Chartering a Cyber Future Strategy 2025


THE CHARTERED INSTITUTE FOR CYBER SECURITY CHARTERING A CYBER FUTURE STRATEGY 2025
CONTENTS

1. FOREWORD BY THE CHAIR
2. INTRODUCTION BY THE CEO
3. OUR VISION, MISSION & VALUES
4. OUR ACHIEVEMENTS IN 2021/2022
5. OUR THEORY OF CHANGE
6. OUR ROYAL CHARTER
7. POLICY CONTEXT
8. CYBER SECURITY SKILLS
9. 2025 STRATEGIC AIMS AND PRIORITIES
10. RAISE THE PROFILE
11. PROFESSIONAL TITLES
12. PROFESSIONAL ETHICS
13. CYBER CAREER FRAMEWORK
14. OUTREACH & DIVERSITY
15. THOUGHT LEADERSHIP & INFLUENCE
16. ORGANISATIONAL EXCELLENCE
17. THE FIVE PILLARS
18. ACKNOWLEDGEMENTS

FOREWORD FROM THE CHAIR

Cyber security is a key strategic sector in the UK, both in terms of the economy and for the long-term security of the nation’s homes, businesses and critical infrastructure. And having a strong and resilient cyber industry is paramount for the UK fulfilling its ambition to be recognised as a leading democratic cyber power on the world stage.

To achieve this, the UK must address its cyber security skills gap. According to the Department for Digital, Culture, Media and Sport’s recently published report, Cyber Security Skills in the UK Labour Market 2022, 51 per cent of businesses have a basic cyber security skills gap.

In other words, the people in charge of cyber security at those businesses do not feel equipped to carry out the basic tasks laid out in the Government-endorsed Cyber Essentials scheme.

At the same time, a third of businesses have advanced skills gaps in areas such as penetration testing, forensic analysis and security architecture.

The UK’s economy, our businesses and homes are intrinsically linked to the smooth running of digital processes and if that skills gap isn’t bridged, we leave ourselves dangerously exposed to cyberattacks and ransomware threats.

Cultivating a wider, deeper and more robust pool of cyber security practitioners is essential to tackling this challenge and creating a truly world class cyber industry here in the UK. We need to champion the industry and the exciting opportunities it can provide to a wide range of talented people right across the UK. That means reaching into diverse demographics and disciplines to foster a new generation of cyber specialists.

At the same time, we must clearly communicate the compelling argument that the presence of cyber expertise at the Board-level is critical to business continuity.

Cyber security – or lack thereof – is a serious and fundamental risk to growth at a time when resilience is most needed. By extension, it is a genuine threat to the UK’s economic prospects. Therefore, having senior cyber practitioners at the top table to ensure this is understood – and that decision makers feel equipped to make investment decisions which mitigate against this threat – is crucial.

With these challenges and opportunities ahead, the UK Cyber Security Council’s new strategic document – Chartering A Cyber Future Strategy 2025 – comes at a pivotal time. Our strategy has been developed in collaboration with key stakeholders and through engagement with industry professionals to ensure we are delivering an approach that works for the sector as a whole. The Council will continue to engage with and work alongside the industry to achieve our aim of being the voice of the cyber security sector.

The Council has an essential role to play in helping to create a world class cyber security industry here in the UK and its new strategy will play a central role in achieving this.


INTRODUCTION FROM THE CEO

It has been immensely rewarding for us to take stock and look back on the Council’s major achievements since its formation last year.

However, we have also seen the prevalence of cyber attacks increase over that time. This makes increased resolve and resilience across sectors increasingly important – and the ambition evidenced in the Government’s cyber vision and recent consultation essential.

Delivering on that ambition, some of the key highlights the Council has undertaken over the past twelve months include:



• Receiving Royal Chartership, permitting the Council to grant cyber practitioners with chartered status

• Supporting our colleagues at DCMS with the standards and pathways consultation

• Acting as a key delivery partner as part of the National Cyber Strategy 2022

• Delivering dozens of webinars and events to engage with stakeholders as we promote our vision for a broad, diverse sector with clear pathways for entry and progression

Overwhelmingly, the sector is aligned in its view that we must cement the UK as a democratic and responsible cyber power. It’s a vision echoed within our strategy, which outlines the Council’s vision and key objectives, as we work to make the UK one of the safest places in the world to live and work online.

To deliver on these objectives, we must work with the sector to pull together and find opportunity through adversity. Against the backdrop of an exponential rise in the number and severity of cyber-attacks globally, cyber in the UK faces significant challenges. In addition to a lack of diversity, it also faces an annual workforce shortfall of 14,100 people per year.

This is why I believe the industry needs aligned professional standards and a chartered model, if it is to stem the shortfall and address the cyber threats we face.

Our strategy is based around five pillars: Professional Standards, Ethics, Careers & Learning, Outreach & Diversity and Thought Leadership & Influence. And we believe by working in accordance with these pillars, we can help strengthen our industry and encourage new entrants from a diverse range of backgrounds.

