Consultation outcome

Embedding standards and pathways across the cyber profession by 2025 - government response to the consultation

Updated 20 June 2022

Ministerial foreword

Julia Lopez MP, Minister for Media, Data, and Digital Infrastructure

In order to achieve the UK’s ambition to be a leading democratic cyber power we must focus on people and skills. The UK is a global tech leader but its continued success is dependent on the development of high quality professionals who can provide the best protection for UK citizens and companies. This is why the National Cyber Strategy set out our aim to create a world class, diverse cyber security profession.

The UK Cyber Security Council (‘the Council’) is central to this aim and the government is committed to supporting its work as the independent professional authority for the sector. The Council, the first of its kind globally, will act as an overarching organisation which sets and oversees standards for the cyber security profession, against which education and training solutions can be benchmarked.

The Council will soon be able to award chartered status to cyber security professionals (having received a Royal Charter earlier this year). The ability to employ chartered cyber security professionals will make it much easier for employers to identify suitably qualified individuals. It will allow individuals to demonstrate ongoing proficiency and that they represent the highest standards and ethics.

The Council has identified 16 specialisms within cyber security – indicating clear and accessible routes into and through the profession. Chartership will be available for each specialism, along with two further qualification levels which sit below it - ‘associate’ and ‘principal’ (collectively referred to as ‘standards’). The launch of standards for each specialism will be staggered up until 2025.

The cyber profession is complex and difficult to navigate and career pathways are not always entirely clear. By creating clear paths for those interested in joining the profession, whether straight out of education or through a career change, the Council will inspire and support more people with the right aptitude to pursue a career in cyber security. At the same time the Council’s work will increase trust in the profession by reducing the presence of individuals who misrepresent their abilities.

The consultation on embedding standards and pathways across the cyber security profession requested feedback as to what, if anything, government should do to support the Council to encourage uptake of its standards across the profession. This included whether the profession should be regulated on a voluntary or non-voluntary basis. We do not think regulatory intervention is appropriate at this stage, for reasons set out in this response. However, to guarantee the successful professionalisation of cyber security, the Council will require strong support from industry, regulators and the public sector. We will continue to do all we can across government to provide this support and engage closely with regulators and industry to secure similar support.

As a major employer of cyber security professionals and consumer of cyber security services, the government will exercise considerable influence in this sphere. We will support the Council to launch its standards pilot programme for two specialisms (Risk Management and Security Architecture) in Summer 2022, followed by the formal launch of these standards next year. Government is committed to working towards mapping its own programmes to Council standards as they are launched. For example, the National Cyber Security Centre’s Certified Cyber Professional programme (CCP) will be run by the Council until the launch of the Council’s standards. The Council’s work will continue to drive up quality in the profession and simplify a complex professional environment, while acknowledging the breadth and diversity of roles and responsibilities held by cyber practitioners across the UK. By making it easier for government, regulators and businesses to identify the cyber security professionals they need, we will increase our collective cyber resilience and bring about a significant increase in the number of people who have the necessary skills in the cyber workforce.

We are grateful to the wide range of individuals and organisations who gave open and honest feedback to the consultation. We have worked to engage diverse groups of people throughout the process, ensuring that we heard as many perspectives as possible. These views have allowed us to formulate considered next steps, as outlined throughout this response. We have set out proposals to allow the cyber security profession to develop in a holistic and collaborative manner. A profession is made up of individuals. Through these proposals we will incentivise increasing numbers of individuals to enter a career in cyber security and be recognised and rewarded for the quality of their work. It is exceptional people at all levels that will guarantee our ability to secure systems and respond to threats remains world class.

Executive summary

The UK Cyber Security Council is the professional authority for cyber security. Set up last year, its ambition is to make it simple to identify the people with the right skills and experience to secure organisations against cyber threats. The Council’s formation was in response to a government consultation held in 2018 on developing the cyber security profession. Responses to the 2018 consultation indicated that there are a myriad of cyber qualifications, certifications and degree standards without any uniform equivalency. This makes it difficult for employers looking to recruit, professionals looking to develop and new entrants looking to enter the cyber workforce.

The government’s annual Cyber Labour Market Survey also shows that most businesses are struggling to identify people with the right skills to secure their networks. The Council was set up to solve these problems and create professional standards. It was formed by a consortium of professional and certification organisations, led by the Institution of Engineering and Technology and launched in May 2021.

Setting professional standards for cyber security will only have an impact if both employers and employees adopt them. Employers need to understand how the standards are relevant to their organisation and start to align their workforce to the standards. They also need to recruit and measure capability and potential against the standards. Employees need to consider how their skills and career pathways sit alongside the standards and whether their certifications fit within the standards framework. This won’t happen just because the standards exist. The cyber profession, government, industry and academia need to work together to drive through this change.

The consultation ‘Embedding standards and pathways across the cyber profession by 2025’ was published on 19 January 2022. It was used to gather feedback from individuals and organisations as to whether the Council needs to be empowered further to fulfil its role as the professional authority and standard setting body. The consultation considered both legislative and non-legislative interventions.

We received 680 responses from a range of participants that would be affected by the proposals, including: individual cyber security professionals, graduates and career changers, private businesses and small or medium-sized enterprises (SMEs), accreditation and qualification providers, cyber security organisations, public sector bodies and critical national infrastructure providers. This response provides an overview and analysis of the key findings.

