Making sense of the changing UK Cyber Policing and Skills Scene

In my recent blog summarising the DCMS report on the State of the UK Cyber Security Sector I promised to summarise the changes to national and local cyber policing structures over the past year and similarly map relevant skills activities.  My original objective was to have these ready for the launch of the Cybersecurity Council. Then I decided to bring it forward to help promote the forthcoming SASIG Security Skills Festival.

But the budget will unleash a torrent of employment and skills related fraud, as criminals seize the opportunity to loot the new programmes, as they did to the Individual Learning Accounts after Y2K, at the same time as victimising job seekers and infiltrating those seeking to recruit new staff as they re-open for business.

There is an urgent need to make rapid use of the trusted partner programmes of the new Cyber Resilience Centres to help businesses of all sizes (and charities, schools, reputable training providers and others) to implement and check effective vetting, authorisation and access management processes, perhaps using digital identities that are worth more than the paper they are not printed on. You can learn more at the UK Identity Fraud Advisory event on 18th March.

What follows is “work in progress”. Some of the most important sections are still missing. Others may need correction. But I hope readers will find it useful and will help those who have to fill the gaps and make the linkages after the launch of the Cybersecurity Council and the recruitment of members and sponsors to pay for the work necessary. In the meantime I will insert the material sent to me.

Background:

The scale and nature of demand for cybersecurity skills have changed radically over the past year in the face of transformations in the threats and responses needed. Fraud is now perceived as a national threat. The structure and nature of the UK police response is changing with Cyber Resilience Centres mapped onto the ROCUs and the automation of intelligence gathering to aid targeted response. Cybersecurity has become an £8.9 billion business in the UK.

The way demand for cybersecurity skills is measured has not kept pace. The statistical definitions commonly used reflect neither the skills in demand nor those used to analyse the structure of the industry. Those for cyberwarfare, needed by GCHQ and MoD, overlap with those to protect Megabank and its Customers, but are not the same. They, in turn, overlap with those to protect children, adults and microbusinesses, but are not the same. Those to secure critical national infrastructures, on-line networks and connected devices also overlap, but are not the same.

A focus on the areas of overlap, defining these as “the profession”, is essential if we are to improve the supply of those competent to handle the areas of overlap, but it is not enough. In consequence the work to create the Cyber Security Council is essential, but not enough. The scale and nature of its outreach programmes will be critical. But they will, in turn, depend on the support it receives after the launch, including from Government as the UK’s largest employer and victim.

There may be a shortage of “Professionals” competent to protect large organisations from targeted attacks by organised crime but there is a much bigger shortage (proportions and numbers) of “Technicians” capable of helping advise and protect SMEs and end-users. Then there are the issues of training end-users to protect themselves and what to do when “attacked” or victimised.

We need to unpack demand for digital and cyber skills and map these regionally and locally onto the new structures for policing and the four “P”s: prevent, pursue, protect and prepare. We then need to take effective action to attract and train those with the skills necessary and ensure they are provided with employment frameworks and terms of reference which enable them to work together constructively, including with other trades and professions.

Contents

1 Unpacking Demand

2 The Police Structures and Strategies

3 Skills Initiatives and Partnerships

4 Points of leverage

5 Action Plan

6 Appendices – Qualifications, Sources of Guidance

1 Unpacking Demand

The main current focus, including of those planning the Cybersecurity Skills Council, is on:

  • the needs of those collectively seeking a few hundred post-graduates with “deep skills”,
  • the needs of those collectively seeking thousands capable of becoming rounded “professionals”, for a relatively small number of security consultancies and large organisations,
  • opening up alternative career paths as technicians (e.g. penetration testers) for individuals with “extreme talent” who would otherwise be at risk of recruitment by organised crime.

Demand can be split between the providers of cybersecurity products and services (including the security services and law enforcement such as MoD, GCHQ and those in their supply chains) and their customers.

