the sector for the number which should be included. Part of our pilot is ensuring we have key specialisms. As we work through developing the pilot programme, we will be able to then work out the number – it's a conversation we’ll have with DCMS/NCSC and other key stakeholders.
It sounds like a lot, but cyber security isn’t homogenous. There are loads of different areas within the profession. It’s important to identify the specialisms and the skills. What we certainly don’t want to do is create more confusion – it needs to demystify and make it more accessible.
Webinar question 8: Do you have any opinion on the changes coming to Relevant Digital Service Providers (RDSP) in the NIS legislation?
It's a matter on which the government has been consulted and is currently subject to discussions across government, and a collectively agreed response has not yet been settled. We’ll shortly set out the government’s position.
Webinar question 9: Isn’t the sector’s greatest challenge not the lack of professionalism, but insufficient numbers of suitably qualified practitioners being employed by organisations and a lack of accountability/attention towards cyber within those businesses?
Cyber needs to be in the right stack when it comes to an organisation’s structure. It’s essential that cyber has a clear route in to the board and the directors, they understand their role and it’s a critical part of business continuity. It can’t be a subset, measured against ROI and hidden away.
We also need a focus on how we can get more people to join, be aware of the profession and train appropriately.
There is a significant shortage in the sector of people coming in. We’re trying to increase the flow of people coming – the graduate flow, apprenticeship and adult re-trainers. There’s activity going on across all those strands, but the concern is whether those interventions are creating people who employers need with the right skills and people who are going to be equipped to progress through the profession.
One issue we have is where the bar is and how we assess whether they’ve met it. Dealing with shortages and a lack of professionalism are two sides of the same coin.
Webinar question 10: Will existing qualifications/certificates be taken into account for individuals undergoing accreditation?
Absolutely. The whole process is around the assessment, and current membership and qualifications will be taken into account. It depends at what level an individual applies for: Principal, Chartered or Associate. But it’s certainly part of the criteria for assessment.
Webinar question 11: Does the Council engage with local government organisations?
We’re engaging at all levels across local and national government. We also want to be targeted in talking to various sectors as part of that wider engagement.
Our starting point – from the consultation – is being worked through, but our new programmes and partnerships director will see us engage with even more local government and stakeholders as a central part of her role.
We definitely want to find out what’s happening within the sector and see how we can get alignment.
Webinar question 12: How will the Council engage with private/public sector organisations who are not members, to ensure the approach to professional ethics is taken seriously?
Some of the work we’re doing is around the code of ethics and conduct, but we want a wider influence on the wider profession. Hopefully we’ll get to the position of a tendering/procurement process which asks whether you are signed up to the Council’s ethical framework, which is ultimately where we’d want to get to.
We'll need to get the right framework and engagement in place first to get take-up.
Webinar question 13: Current cyber employees’ voices might be lost in this debate because they’re busy dealing with the day-to-day challenges and don’t have time to contribute. How can we ensure these voices are heard?
For us, it’s about creating mechanisms through partnerships to ensure we’re in the right forums to hear from those who are doing the graft and that our work doesn’t create barriers. We’re looking at putting on even more events to hear from specific roles to inform the development of the council. There will be upcoming meetings in the next few months, but in the meantime, we’d like to hear about any specific forums, networks or institutions which the sector has found useful.
Webinar question 14: How are the Council’s standards and levels of chartership being set and when will this be available for the wider profession?
We’ve got the three levels – with assessments made across Principal, Chartered and Associate levels. We’re in the process of developing the assessment pack – as part of the pilot – which will be released ready for people to apply in September.