A number of key concerns were reflected throughout responses from participants. Echoing feedback from the 2018 consultation, respondents noted that the profession has evolved to be complex and career pathways are not always entirely clear. The Council has identified 16 specialisms in cyber security using the Cyber Security Body of Knowledge (CyBOK). It has created a career routemap, which will offer information on these 16 specialisms and the skills and qualifications needed to pursue them. This overview of what a career in cyber can offer will simplify professional pathways for those already working in cyber security and demystify it for those wishing to enter, thereby attracting more people into the profession.

Respondents further reflected previous feedback that cyber security is of increasing importance, but at the same time it is increasingly difficult for those hiring cyber security professionals to know whether a candidate is suitably qualified. It is therefore imperative to have a mechanism which provides assurance that an individual is qualified and will act ethically, removing those who could offer potentially dangerous advice/services due to incompetence or lack of experience. The launch of associate, principal and chartered standards for the 16 cyber specialisms identified by the Council will help significantly with this problem.

While there was general consensus from respondents that titles and role definitions within the cyber security profession are inconsistent, it was observed that artificial division of responsibilities within roles was not useful either. To address this, the Council will pilot professional standards on the basis of specialism, rather than role type, which will give more flexibility to practitioners.

Respondents urged the Council to take into account existing qualifications and consider how their equivalence with Council standards could be articulated in order to create a coherent overall framework. This would complement the existing ecosystem and allow individuals and employers to navigate different regimes. The Council is in the process of developing a qualifications framework which will map the equivalence of existing qualifications against Council standards as far as possible. It was also emphasised that a number of individuals with extensive experience did not hold certifications and should not be excluded on this basis. A competency-based assessment process for standards will take into account the experience of those without qualifications.

The importance of international alignment of standards was emphasised in many responses. Cyber security is international in nature. Attracting talent is important for the sector and respondents highlighted the need to recognise and map international qualifications against UK standards. As well as looking at UK qualifications, the Council’s qualifications framework will map established international accreditations against Council standards on an iterative basis.

Respondents supported proposals for alignment between the Council’s standards and government recruitment, procurement and schemes, such as NCSC’s CCP scheme. Government will work to map the Council’s professional standards to existing recruitment, procurement and other schemes as far as possible. Given the complexity of the profession, we understand and agree with respondents’ reflections that government should coordinate itself with Council standards to ensure a level of consistency across both the public and private sectors.

The question of regulatory intervention was a key part of the consultation. Respondents were asked whether regulation by activity should be explored in future plans and, separately, whether regulating by title should be brought in at this stage. Overall, respondents were opposed to the idea of regulatory intervention (though on the whole there was more support for regulatory intervention among organisations than individuals).

Commonly expressed concerns were that the Council is at an early stage in its development and that regulation would exacerbate the current shortage of cyber security professionals and introduce barriers to entry. Taking into account this feedback, we will not regulate at this point in time. Instead, we will promote the Council’s standards where appropriate opportunities arise. This might include guidance for organisations on their cyber resilience, guidance from regulators to assess their security posture, best practice in procurement, recruitment and staff retention. We will also work with certification bodies to ensure they transition to align with the Council’s standards. We will observe the uptake of the Council’s professional standards as these are developed. If we do not judge the level of uptake to be sufficient to embed the profession we may revisit the idea of regulatory intervention in future.

The proposal for a register of practitioners was met with a mixed response. Just over half of respondents disagreed with this proposal (though the majority of organisations who responded agreed with the idea of a register). Some respondents noted that if a register were to be created it should be voluntary. The Council intends to create a voluntary register for those who meet their professional standards, listing individuals who are accredited at associate, principal and chartered level.

Respondents were keen for routes into cyber to remain flexible. The Government supports this view and the need to support more people to pursue a career in the sector, rather than put in place barriers to entry. We heard that professional standards should not be looked at in isolation, but should be considered within the broader cyber skills landscape in order to establish a holistic approach to education, training and recruitment. We recognise this need, which is why alongside efforts to develop the cyber security profession, we are working to develop initiatives in schools and for those post-16 (further information can be found in the government response to questions 28-29a).

We will continue to work with the UK Cyber Security Council to support the development of its professional standards and pathways. Government will review where it can most effectively provide support to coordinate our own programmes with these professional standards. Alongside the Council, we will engage closely with regulatory and professional bodies and industry to discuss the development and uptake of these standards.

Methodology

On 19 January 2022 the consultation ‘Embedding standards and pathways across the cyber profession by 2025’ was published on gov.uk for eight weeks. It gathered feedback from individuals and organisations on how to most effectively empower the UK Cyber Security Council to lead the profession and set clear and comprehensive professional standards and pathways, whether through government legislation, government levers or business as usual. The consultation closed on 20 March 2022.

The consultation asked respondents 29 questions, including both closed and open questions. For some questions respondents were offered the opportunity to expand on answers and provide more detail with qualitative open text boxes. For open response questions, every response was reviewed and, while not every point that was made by each respondent can be reflected, responses were coded to identify common themes.

Individuals and organisations were invited to participate via an online survey and via email and post. Respondents did not have to complete every question. For inclusion in the consultation analysis, participants had to have completed at least one of the consultation questions. Responses were excluded from consultation analysis if they did not meet this criterion or if the response did not directly answer the question (e.g. it was off topic). In total, 680 responses met the criteria for inclusion in the consultation analysis.

All questions and the accompanying percentages are reported based on the number of respondents that answered that individual question. This is detailed in the description of each question through each section of this government response. Where results do not sum to 100%, this may be due to the rounding of percentages or respondents selecting multiple responses.