The recent  DCMS Analysis of the UK Cybersecurity Industry indicates that the supply side currently employs the equivalent of 47,000 full time staff. Two thirds work in the cyber-security operations of under 150 service and/or product suppliers, in teams averaging over 200 staff, i.e. large enough to have in-house training and/or apprenticeship operations. Most are within large telco, defence, consulting, product or outsourcing operations. Most of the other 15,000 work in fewer than 200 specialist operations large enough (teams averaging a little over 50) to employ and supervise more than a couple of trainees.

To put this in wider context: the UK has only 7,500 businesses with more than 250 staff, i.e. likely to consider hiring a security technician/professional. There are only 42,000 businesses with more than 50 staff, i.e. likely to have a member of staff with the digital competence to enable the organisation to meet the expectations for Cyber Essentials.

By contrast there are over 1.4 million businesses with under 50 staff, plus several million sole traders who need access to affordable “virtual CISO” services. That implies local support operations (not just on-line services), with staff competent to the level of (for example) CompTIA Security+.

But most employers also need sector and/or application specific skills e.g. to secure financial services, hospitality, logistics/transport, retail, construction, critical infrastructure, light or heavy engineering, consumer, entertainment, sports, educational or employment products and services. The skills to develop, maintain and operate secure applications have seen the sharpest recent rise in demand, followed by those for cloud security. Meanwhile the skills in local demand vary geographically with the employment mix.

Thus an exercise some years ago to look at security skills sought by London-based financial services organisations (serving customers globally as well as nationally) found that the most serious gap was with those related to “Identity and Access Management”, developing and implementing systems (including people processes for checking claimed certifications, competence, experience, probity and qualifications) to help users decide who should be trusted, with what access, to which data, under what circumstances. These skills moved into crisis with lockdown and mass homeworking.

The exercise also found that organisations large enough to have career development and training frameworks rarely have HR staff with the skills and knowledge to organise and procure training related to Cybersecurity. The main exceptions were those for which this was a major business area: e.g. Accenture, BAe, BT, Deloitte, HP, IBM, KPMG, PWC, Qinetiq, EY etc. Several of these had “academies” organised in co-operation with large training providers like QA and BPP and/or Universities like Royal Holloway or Warwick.

Most such employers make heavy use of a limited number of training providers and/or universities. Thus BPP (now with University status) and its competitors handle the content delivery side of the “apprenticeship” programmes for most major accounting practices and law firms as well as for professional bodies such as the Chartered Institute of Marketing. DSS (part of Newham College) runs digital apprenticeship programmes for several large financial services employers as well as for O2.

2 The Police Structures and Strategies

2.1 The National Structure

UK Cyber Policing, including the National Cyber Crime Unit of the National Crime Agency, the National Cyber Security Centre, their intelligence sharing and response facilities (including what is now CiSP) and those organised by the National Police Chiefs’ Council have been re-organised locally and regionally to improve their shared capability to reduce cyber risk by collating intelligence (not just “reporting”) and responding collectively to common threats and major attacks.

2.2 The Regional Structures

The National Cybercrime Programme enables every police force in England and Wales to have a dedicated cybercrime unit in place, supported by a network of Regional Organised Crime Units (ROCUs). Each ROCU now links to a Cyber Resilience Centre (CRC). Constituted as a Not-for-Profit organisation, each CRC is a public/private partnership there to promote increased cyber resilience across the SME audience as well as the wider community. The CRCs provide free access to NCSC and Police Guidance using supervised cyber security students from participating universities, plus arrangements with trusted local and national partners (accredited to Cyber Essentials) to provide access to services including security awareness training, corporate internet investigation, individual internet investigation, remote vulnerability assessment, internal vulnerability assessment, web app vulnerability assessment, security policy review, cyber business continuity review and partner resource support.

