Policy paper

Statement from HM Government on the adoption of UK Cyber Security Council standards

Published 15 May 2024

This was published under the 2022 to 2024 Sunak Conservative government

Statement

HM Government to strengthen its approach to cyber skills by embedding UK Cyber Security Council standards across its cyber workforce by 2025.

Cyber attacks on public institutions, coupled with a heightened awareness of the intent and capabilities of malicious state actors, serve as a reminder that cyber risks are increasing in terms of frequency, severity, and complexity. Without a first-class cyber security workforce, we cannot be resilient against current threats. It has been challenging for employers to understand whether they have the skills they need, and it has been equally difficult for people to demonstrate their own competence and to progress their careers. These problems are addressed in other professions, like engineering and audit, through standards and regulated professional titles. Cyber security should be no different. 

The National Cyber Strategy clearly sets out the criticality of building cyber skills at a national level as a mechanism for achieving our goal of operating as a responsible and democratic cyber power. In support of this ambition, over the past few years, the UK government has supported the establishment of the UK Cyber Security Council underpinned by Royal Charter. The Council will define the professional standards for cyber security professionals operating in the UK. It will oversee the bodies licensed to assess against those standards and hold the register of cyber security practitioners in the UK. The Council will simplify today’s complex landscape of qualifications, providing clear pathways for practitioners and employers.

The establishment of the Council marks a significant shift. It allows organisations to reassure themselves of their own organisational capability, to recruit with greater clarity and to offer more structured development to retain the best. The Council’s professional standards and associated titles allow us to collectively raise the bar of cyber security competence, increasing the nation’s cyber resilience and clearly communicating what a career in cyber security looks like. 

It is the responsibility of government, regulators, and industry to ensure professional titles are embedded across the cyber workforce. Acknowledging the nation’s cyber skills at every level will increase the UK’s ability to secure systems and respond to threats, so that it remains at the forefront of global cyber capability.

HM Government

Government commitments

The UK government will use UK Cyber Security Council professional standards and titles to maintain a clear and consistent career framework. Government will:

  • Map its Government Security Career Framework to Council professional titles and specialisms by 2025. This will provide certainty around the skills and competencies required by each professional role and show clear pathways into and across cyber security within government.
  • Map government cyber security training programmes, including Early Talent and leadership programmes, to Council standards.
  • Support government staff to achieve professional recognition and encourage senior government cyber professionals to become assessors, using their professional recognition to give back to the professional community.
  • Support cyber security specialists at the National Cyber Security Centre (NCSC) to gain Council recognition and use the Council standards to define the skills industry will need to deliver NCSC-recognised services.
  • Allow buyers of cyber security services in government to request that staff servicing contracts hold Council titles.

Further to these government commitments, regulators and industry have agreed the following:

Regulator commitments

All CNI regulators commit to:

  • Recognise the Council’s standards and promote them across their regulated industries as the benchmark for professional cyber security practice.
  • Continue to work with the Council and HMG on this topic in a spirit of partnership.

Individual regulators are committed to continuing to work with the Council and the NCSC in specific ways to meet the needs of their sectors.

Industry adoption of standards

The Cyber Growth Partnership (CGP), co-chaired by techUK, recognises the need for further professionalisation of the cyber security workforce, recognising high-quality cyber security practitioners and teams across all organisations, as we continue driving the growth of the UK cyber sector. As such:

  • The CGP strongly supports the UK Cyber Security Council (‘the Council’) ambition of widely offering chartered status to cyber security professionals and attracting new talent into the sector.
  • The CGP is committed to further collaborating with the Council to support the adoption of chartered status by industry.
  • To do this, the CGP will work with the Council to form a task and finish group which explores barriers to widespread adoption. The group will report its findings and present recommendations to the National Cyber Advisory Board later this year.