This government response provides an overview of the findings we have collated through the analysis of the responses to the consultation ‘Embedding standards and pathways across the cyber profession by 2025’.

Section 1: Is government intervention required to embed professional standards?

Questions 1-2a sought views as to whether government intervention (beyond initial support, such as funding for its first four years) is required to ensure that the UK Cyber Security Council establishes itself as a sustainable and credible organisation, able to effectively embed professional standards.

Question 1. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that the market is best placed to define and embed professional standards?

In response to question 1, a total of 680 responses were recorded, out of which 584 came from individuals (86%) and 96 came from organisations (14%). Most respondents agreed that the market is best placed to define and embed professional standards (63%). Specifically, 64% of individuals and 55% of organisations agreed with the proposal. Only 21% of respondents felt that the market is not best placed to define and embed professional standards. In fact, organisations were more likely than individuals to maintain this claim (29% organisations vs 20% individuals).

Question 2. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that government intervention is required to support this approach?

Figure 1: Extent to which individuals and organisations agree or disagree that government intervention is required to support the market in defining and embedding professional standards.

Base: 680 responses, 584 individuals (86%), 96 organisations (14%)

A total of 680 responses were recorded, out of which 584 came from individuals (86%) and 96 came from organisations (14%). Overall, most respondents disagreed that government intervention is required (55%). However, there was a noticeable difference between the responses of individuals and organisations. The majority of organisations were in favour of government intervention (56%) whereas the majority of individuals were against government intervention (58%).

Question 2a. Please expand on the reasons for this response

In total, 261 participants provided a supplementary qualitative response to this question. The majority of those disagreed with question 2.

Respondents noted the fast paced nature of the cyber security industry. There was concern that government intervention would not be able to match the pace of change. It was suggested that this could stifle innovation within the cyber security industry. Participants also suggested that the breadth and interdisciplinary nature of cybersecurity meant it was too broad to be standardised.

Questions 1-2a: Government response

We will continue to support the work of the UK Cyber Security Council to develop and define professional standards. The Council will take into account the breadth of cyber security roles and develop professional standards in consultation with industry, professional bodies, certification providers, government and academia. These standards will be created based on an initial 16 specialisms the Council has identified using the Cyber Security Body of Knowledge (CyBOK) and stakeholder engagement. The government takes the view that the cyber profession needs to be given the opportunity to adopt the Council’s standards before further regulation is considered. The government notes, however, the stronger support from organisations for government to take further steps to embed professional standards. We will work with the Council to ensure the standards can be used to shape the government’s own cyber profession. We will work with certification providers to support their alignment with the standards. We will work with regulators and government agencies to ensure that guidance on cyber resilience encourages consideration of the standards.

Section 2: Should the UK Cyber Security Council be formally recognised (via legislation) as the standard setting body for the profession?

The Council could be designated the authority for the cyber security profession in legislation. However, legislative underpinning would only be required if there were a statutory scheme for the Council to oversee. Questions 3-3a asked for views as to whether the Council should be designated professional authority.

Question 3. To what extent do you agree or disagree, ranging from fully agree to fully disagree, with the proposal that the UK Cyber Security Council should be formally recognised (via legislation) as the standard setting body for the cyber profession with a view to it overseeing the regulation of the profession under a legislative scheme?

In response to question 3, a total of 629 responses were recorded, out of which 536 came from individuals (85%) and 93 came from organisations (15%). Overall more respondents disagreed that the Council should be recognised in legislation as the standard setting body (55%).

Although most respondents disagreed with the proposal, there were large differences between the responses of organisations and individuals. Individuals tended to disagree more, 57%, and among those that disagreed, 75% fully disagreed. Organisations tended to agree more, 54%, and of those, 48% fully agreed.

Question 3a. (If mostly or fully disagree) Please expand on the reasons for this response?

In total, 264 participants provided a supplementary qualitative response to this question. Respondents suggested that if the Council were the formal standard setting body, the market would be constrained by government intervention. There was some doubt over the Cyber Security Council’s ability to act as the formal standard setting body and concerns about the existence of multiple certification bodies in the market.

Further concerns were raised that having a formal standard setting body would lead to increased bureaucracy in the profession, such as the imposition of fees or certification requirements. It was emphasised that standard setting should be done internationally – on the basis that the majority of cyber security issues are global rather than local.

Some respondents noted that they might support the Council as the standard setting body for the profession whilst being opposed to the idea of it overseeing a legislative scheme.

Questions 3-3a: Government response

Government has been clear that it supports the Council as the standard setting body for the profession. The Government has already formally underlined this support by giving the Council a special legal status through the award of a Royal Charter. The Council is at an early stage in its development and has not yet had the chance to fully embed itself in the sector. Further legal underpinning would only be necessary if the Council were to be given regulatory powers.

Many organisations have a regulatory requirement to maintain minimum cyber security standards. We would expect these organisations to ensure that their cyber security professionals meet the professional standards set by the Council as they develop. Where regulatory oversight exists, we would expect regulators to work closely with the Council to ensure that the Council’s standards become one of the yardsticks by which regulators assess compliance. The Government will work with regulators to ensure that they are involved in the development of standards across the 16 cyber specialisms. We will consider whether legislation may be needed in future if regulators do not have adequate powers to ensure organisations are defended by appropriately skilled cyber professionals. The government will continue to support the Council as it builds its standards and embeds itself within the industry and with regulatory bodies.

Section 3: Should regulation by activity be explored in future plans?