The CRC for Manchester opened in 2019, with support from players like CGI, Northrop Grumman, NCC Group and Siemens and a consortium of five local Universities. The North East CRC is supported by Accenture and Sheffield Hallam and Northumbria Universities. The East Midlands is supported by Nottingham and De Montfort Universities. West Midlands is supported by Wolverhampton University. The South East includes the Thames Valley, has major users like Bank of America, Domino’s Pizza, Marriott Hotels and Save the Children on its board, and has links to Portsmouth and Southampton Universities and JISC. The South West has strong links to GCHQ and its supply chain. Those for Wales and the East of England are in the process of formation. Cyber Scotland brings together the longer established Scottish Business Resilience Centre (now in its 9th year) and the NCSC information sharing programmes. London is handled differently. UK Finance funds operations like the DCPCU. City of London Police host Action Fraud and the UK’s largest economic crime unit.

2.3 Incident Reporting

Police Cyber Alarm connects to police monitoring services to give a real-time view of potentially malicious activity as it happens. The service is designed for SMEs but could be used by larger firms and the public sector, such as schools. It shares personnel, analyses and tools with the bulk reporting processes that are also being piloted with large organisations in defence, aerospace, pharmaceutical, financial services, telecoms and some other sectors. Local support is via the Cyber Resilience Centres and the map on the website shows where it is live and where it will be released soon.

The key to improving intelligence collection, reporting, investigation and victim support at affordable cost is automation. The Cyber Help-Line is based on a three year old network of volunteer security professionals who developed a 24/7 chatbot that appears to be 80% accurate in identifying the problems faced by individuals and sole-traders.

Their 60 or so volunteers currently handle 4 – 500 cases a month. They need many times that number to enable the service to be expanded and linked locally to the Cyber Resilience Centres, let alone to the Cyberhood Watch component of the Neighbourhood Watch network.

2.4 Guidance

There is a need to complement and support the new structures with practical and realistic guidance on self-protection and reporting for use by Neighbourhood Watch, Business Watch and Safer Neighbourhood Partnerships and Teams as well as by public and private sector organisations of all shapes and sizes.  That implies  linking, extending and publicising current programmes such as NCSC Cyberware (currently only 27,000 followers) and Get Safe On-line. That will entail persuading those providing the current wealth (see Appendix) of segmented guidance to co-operate in conveying common and complementary messages to those they do not reach, as well as those they do.

The resultant materials also need to be packaged, with regularly updated cross references, for inclusion in Section 5 (being Safe and Responsible On-line) of programmes delivered to the National Standards for Essential Digital skills.

Many of the Cybersecurity skills partnerships, local and national, that are beginning to emerge to harness currently neglected talent are organised by professional bodies and trade associations also involved with the work to create the Cybersecurity Skills Council as an umbrella.

3 Skills Initiatives and Partnerships

3.1 Apprenticeships

The Institute for Apprenticeships is part of a triumvirate with Ofqual and Ofsted which agrees standards, funding levels and providers for programmes which can be charged against the apprenticeship levy via ESFA listed training providers, before unspent funds revert to HM Treasury.

 The Cybersecurity standards are:

Cyber security technician, Level 3 – £11,000 – provided via DSS, SWATPRO and 12 others, EPA: BCS

(organised by e-Skills when the process excluded most industry recognised qualifications).

Cyber security technologist, Level 4, £18,000 – organised via BPP, DSS, Firebrand, QA, 2 ITECs, 19 FE Colleges, 30 others. EPA: BCS, City and Guilds, Accelerate (includes CompTIA Security+ etc.)

Cyber Intrusion Analyst – Level 4, £18,000 – via DSS, Firebrand, Barking and Dagenham, Plymouth City and 3 other FE Colleges, 10 others (focussed more on the needs of large organisations)

Cyber security technical professional – level 6, £24,000, organised by TP Degrees: via QA, De Montfort, Central Lancashire, Edinburgh Napier, Northumbria, Gloucestershire, Bedfordshire, Croydon College (degree linked apprenticeships organised by TP Degrees, now part of TechUK)

Other standards relevant to converged (cyber and physical) security, crime and investigation include:

