BCS response: Embedding standards and pathways across the cyber profession by 2025
Cyber security is a means to an end, which is to ensure organisations can securely go about their business in a digital world.
To achieve sustainable innovation and growth, organisations need to embed high standards of professional practice across many information technology specialisms, including cyber security.
Such specialisms might include, for example, data science, artificial intelligence, software engineering, or health informatics. Standards of professionalism in such strategically essential information technology specialisms need to be supported and recognised by government to at least the same extent as cyber security.
BCS welcomes the government’s ambition to embed high standards of professional practice and progression pathways across cyber security. BCS is a committed member of the UK Cyber Security Council and will act in good faith to implement government proposals in the consultation if they are taken forward.
However, we still hold the position first stated in 2016 that it is not clear there needs to be a new chartered status for cyber security when existing Chartered statuses can be contextualised to cyber security, which would avoid the unintended consequence of diluting practice or causing confusion in other professions.
In contrast to the consultation proposals, the approach being taken to professionalise data science is through a broad alliance of national bodies, led by the Royal Statistical Society, who are contextualising various existing Chartered statuses to data science (further details are given in the following section).
Government recognised this initiative in the National Data Strategy. It would be logical for cyber security to follow a similar approach, led by the UK Cyber Security Council.
BCS recommends:
- Government proactively sets the expectation that information technology practitioners in highly responsible roles are professionally registered and, whenever possible, hold an approved Chartered designation (for example CEng, CStat, CMath or CITP, or, in the case of the NHS, registration with FEDIP).
- Government proposals to ‘lead by example’ in cyber security professionalism are applied equally to professionalism in all information technology specialisms that are critical to the National Innovation Strategy, National Data Strategy, National Artificial Intelligence Strategy and the forthcoming national digital strategy. The introduction of requirements around procurement and broader alignment on recruitment across government and the public sector should apply equally to all strategically essential information technology specialisms, such as data science, artificial intelligence, software engineering and health informatics, as well as cyber security.
- The UK Cyber Security Council works collaboratively with key stakeholders to ensure its efforts strengthen professional practice across related areas, for example by recognising Chartered statuses from other professional bodies that are appropriately contextualised to cyber security, such as in engineering, health and information technology.
- Safeguards are put in place to ensure professional standards and professional registration provided through the UK Cyber Security Council are cohesive with and do not inadvertently undermine or cause fragmentation of professional standards or professional registration in information technology, engineering, data science or health informatics.
Equivalence of strategically essential information technology specialisms
To achieve the government’s wider strategic objectives of sustainable growth, enabling responsible innovation, and rapid digitalisation of the public and private sectors across all of the UK, the cyber security proposals need to be accompanied by similarly ambitious government proposals for embedding high standards of professional practice and progression pathways across other strategically essential information technology specialisms, such as health and care informatics, data science, artificial intelligence and software engineering.
Through various national strategies (mentioned above) government has put in place a range of welcome measures that are supportive of professional standards and progression pathways in various key information technology specialisms, but not to the same level that is proposed for cyber security.
This is inconsistent and needs to be addressed, given that other information technology specialisms that are as important as cyber security (such as those mentioned above) have the same challenges around embedding professional standards and progression pathways that cyber security has.
We believe it is important for government to set the expectation, including through its recruitment and procurement processes, that information technology practitioners, including those who specialise in cyber security, are professionally registered (for example with a Chartered designation such as CEng, CStat, CMath or CITP) whenever they work in a role where poor practice could result in significant harm to individuals or society. This is a logical and appropriate extension of the government’s intention to set such an expectation for cyber security.
This is particularly important in light of the work being done to professionalise data science by the Royal Statistical Society, BCS, the Institute for Mathematics and its Applications, the Operational Research Society, the National Physical Laboratory, and the Alan Turing Institute. That work is supported by the Royal Academy of Engineering and the Royal Society, and will allow data scientists to achieve Chartered status through a range of appropriate bodies.
Fragmentation and undermining of professional practices
Cyber security (like data science) is a team sport. Different people from different parts of an organisation doing different jobs contribute to the overall cyber security of an organisation. It is not only those with full-time jobs in cyber security, such as a Chief Information Security Officer, who have a major responsibility.
Others with major responsibility include, for example, the Data Protection Officer, the Chief Systems Architect, the Chief Data Engineer, and database administrators. To some degree cyber security is part of the job of everybody who touches information technology systems, and the professional standards they work to will determine how secure an organisation is.
We believe it is vital that measures to improve cyber security professional practice do not inadvertently undermine or cause fragmentation of professional practice across other information technology specialisms by introducing competing or conflicting standards with those already established and recognised through Chartered status from existing professional bodies.
It is essential that professional registration for cyber security practitioners should be coherent with and mutually supportive of other relevant Chartered statuses in engineering, statistics, mathematics and information technology.
For example, in the NHS the Federation for Informatics Professions (FEDIP) provides the only public register for all informatics professionals in the UK dedicated to delivering better health and care through the advanced use of technology. Some NHS informatics professionals will have significant cyber security responsibilities.
If they are professionally registered through FEDIP, with suitable contextualisation for cyber security, their professionalism should be recognised as meeting the appropriate standard by the UK Cyber Security Council. In a similar way, the Council should act in good faith in ensuring it recognises appropriately contextualised Chartered statuses in other relevant fields, such as engineering or information technology.
Global standards
Professional qualifications and Chartered status for cyber security that are approved by the UK Cyber Security Council need to be aligned with existing employer-led skills frameworks such as SFIA that are globally adopted (SFIA has been adopted in, for example, Australia, New Zealand, Canada, Japan, and Saudi Arabia), as well as supporting appropriate pathways from apprenticeships to professional registration.
Inclusivity
Professional registration should be equally accessible to practitioners working in SMEs as well as those working in large corporations who have resources to support staff to develop through formal qualifications.
To ensure progression pathways are inclusive and attractive to as wide a range of practitioners as possible, an underpinning skills framework needs to support achieving professional registration through experience-based routes as well as ones that support progression through formal qualifications.
Working with government
BCS would welcome further opportunities to work with government to embed high standards of professional practice and progression pathways to Chartered statuses for all information technology practitioners, whether in cyber or other areas that are essential to technological sovereignty or delivering public benefit.