Questions 4 and 5 sought views on whether there could be a future need to regulate cyber professionals under a legislative (mandatory) scheme and what this scheme could look like. The question did not propose that regulation by activity be considered at this stage, but that it could be revisited in future policy development.

Such a scheme would mean that professionals regarded as under-qualified would be prohibited from carrying out activities related to essential cyber security functions and would need to be assessed via the UK Cyber Security Council before being permitted to practise. A definition of an under-qualified professional would be provided by the UK Cyber Security Council. There would be a further question on the extent to which regulation by activity would need to be sector or industry specific, and how this would be enforced.

Question 4. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that regulating by activity should be explored in future plans?

Figure 2: Extent to which individuals and organisations agree or disagree that regulating by activity should be explored in future plans.

Base: 586 responses, 493 individuals (84%), 93 organisations (16%)

A total of 586 responses were recorded for this question, of which 493 came from individuals (84%) and 93 from organisations (16%). Overall more respondents disagreed than agreed that regulating by activity should be explored in the future (55% vs 34%). Of the 55% that disagreed, 71% fully disagreed.

There was a stark difference between the responses from organisations and individuals. Organisations were overall in favour of exploring regulation by activity in the future (52%) whereas more individuals were opposed to the suggestion (59%).

Question 5. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that under-qualified professionals should be prohibited from carrying out activities related to a specialism until they are qualified to do so?

Of a total 586 responses, 493 came from individuals (84%) and 93 came from organisations (16%). In response to this question, 47% of organisations and 64% of individuals disagreed with the proposal. In total, 61% of respondents felt that under-qualified professionals should not be prohibited from carrying out activities related to a specialism until they are qualified to do so. Of those individuals and organisations that disagreed with the proposal, 62% fully disagreed.

Questions 4-5: Government response

Regulation of the cyber profession will be kept under review. We support the UK Cyber Security Council’s vision for a high quality cyber profession. The uptake of professional standards across the public and private sector will allow employers to identify and recognise quality practitioners. We may consider revisiting regulation by activity in the future depending on the level of uptake of standards set by the Council.

Section 4: Should the use of professional job titles be regulated?

Questions 6-19 and 22-22a explored the question of whether there should be statutory regulation by professional title. This would result in cyber security roles - which are often inconsistently defined and recruited for across employers - having coherence that could be assessed more easily by prospective entrants to the profession, existing practitioners and employers. Individuals would have to meet competency standards set by the UK Cyber Security Council before they could utilise a specific professional job title across the range of specialisms in cyber security. However, this would not result in individuals being prohibited from undertaking activities under a job title if they chose.

Question 6. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that role definitions across cyber security functions are inconsistently defined and require consolidation?

In response to question 6, a total of 586 responses were recorded, out of which 493 came from individuals (84%) and 93 came from organisations (16%). Most organisations and individuals (54% and 47% respectively) agreed that functions are inconsistently defined and require consolidation. Of the 48% of individuals and organisations that agreed, 58% mostly agreed.

Question 7. Do you think there are any additional considerations that need to be examined to ensure that the proposed measures to regulate professional job titles do not provide unnecessary barriers to entry for candidates entering or wishing to progress in a cyber security career?

A total of 586 responses were recorded. 493 came from individuals (84%) and 93 came from organisations (16%). The vast majority of respondents answered ‘yes’ (73%) wherein organisations were more cautious about raising unnecessary barriers to entry than individuals (82% vs 71% respectively).

Question 7a. If yes, what additional measures should be considered?

In total, 368 participants provided a supplementary qualitative response to this question. Respondents suggested that government should recognise experience, existing qualifications and transferable skills when considering regulating professional job titles, in a similar way to other organisations, such as the Engineering Council. It was emphasised that government should consider any barriers regulating by title could introduce and ensure an inclusive environment which does not deter individuals without degrees or certifications.

Respondents further noted that, given the fast moving nature of technology, cyber security roles do not lend themselves well to siloed approaches and are ever-evolving - so any framework introduced would need to be simple and adaptable. It was suggested that government should consider introducing apprenticeship schemes and different routes to qualification to reduce barriers to entry. Respondents said government should consider the cost of regulating by title to business and professionals and on skills shortages.

Question 8. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that the profession should regulate the use of professional job titles?

Figure 3: Extent to which individuals and organisations agree or disagree that the profession should regulate the use of professional job titles.

Base: 567 responses, 478 individuals (84%), 89 organisations (16%)

In response to question 8, a total of 567 responses were recorded, out of which 478 came from individuals (84%) and 89 came from organisations (16%). More respondents disagreed than agreed with this question (46% vs 39%). Of those individuals and organisations that disagreed, 63% fully disagreed. Of the total respondents that agreed, 33% fully agreed. There was an apparent distinction between organisation and individual responses as organisations agreed at slightly higher percentages than individuals (44% vs 38%). Individuals, on the other hand, disagreed at slightly higher percentages than organisations (48% vs 39%).

Question 9. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that individuals should have to meet particular competency standards set by the UK Cyber Security Council in order to utilise a specific job title?

A total of 567 responses were recorded, of which 476 came from individuals (84%) and 91 came from organisations (16%).

The majority of respondents (60%) disagreed that individuals should have to meet particular competency standards set by the UK Cyber Security Council in order to utilise a specific job title. Of those who disagreed, 70% fully disagreed. Specifically, 64% of individuals and 44% of organisations disagreed with the proposal. On the other hand, 30% of individuals and 44% of organisations agreed with the proposal.