Security First Line Manager level 3 £5,000 Organised by G4S

Intelligence Analyst – level 4 £11,000 – led by Home Office

Counter Fraud Investigator – Level 4 £15,000 – organised by HMRC

Serious and Complex Crime Investigator – level 6 £19,000 – organised by NCA

3.2 Other programmes include:
3.3 Generic Careers Guidance Programmes (see 3.n for Cybersecurity Careers Programmes)

The main source of guidance for most Employers and Schools is the Careers and Enterprise Company  with 3,500 advisors serving over 2,000 schools via LEP partnerships, including “Careers Hubs” bringing over half of them alongside local colleges, careers professionals, universities and employers with support from over 100 national employers.  Founders4Schools works with the Careers and Enterprise Company and others to connect business leaders with over a thousand schools. There are also 30,000 STEM Ambassadors grouped into 19  regional STEM hubs.  Other employer and industry groupings with careers activities include  FISSS, 5% Club.

3.4  Cyber Security Technical and Professional Partnerships

The leadership team of the Cyber Security Council due to be launched on April 2nd has been announced. The Council is to:

  • be the self-regulatory body for the Cyber Profession
  • support the delivery of the Government Cyber strategy
  • set standards nationally and internationally for the profession with ethical guidelines

The UK technical authority will remain the NCSC. The role of the Council is complementary, setting professional standards and providing a voice to the technical authority from the profession.

The founding partners are (ISC2), BCS, CIISEC, CIPD, CompTIA, CREST, CSFS, Engineering Council, IAAC, IAP, IET, InstMC , ISACA,  Security Institute, Tech UK and WCIT.

The four pillars are:

  • Professional development: The Council will begin by mapping the qualifications and certifications already available back to the knowledge areas in CyBOK, and through that to create pathways so people can find how to enter and navigate their way through the profession. (See Appendix for Qualifications accredited by the founding members)
  • Outreach and Diversity: the long term focus is pupils before they decide their educational direction (boys 12-14, girls earlier). Shorter term it is on recruitment from parallel disciplines. There is also a need to look at gender, ethnic and neuro diversity and at inclusivity.
  • Ethics: enforcement against agreed baseline standards will be through the professional bodies, with the Council providing assurance and a route for appeal.
  • Thought leadership and influence with regard to new technologies, e.g. Cloud, AI, Machine Learning, Quantum. NCSC provides technical guidance.

The Council has to be self-sustaining after seed corn funding from DCMS. Membership will be open to any organization that can show that it has an interest in developing the profession and for which cyber security is a core or important part of what they do. That will include professional bodies, training, certification and qualification providers, plus a range of employers of cybersecurity professionals to help ensure that the needs of the public sector, defence, transport, finance and health are covered.

3.5 Other cybersecurity qualification/certification providers and their programmes include:

AWS, CISCO, IBM, Microsoft, Oracle, Samsung, SAP, Juniper, Palo Alto, SANS, Open University, City and Guilds, Pearson, Huawei. IASME runs the Cybersecurity Essentials certification that is mandatory for those in Government procurement supply chains.

3.6 Education, Training, Geographic and Application Sector Partnerships 

Cybersecurity Talent Attraction and Careers Guidance programmes include: Cyberfirst (the umbrella for NCSC funded competitions and courses), Cybersecurity Challenge (funded by an industry consortium) and Cybergirls First (employer supported schools events to stimulate wider engagement).

Association of Career Colleges: Two Cyberhubs are operational (Plymouth and Barking and Dagenham). Two are expected to be operational within three months (Birmingham and Liverpool). Another is expected to be operational by summer (Manchester). Subject to the success of the first five the lead sponsor (AWS) has agreed to support one per Career College (currently 22).

TP Degrees is the accreditation operation previously run by e-Skills, now a subsidiary of Tech UK. It is used by over 200 employers and 38 Colleges/Universities for their degrees and apprenticeships.

University Technical Colleges: UTC Cybergroup (21, including MATs giving a total of over 50 Schools). Sponsors include Fujitsu who sponsored an on-line challenge day with Immersive Labs attended by over 800 pupils.

