Why does cybersecurity still struggle with professionalization?
Professional standards could be the answer to the ongoing cyber skills shortage

If you wanted advice from a lawyer or accountant, you would want to check they are registered with their professional body. Likewise if you employ an engineer, or engage an architect for a project, knowing that they have chartered status is reassuring.
Since 2000, IT has even had its own chartered professional status, CITP, through the British Computer Society.
Earning chartered status is not easy. To apply, IT professionals need eight to 10 years’ experience, including senior experience at level five of the Skills Framework for the Information Age. Applicants need a “supporter” to validate their application and applications are reviewed by an assessor. To retain CITP status, members have to undertake continuous professional development training.
A fair number of IT security professionals have earned CITP.
By comparison, the cybersecurity industry seems somewhat behind when it comes to professionalization, particularly given the potential effects of a cyber attack and the high stakes that come with designing and maintaining security across enterprises. But this is starting to change.
Fragmentation
The cybersecurity industry does, in fact, have professional qualifications and certifications. Part of the challenge is the industry’s fragmented nature, with different certification programmes and pathways into the profession.
Internationally, both ISACA and ISC2 provide recognised qualifications, with ISC2’s Certified Information Systems Security Professional (CISSP) probably the best known. In the UK, the Chartered Institute of Information Security (CIISec) offers accredited membership, as do more specialist bodies such as CREST, the professional organization for security testers (or ‘ethical hackers’).
Many of the qualifications on offer have developed as the industry has developed, and reflect the awarding bodies’ niches within cyber.
But this fragmentation causes issues, both for cyber professionals, and the organizations that employ them or use their services. It is not always clear which skills and qualifications match a role. And candidates are faced with a sometimes bewildering choice of memberships, courses, qualifications and CPD requirements, which often don’t come cheap.
It's problems such as this that the UK Cyber Security Council (UKCSC) is setting out to address. The Council was established by the UK government, with funding from the Department for Science, Innovation & Technology, and sets out to be an umbrella body for the cybersecurity industry. It also manages chartered status for cyber professionals.
“UKCSC is aiming to professionalize a relatively young industry sector by attributing professional titles to the field of cybersecurity, aligning it to other professions in order to enhance and expand the nation’s cyber skills, knowledge and profession at every level,” says Sean McCormack, operations director at The Cyber Scheme, one of the organizations involved in chartering with the UKCSC.
McCormack says this supports the UK government’s National Cyber Strategy. For individual cybersecurity professionals, it gives a “recognised career framework”. But the benefits for employers, and organizations using external cybersecurity firms, are as important. “For employers professional titles offer the assurance that individuals are at a certain level of recognized competence, demystifying some of the challenges of the hiring process,” he says.
Professionalization
Nonetheless, professional registration and chartership are relatively new. The UKCSC was founded in 2018, and chartered status started to be offered in late 2023. So far, 550 people have registered as professionals with UKCSC, with fewer having gone all the way to achieving Chartered Cyber Security Professional status (ChCSP). So it is still early days.
Looking at how chartership works shows just how complex the industry has become.
The Council runs pathways to registration and chartership for a range of different specialisms across cybersecurity, and these, in turn, are assessed by several professional and certification organizations, or licensed bodies.
The current specialisms include governance and risk, secure systems architecture, and cyber security audit and assurance, all through CIISec; security testing and penetration testing, incident response and secure operations through The Cyber Scheme; and security testing and penetration testing, and incident response via CREST. Planned new specialisms include cybersecurity management and secure systems development.
The UK, for once, is leading the way. Only Ghana and Singapore have equivalent programmes (Ghana goes further, in fact, with mandatory accreditation for cyber operators). And creating workable international standards for cybersecurity professionals is not easy.
“When professionalizing the cybersecurity sector, the goal is to set a standard for the profession in terms of core values, ethics, and skills, providing a level of trust to employers that the person in the role can do the job,” says Chris Dimitriadis, chief global strategy officer at ISACA.
But, he says, there is still much to be done to map credentials to skills frameworks, especially internationally.
“ISACA is providing certifications and is working with governments around the world to map those credentials with skills frameworks,” he says. This work is helping to standardize requirements from different jurisdictions.
“This is significant as technology products and services have no geographical barriers, giving more opportunity to professionals for finding a next job, and to employers for hiring quality talent both domestically and abroad,” he says.
Difficult as it might be, cybersecurity wants to be seen as a profession, argues Claudia Natanson, CEO of UKCSC.
“It's the same thing you see in any profession,” she says. “A professional has to not only be competent, which is to have the knowledge and the experience, but [also] the commitment. Most people who are in a profession are committed to it, or else they wouldn't be working long hours that we have to do in most professions.
“So I think there needs to be some education on how we manage professionals who are in those sorts of situations. They need support from the top, putting that culture in the organization, allowing them to implement cyber in a way that is useful and impactful, and seamlessly integrated into what the organization wants to achieve.
The Council is working to “demystify” the standards organizations need to achieve, Natanson says, adding that this involves setting out clear timelines for cybersecurity careers.
“We're here to tell professionals that there is a pathway that you can enter, and you can work yourself up to match what your organization needs.” And that, she hopes, will attract more talented people to enter, and stay in, the cybersecurity industry.