Question 10. To what extent do you agree or disagree, ranging from fully agree to fully disagree, that statutory regulation on the use of title will not significantly exacerbate the existing skills shortage across cyber security roles in the UK?

A total of 570 responses were recorded, out of which 479 came from individuals (84%) and 91 came from organisations (16%).

The majority of respondents disagreed that statutory regulation on the use of title would not significantly exacerbate the existing skills shortage across cyber security roles in the UK (67%). For this question, organisations and individuals were largely aligned in their responses as most organisations (58%) as well as most individuals (68%) disagreed with the proposal. Of those individuals and organisations that disagreed, 70% fully disagreed.

Question 11. As an employer, to what extent do you agree or disagree, ranging from fully agree to fully disagree, that you would prioritise recruitment of professionals with a job title recognised by the UK Cyber Security Council?

A total of 293 responses were recorded out of which 223 came from individuals (76%) and 70 came from organisations (24%).

The majority of respondents disagreed that they would prioritise recruitment of professionals with a job title recognised by the UK Cyber Security Council (56%). Organisations disagreed less than individuals (40% vs 61%). Of the 40% of organisations who disagreed, 65% fully disagreed. 34% of organisations said that they would prioritise recruitment of professionals with a job title recognised by the Council and 23% said they neither agreed nor disagreed.

Question 12: As an employer, to what extent do you agree or disagree, ranging from fully agree to fully disagree, that your recruitment practice would be improved by having a clear, competence framework underpinned by legislation for cyber professionals to adhere to?

Figure 4: Extent to which individuals and organisations agree or disagree that their recruitment practice would be improved by having a clear, competence framework underpinned by legislation for cyber professionals to adhere to.

Base: 291 responses, 222 individuals (76%), 69 organisations (24%)

A total of 291 responses were recorded, out of which 222 came from individuals (76%) and 69 came from organisations (24%).

Half of respondents disagreed that their recruitment practice would be improved by having a clear competence framework underpinned by legislation for cyber professionals to adhere to (50%). Only 38% of respondents agreed with the proposal, with organisations being more likely to agree than individuals (57% vs 33% respectively).

Question 13. As an employer, to what extent do you agree or disagree, ranging from fully agree to fully disagree, that you would support staff with their continuous professional development to achieve a job title recognised by the UK Cyber Security Council?

A total of 287 responses were recorded, out of which 219 came from individuals (76%) and 68 came from organisations (24%).

The majority of respondents agreed that they would support staff with their continuous professional development to achieve a job title recognised by the UK Cyber Security Council (52%). Organisations were more likely to agree than individuals (62% vs 49%). Of the 62% of organisations that agreed, 61% fully agreed.

Question 14. As an employee, would you apply to obtain qualifications towards a professional job title recognised by the UK Cyber Security Council?

In response to question 14, a total of 531 responses were recorded, out of which 452 came from individuals (85%) and 79 came from organisations (15%). The responses indicate a mixed picture as 36% of respondents agreed that they would apply to obtain qualifications towards a professional job title, 37% of respondents disagreed with this, and 27% of respondents did not know.

Question 15. As an employee, to what extent do you agree or disagree, ranging from fully agree to fully disagree, that it would be beneficial to have a professional job title that is recognised by the UK Cyber Security Council?

A total of 545 responses were recorded, of which 465 came from individuals (85%) and 80 came from organisations (15%).

More respondents disagreed than agreed that it would be beneficial to have a professional job title that is recognised by the UK Cyber Security Council (43% vs 37%). Organisations were more likely to agree than individuals (49% vs 35%) and less likely to disagree (26% vs 46%). Of the individuals that disagreed (46%), 70% fully disagreed.

Question 15a. Please explain more about why you agree or disagree that it would be beneficial to have a professional job title recognised by the UK Cyber Security Council.

In total, 426 participants provided a supplementary qualitative response to this question. For those that agreed with question 15, the main themes were that this approach would help to introduce consistency across job roles, which would help industry to identify and recruit talent. It would bring increased understanding of roles, allow for role comparison and provide recognition of individual skill level and competence. This would provide comfort to employers that their employees had the necessary skills and competencies their organisation required, as well as to employees struggling to understand employer needs. Professional job titles would help to show defined career paths and entry points into/across industries.

For those that disagreed with question 15, many thought that the fast-paced nature of the cyber security industry would mean that standardising job roles would lead to inflexible structures and frameworks. Several highlighted that the Council was at an early stage and had not yet established credibility with industry to be able to enforce the proposed measures competently. Some respondents said they would choose to assess a candidate’s competency based on their own knowledge rather than on the basis of a job title recognised by the Council. Others said that having a job title recognised by the Council would not demonstrate the practical skill level of individuals. It was further mentioned that candidates could be deterred from entering the industry if required to hold a professional job title recognised by the Council and that this could lead to skills shortages.

Question 16: As an employer, would you be willing to pay more (in terms of wage) for someone who has an assessed competency based on a regulated professional title?

A total of 282 responses were recorded, out of which 218 came from individuals (77%) and 64 came from organisations (23%).

Overall, more respondents disagreed than agreed that they would be willing to pay more (in terms of wage) for someone who has an assessed competency based on a regulated professional title (55% vs 26%). Specifically, 60% of individuals and 38% of organisations said they would not be willing to pay more compared to 23% of individuals and 34% of organisations who were willing to pay more. However, 17% of individuals and 28% of organisations stated that they did not know.

Question 17: How much more may you be willing to pay in terms of annual wage for someone who has an assessed competency based on a regulated professional title?