UK Finance (which funds the DCPCU, Financial Fraud Action etc).

Global Cyber Alliance  Anglo-US which uses the proceeds of crime to reduce vulnerabilities by providing free tool-kits

Vendorcom Brings together on-line payment and transaction providers

West Midlands Digital Road Map: BT, PWC, Lloyds Bank, Microsoft, Google, Coursera, Good Things, Fircroft College, Dudley College, Halesowen College, Birmingham University, OU, CompTIA

3.7. Apprenticeship, Training and Awareness Providers:

Althaus digital apprenticeship (including Cyber) provider. Runs the D2N2 cybersecurity boot camps.

Bluescreen IT  cyber-security audit and skills provider to defence and aerospace operating to international (NATO) not just UK standards. It pioneered the cyberhub: secure, shared, networked skills incubators-cum-SOCs, operating within contractual processes for ethical co-operation.

Bobs Business a small business security training co-operation which grew out of the EU-funded collaboration which made South Yorkshire “the safest place to go on-line” in the UK.

DSS the digital arm of Newham College which also co-ordinates apprenticeship operations for London North of the River Thames. South Bank University does South of the Thames. Newham commonly works in tandem with QMUL

Firebrand has trained over 100,000 individuals since its launch in 2001. Its training centre in Wyboston is currently closed and all courses are on-line.

Good Things is the UK’s main digital inclusion charity running and/or involved with many digital literacy and inclusion programmes, national and locally.

Immersive labs Bristol-based multi-national providing AI based on-line cyber-security training materials and courses, including uncharged access for registered pupils and students.

Net Security high end cyber-security training for 11,000 individuals since 2003. Self-study modules are also available.

QA Probably the UK’s largest digital (including cyber security) training provider. Runs boot camp programmes for Amazon (e.g. Cloud Security for Army veterans, wives and dependents), BAe (thousands of applicants down to hundreds capable of UK eyes only security clearance) etc.

The Security Company Arguably the largest and best known UK-based provider of Corporate Security Awareness programmes.

3.8 Generic Training Providers with Digital/Cyber offerings include:

Learning Tree, Reed, The Knowledge Academy, Learning 247.

3.9 Recruitment Agencies and Sites include:

Barclay Simpson, Harvey Nash, Hays, Reed, Indeed

3.10 Identity and Access Management [to be added including references to]

Arrow  Thales, Forgerock  CIFAS

PCI-DSS  PCI Security Standards Council  Reed, The Knowledge Academy IT Governance

3.11  Applicant Screening:  [to be added ]

Reed Screening, Experian, GB Group, CIFAS etc

3.12 Data Protection and Information Governance [to be added]
3.13 onwards

Risk Management, Trading Standards, Investigation, Prosecution/Redress [to be added ]

4 Points of Leverage

 4.1 Formation and launch of the Cyber Security Council
The Cyber Security Council is expected to provide outreach to other relevant professional bodies, trade associations and regulators. To do so it will need far more resource than is currently envisaged.

The activities below should not divert effort from the formation and launch of the Council, but be progressed in parallel, with the expectation and intention that they will come under the aegis of the Council as it grows and matures.

4.2 Joining up guidance on reporting and safeguarding

NCSC has issued Cyber Aware for sole traders and small firms but has not yet produced guidance for individuals and families. It is focused on improving password practice, adopting two factor authentication, software updating and forwarding phishing e-mails.

There is currently fragmented guidance for reporting: scam texts, phone calls (e.g. Protecting you from scams | BT Help), phishing e-mails (e.g. simple forwarding or generic guidance), employment fraud (Safer Jobs), financial fraud (e.g. Take Five and Action Fraud) and the various types of abuse (e.g. Child Abuse, Hate Crime, Revenge Porn) and impersonation (e.g. Amazon, Apple, Facebook, Google, Instagram, Twitter etc.).