Figure 5: The amount individuals and organisations may be willing to increase the annual wage of someone who has an assessed competency based on a regulated professional title

Base: 71 responses, 50 individuals (70%), 21 organisations (30%)

In response to question 17, a total of 71 responses were recorded, out of which 50 came from individuals (70%) and 21 came from organisations (30%).

Overall, most respondents (41%) did not know how much more they would be willing to pay in terms of annual wage for someone who has an assessed competency based on a regulated professional title. Of those who did not know, 48% were organisations and 38% were individuals.

24% of organisations said they were willing to pay £1,001 to £4,000 while 24% of individuals were willing to pay £4,001 to £7,000 more in terms of annual wage for someone who has an assessed competency based on a regulated professional title. 22% of individuals said they would pay over £10,000, although no organisations expressed willingness to pay over £10,000.

Question 18: As an employer, would you pay more (in terms of training and professional development) for someone who has an assessed competency based on a professional title awarded by the UK Cyber Security Council?

A total of 285 responses were recorded, out of which 219 came from individuals (77%) and 66 came from organisations (23%).

Most respondents said they were not willing to pay more (in terms of training and professional development) for someone who has an assessed competency based on a professional title awarded by the UK Cyber Security Council (58%). 63% of individuals and 41% of organisations were not willing to pay more while 24% of organisations and 17% of individuals said they would be willing to pay more. 23% of respondents replied saying they did not know, which consisted of 35% organisations and 20% individuals.

Question 19: How much more may you be willing to pay in terms of training and development for someone who has an assessed competency based on a regulated professional title?

A total of 55 responses were recorded, out of which 37 came from individuals (67%) and 18 came from organisations (33%).

The majority of respondents did not know how much more they would be willing to pay in terms of training and development for someone who has an assessed competency based on a regulated professional title (53%). 33% of organisations said they would expect to pay between £1,000-5,000 more.

Question 22: To what extent do you agree or disagree, ranging from fully agree to fully disagree, that employers should not be legally required to employ practitioners whose titles have been recognised through the UK Cyber Security Council?

A total of 553 responses were recorded, out of which 462 came from individuals (84%) and 91 came from organisations (16%).

The vast majority of respondents agreed that employers should not be legally required to employ practitioners whose titles have been recognised through the UK Cyber Security Council (77%). In this instance, 77% of individuals and organisations both agreed with the above, out of which 79% of individuals and 82% of organisations fully agreed that legal obligations should not be introduced.

Question 22a: Why do you agree or disagree that employers should be legally required to only employ practitioners whose titles have been recognised through the UK Cyber Security Council?

54 participants provided a supplementary qualitative response to this question. The majority of respondents provided a negative response to question 22. Respondents emphasised that such a requirement would place an onerous burden on organisations, for instance through increased training costs, which could have a big impact on SMEs. Respondents said that such a measure could lead to increased barriers to entry and progression within the industry and increase skills shortages.

Questions 6-19 and 22-22a: Government response

We agree with the majority of respondents who said that role definitions are inconsistent across cyber security functions. The UK Cyber Security Council has mapped 16 specialisms across the cyber profession, which allows for consistency without introducing artificial division of roles. Framing the profession around specialisms should allow broadly consistent definitions. We expect the Council to keep these specialisms under review and consider whether further future consolidation is required.

We do not think regulation by title is required at this point in time. The Council has set out its roadmap for setting standards for 16 cyber specialisms by 2025. Government recognises that industry will need to plan and invest to meet these standards - though many organisations, especially where responsible for critical infrastructure, should already be operating at a high standard. The government will track the adoption of Council standards and continue to assess whether regulatory intervention is needed to further support levels of uptake.

Section 5: Should there be a Register of Practitioners for the cyber profession?

Questions 20 and 21 considered whether there should be a register of practitioners for the profession, similar to the medical and legal professions. The consultation proposed that a register would set out the practitioners who had met the eligibility requirements to be recognised as a suitably-qualified and ethical senior practitioner under a designated title award. This could include periodic reviews to ensure practitioners continue to meet competence and ethical requirements.

Question 20: To what extent do you agree or disagree, ranging from fully agree to fully disagree, that there should be a centrally-held Register of Practitioners for the cyber profession?

In response to question 20, a total of 554 responses were recorded. 464 came from individuals (84%) and 90 from organisations (16%).

Most respondents (54%) disagreed that there should be a centrally-held Register of Practitioners for the cyber profession, out of which 78% fully disagreed. There was a substantial difference between the responses of individuals and organisations. More organisations tended to agree that there should be a centrally-held Register of Practitioners for the cyber profession (57%) out of which 63% of organisations mostly agreed. On the other hand, more individuals tended to disagree with this proposal (58%), of which 79% fully disagreed.

Question 21: To what extent do you agree or disagree, ranging from fully agree to fully disagree, that the Register of Practitioners should include a periodic review to ensure practitioners continue to meet competence and ethical requirements?

A total of 551 responses were recorded, out of which 461 came from individuals (84%) and 90 came from organisations (16%).

There was an even split between those who agreed and disagreed (both at 44%) but there was a sizable divide between responses from individuals and organisations. More organisations tended to agree that the Register of Practitioners should include a periodic review (68%), out of which 54% of organisations fully agreed. On the other hand, more individuals tended to disagree with this proposal (49%), out of which 78% of individuals fully disagreed.

Questions 20-21 Government response

The Council has announced that it will create a voluntary register listing individuals who are accredited at different levels, including chartered level. Government supports this initiative to create a voluntary register, which will enable employers to identify competence easily and employees to have their competence recognised by employers.

Section 6: Would regulatory intervention cause overlaps with existing legislative arrangements?

The consultation explored the need for legislation to underpin and embed professional standards and pathways; however, there are already many initiatives designed to manage cyber risk effectively across the UK. Questions 23 and 23a asked for feedback on what overlaps there might be with existing legislation.

Question 23: Do you consider there to be any perceived risks or overlaps with existing legislative arrangements, particularly in devolved nations?

In response to question 23, a total of 549 responses were recorded, out of which 460 came from individuals (84%) and 89 came from organisations (16%).

Overall, a large share of the respondents did not know if there were any perceived risks or overlaps with existing legislative arrangements (59%). For this question, a divide between individual and organisation responses was not observed, as most individuals and organisations did not know (60% and 51% respectively).

Question 23a: In what areas do you think there would be perceived risks or overlaps with existing legislative arrangements?

In total, 117 participants provided a supplementary qualitative response to this question. Respondents highlighted the risk of overlaps with existing legislative arrangements across international markets and suggested that regulation could put off organisations from having teams in the UK to avoid bureaucratic considerations.

Respondents emphasised that any regulation would have to be UK-wide to be effective. More broadly it was noted that, whilst not a legislative overlap, regulating by title could lead to overlap with existing standards and create additional barriers to entry and mobility within the industry.

Questions 23-23a Government response

We do not intend to pursue any legislative interventions at this point in time but recognise broader themes in response to these questions, which have appeared throughout the consultation, about the importance of international alignment, alignment with devolved and non-devolved nations and avoiding barriers to entry.

Section 7: Should the government align procurement and recruitment processes with the Council’s standards?

Questions 24 and 25 asked whether government procurement processes should align with Council standards and whether, as a major employer of cyber security professionals, government departments and public sector bodies should align recruitment and professional development standards to those developed through the Council.

Question 24: To what extent would it be helpful or unhelpful, ranging from very helpful to very unhelpful, to explore introducing public procurement routes to embed competency requirements for the market, as it relates to cyber professionals?

Figure 6: The extent to which individuals and organisations consider it helpful or unhelpful to explore introducing public procurement routes to embed competency requirements for the market.

Base: 536 responses, 447 individuals (83%), 89 organisations (17%)

A total of 536 responses were recorded, out of which 447 came from individuals (83%) and 89 came from organisations (17%).

38% of respondents thought that introducing public procurement routes to embed competency requirements for the market, as it relates to cyber professionals, would be unhelpful, while 36% of respondents were of the opinion that the proposal would be helpful. Most individuals, however, thought that this proposal would be unhelpful (41%) out of which 76% of individuals thought it would be very unhelpful. Conversely, most organisations felt that this proposal would be helpful (52%) out of which 54% of organisations believed that introducing public procurement routes would be very helpful. A total of 13% of respondents felt that the proposal would be neither helpful nor unhelpful. 14% of respondents said they did not know.

Question 25: To what extent do you agree or disagree, ranging from fully agree to fully disagree, that government departments and relevant public sector bodies should align recruitment and professional development standards to those developed by the UK Cyber Security Council?

In response to this question, a total of 85 responses were recorded, out of which 74 came from individuals (87%) and 11 came from organisations (13%).

Overall, the majority of respondents tended to agree that government departments and relevant public sector bodies should align recruitment and professional development standards to those developed by the UK Cyber Security Council (42%). There was a discrepancy between responses from individuals and organisations. Most individuals agreed with the proposal (43%), out of which 63% of individuals mostly agreed. On the other hand, most organisations neither agreed nor disagreed with the proposal (45%).

Questions 24-25: Government response

We will review the rules applied to government procurement and consider how these could take into account the Council’s standards as they develop up until 2025.

As set out in the Government Cyber Security Strategy, we are committed to developing the right cyber security skills and knowledge across government. The Government Security Profession will map existing government career frameworks - which set out the required knowledge and skills for cyber security professionals employed by the UK government - to the Council’s standards wherever possible as they are created.

Section 8: Should further voluntary certification schemes be created?

Questions 26 and 27 considered whether further voluntary certification schemes would be beneficial and whether the Certified Cyber Professional scheme (CCP) or Cyber Essentials should align with Council standards.

Question 26: Should the government and/or the UK Cyber Security Council continue to explore the creation of a further voluntary certification scheme that is aligned to existing programmes?

In response to question 26, a total of 536 responses were recorded, out of which 447 came from individuals (83%) and 89 came from organisations (17%). On the whole, most respondents were in favour of the government and/or the UK Cyber Security Council continuing to explore the creation of a further voluntary certification scheme that aligned to the existing programme (48%). 36% of respondents were not in favour of this, and 15% of respondents answered that they did not know. In other words, more individuals were in agreement with this proposal (46% as opposed to 39%) and similarly, more organisations agreed with this proposal than disagreed (62% compared to 22%).

Question 27: To what extent do you think it would be helpful or unhelpful, ranging from very helpful to very unhelpful, for Cyber Essentials and CCP (Cyber Certified Professional accreditation) to align their requirements with any future professional standards that may be set by the UK Cyber Security Council?

Figure 7: Extent to which individuals & organisations consider it helpful/unhelpful for Cyber Essentials & CCP accreditation to align their requirements with any future professional standards that may be set by the UK Cyber Security Council.

Base: 529 responses, 444 individuals (84%), 85 organisations (16%)

A total of 529 responses were recorded, out of which 444 came from individuals (84%) and 85 came from organisations (16%).