Given the scale and nature of fraud and impersonation, authoritative and reputable guidance needs to be accessible via robust, secure and usable (by a variety of audiences) front ends, including via:

  • Neighbourhood Watch and Safer Neighbourhood Partnership Teams,
  • Local Police Force and Cyber Resilience Centre Programme
  • Corporate websites (e.g. via links from “Report Abuse/Problem” buttons)
  • Schools, business, children and adults as well as professionals, technicians and advisors.

4.3 Guidance on public funding for training, on tax breaks and on use of the apprenticeship levy

Employers can claim £1,000 per Traineeship, which may range from 6 weeks to 6 months with varying requirements. Kickstart is for those aged 16 – 24 who are out of work, on Universal Credit and at risk of long-term unemployment. T-Levels require 45 week industry placements. The Essential Digital Skills entitlement is fully funded and covers basic skills.

There are varying incentives for apprenticeships according to age. There are also programmes to enable the re-use of unused apprenticeship levy – such as that being piloted under the aegis of the Positive Transformation Group with the Shaw Trust. There is also a need to promote guidance on good practice in running apprenticeships programmes such as that from Investors in People.

4.4 Guidance on identifying applicants and reputable training providers

There is a serious problem with education, training and employment fraud (from obtaining the credentials of applicants to enable access, through fees for worthless/unnecessary checks and qualifications, to the “insertion” of unqualified/malicious applicants). There are also issues to do with the quality, relevance, competence and probity of training providers. This problem will become very much worse, very quickly as fraudsters seek to exploit the skills programmes announced in the budget on 3rd March.

4.5 Guidance on Safeguarding pupils and students of all ages

Reference and links to London Grid for Learning, Safer Internet Centre, JISC, NSPCC, Elder Abuse etc. and new DfE funded SWGfL programme.

5 Action Plan

 5.1 Use the revision and completion of this paper to identify partners, publicity channels and invitees for the SASIG Skills Fest

5.2 Use the process to identify those interested in using the Skills Fest to pilot a secure (e.g. DNS checked) portal for use by schools, colleges, careers advisors, pupils and partners to access reputable careers information via Janet and the Grids for Learning

5.3 Use the revision of this paper in the light of experience and feed-back from the Skills Fest to help inform those planning the skills outreach programmes for the Security Council

5.4 Use the revision of this paper to help those seeking to join up activities at the local and regional, not just national, level.

5.5 Use the revision of this paper to help inform those planning and implementing policy development and implementation: central and local government, regulatory and corporate.

The audiences include Communication, Financial Services, Data Protection and other regulators as well as Home Office, BEIS, DCMS, DWP, Treasury and their agencies.

5.6 Use the revision of this paper to help form “coalitions of the willing”, publicise their success in moving from words to deeds, and encourage others to join them.

6 Appendices (yet to be completed) 

Appendix 1- Qualifications

Top 10 In order of demand

ITIL Foundation

CCNA Cisco Certified Network Associate

CISA Certified Information Systems Auditor

CCNP Cisco Certified Network Professional

Comptia A+

CISM Certified Information Security Manager

Comptia Security +

Comptia Network +

CCA-V Citrix Certified Associate – Virtualisation

AWS Certified Solutions Architect

Others from Security Council members

(ISC2),

BCS,

CIISEC,

CIPD,

CompTIA,

CREST,

CSFS,

IAP,

IET,

InstMC ,

ISACA,  CRISC, CGEIT, CDPSE

Security Institute,

Tech UK TP Degrees

Appendix – Sources of Guidance

Cyberaware

Get Safe Online | Free online security advice

Take Five – To Stop Fraud | To Stop Fraud (takefive-stopfraud.org.uk)

ScamSmart – Avoid investment and pension scams | FCA

Fraud guide | NatWest

Safer Jobs (safer-jobs.com)

Sexual violence and sexual harassment between children in schools and colleges (publishing.service.gov.uk)

Keeping children safe: code of practice (publishing.service.gov.uk)

Association of Child Protection Professionals (childprotectionprofessionals.org.uk)

Community Tech Support – ClearCommunityWeb