Overall, most respondents felt that it would be helpful for Cyber Essentials and CCP (Cyber Certified Professional accreditation) to align their requirements with any future professional standards that may be set by the UK Cyber Security Council (48%). 46% of individuals thought this would be helpful, out of which 54% indicated that it would be very helpful. By the same token, 59% of organisations thought this would be helpful, out of which 76% indicated that it would be very helpful.

Question 26 and 27: Government response

The Council is creating 16 professional standards that will align to existing programmes and certification schemes. As part of this process, the Council will create a careers and qualifications framework which will map the equivalence of existing domestic and international cyber security certifications across Council standards. We support the Council in their work to make it clear to practitioners and employers what certifications are needed within each specialism, and at the various professional levels.

The Council has announced that it will run the NCSC’s CCP scheme until the launch of Council standards. The Council and NCSC will continue to work together to ensure Council standards are considered as the foundation for other programmes NCSC offers.

Section 9: Are there any additional measures which could support cyber professionals and embed standards across the profession?

Questions 28-29a requested feedback on additional measures government could consider to support the cyber security sector and for thoughts on how it should avoid creating additional barriers to entry or progression.

Question 28: In addition to the proposals mentioned in the consultation document, what more could be done to further support cyber security professionals and the policy ambition to embed standards and pathways within the profession?

In total, 321 participants provided a qualitative response to this question. Participants volunteered a number of recommendations and opportunities to further support cyber security professionals. This included the provision of funding for training opportunities and support to increase access to the cyber security sector. Building engagement with younger people was also noted as important. It was suggested that this is achieved through educational levers to enhance awareness of cyber security, but also to encourage young people to consider cyber security as a profession. Clarity of pathways, particularly looking at certification and accreditation, was highlighted as an area where further support could be provided due to the multitude of certification schemes that are run currently.

Question 29: Do you consider there to be additional considerations required to ensure that these proposed measures will not provide unnecessary additional barriers to entry for candidates to enter and progress a career in cyber security?

A total of 528 responses were recorded, out of which 440 came from individuals (83%) and 88 came from organisations (17%). Most respondents were in agreement with the fact that there were additional considerations required to ensure that the proposed measures would not provide unnecessary additional barriers to entry for candidates to enter and progress a career in cyber security (62%). More specifically, 61% of individuals and 65% of organisations thought there were additional considerations to be taken into account.

Question 29a: (If yes) what additional measures could be considered?

In total, 272 participants provided a supplementary qualitative response to this question. Some respondents suggested that the cyber security workforce should not be regulated at this stage. Hiring practices, workplace inclusion and reducing barriers to entry were highlighted as important factors to improve and strengthen the profession. Participants noted that consideration should be given to the breadth of entry routes and career pathways, in order to recognise the various pipelines for talent and that roles are not homogeneous. The potential cost of any new measures was also raised as a barrier for practitioners and businesses alike.

Question 28 - 29a Government response

Respondents suggested a number of measures to further support cyber security professionals and embed standards.

It was suggested that government could provide funding and support for cyber security training programmes. Through its National Cyber Strategy, the government has committed to fund a number of programmes to increase the number of people who have the skills they need to enter the cyber workforce by 2025. We are boosting investment in the post-16 skills pipeline through the expansion of digital T Levels and employer-designed apprenticeships, the roll out of new higher technical qualifications, and the continuation of the CyberFirst bursaries scheme for undergraduates.

Likewise, we are broadening opportunities for the existing workforce by investing in upskilling and re-skilling options such as Skills Bootcamps and Free Courses for Jobs. In addition, through our Skills for Life funding we are supporting combined authorities to retrain and upskill citizens in cyber security and funding an adult retraining programme for those with no prior cyber security background or qualifications. We are also providing initial funding to the Council up until 2025.

It was further suggested that educational levers could be used to enhance cyber security awareness and engage younger people on cyber security. The government is committed to inspiring and supporting more young people to follow a technology pathway. Government is currently funding a number of youth-focused cyber programmes, including Cyber Explorers and the CyberFirst Girls competition. These are designed to reach a diverse range of students to inspire them to pursue a career in cyber security. In addition we are working to increase the uptake of computer science qualifications.

More widely, the government supports delivery of high quality and impartial careers information, advice and guidance to people of all ages in England, through the Careers & Enterprise Company (CEC) and National Careers Service. This includes working in partnership with industry to ensure young people have access to inspiring encounters with the world of work across a range of sectors.

Respondents noted that certification and accreditation pathways into cyber security could be made clearer. The UK Cyber Security Council is in the process of defining pathways into and through the initial 16 specialisms it has identified. An accreditation and certification framework will sit alongside these pathways, making it simple to understand the equivalence of existing qualifications and where these will add value for cyber security professionals.

The government is rolling out reforms to strengthen progression pathways between training offers. By the end of the decade, most post-16 technical education and training will be aligned to employer-led occupational standards and will correspond with occupational routes approved by the Institute for Apprenticeships and Technical Education (IfATE). These occupational routes will develop to account for pathways to and from specialist providers.

Respondents emphasised that the introduction of any new schemes should not hinder entry to the profession. The National Cyber Strategy committed to strengthening the cyber workforce, not just by increasing the number of people entering the profession but also by ensuring that cyber professionals come from a diverse pool of candidates. We will ensure that any new programmes or schemes designed to increase cyber skills will not hinder the entry and progression of diverse candidates, but rather support and encourage them.