Despite the challenges ahead, receiving Royal Charter status and completing DCMS’ consultation this year have put the wind in our sails.

We are excited to be launching our chartership pilot and establishing an ethical framework for cyber professionals in the UK. And we are also developing a career route map to aid entry into, and progression within, the sector. This will help demystify what it means to work in cyber and support our work to steward nationally recognised standards for the industry.

As we look ahead, there is much to be excited about. And when I reflect on this report next year, I want to be able to recognise significant progress made against the important work we see before us.

Professor Simon Hepburn FRSA

VALUES

Introduction

Values are the things that are important to an individual, or to a company. Clear, defined values show what you stand for, and the type of culture you are looking to create.

However, writing them down is not enough. They need to be lived. Breathed. Here at the UK Cyber Security Council, we do just that. Our values empower us, hold us accountable and drive us forward.

Integrity

This is our base. Our grounding. A fundamental consideration in everything that we do. We do the right thing, in the right way, to be the trusted voice for the cyber security profession.

Innovation

We don’t stand still. This profession is constantly evolving, and so are we. We focus on what we can do, using creativity and ingenuity to overcome challenges and drive best practice across the industry. We will be setting the standard for cyber security professionals and in doing so we will need new processes, ideas and solutions for the current landscape.

Inclusion

This means everyone. We embrace diversity of all kinds and the rich knowledge this empowers us with. We break down barriers, promote fairness and champion the need and the benefits for inclusion in all our activities.

Collaboration

We recognise the power in collaboration, within our teams and externally. Connecting and communicating with the widest range of people possible allows us to better represent and reflect the views of this diverse profession and bring forward evidence-led solutions to the challenges they face.

Excellence

We strive for excellence in everything that we do. We recognise and harness the skills in our team, and in our partners, and know that learning never stops. We will continuously review and evolve to ensure we are staying informed, relevant and impactful.


OUR ACHIEVEMENTS IN 2021/22

The UK Cyber Security Council has been in operation since March 2021 when we became a legal entity. From then to now we have focused on making a difference and impact on the profession.

The highlights below outline some of our key achievements in this period. The list is not exhaustive.

• The Queen approving the award of Royal Charter to the Council in November 2021

• The recruitment of the organisation’s first Chief Executive Officer, Simon Hepburn

• Significant collaborative discussions and engagement across UK Government

• UK National Roadshow – Showcasing our work on standards and career route map development

• UK National Consultation Roadshow – A roadshow providing an opportunity for the profession to discuss the embedding of standards and pathways consultation with colleagues from DCMS

• Celebrating Women in Cyber Event – A virtual event to celebrate women in cyber and to promote gender diversity in the profession

• London Cyber Skills Symposium – A virtual event to discuss the importance of the cyber security workforce within the finance and banking sector

• Strengthened organisational governance arrangements including the appointment of four new Board members and establishment of two sub committees

• Achievement of Cyber Essentials Certification

• Referenced as a key delivery partner in the National Cyber Strategy 2022

• Significant increase in media coverage including Computer Weekly, CSO Online and InfoSecurity Magazine

• Referenced as an action partner within the Decrypting Diversity Report

• Engagement with all devolved administrations: Scotland, Wales and Northern Ireland

• CEO became a formal member of the CyBOK Steering Committee

• Presented or spoke at events including for Department for Digital, Culture, Media and Sport (DCMS), National Cyber Security Centre (NCSC), The Security Awareness Special Interest Group (SASIG), The Chartered Society of Forensic Sciences, Information Assurance Advisory Council (IAAC) and Cyber Body of Knowledge (CyBOK)

• Growing the organisation through the recruitment of high calibre staff to deliver on our mission

• Over 250,000 views on our social media posts

OUR THEORY OF CHANGE

IMPACT

The UK has a world class and diverse cyber security sector, with expanded and enhanced skills at all levels

OUTCOMES

Strengthened dialogue between UKCSC and across sector and profession stakeholders

UKCSC VISION

To create a world where the whole of society is safe and secure in cyber space

Cross-cutting: Thought Leadership

Coordination between private and public sector stakeholders promotes the cyber profession

Pillar 1: Standards

Employers and recruiters adopt sector-wide standard on cyber qualifications

Professionals build cyber skills and expertise to strengthen employment opportunities

Pillar 2: Ethics

UKCSC establishes and promotes a sector-wide code of ethics

Employers enhance monitoring and deterrence practices against abuse and unethical behaviour

Pillar 3: Careers/Learning

Professionals have increased awareness of pathways to entering and progressing in the sector

Employers and teachers increase training and mentorship opportunities

Pillar 4: Outreach/Diversity

Diversity of the sector increased with greater inclusion of underrepresented groups

Professional opportunities increased through expanded outreach by UKCSC

PROBLEM STATEMENT

Limited public awareness of professional opportunities, lack of universal professional standards and ethical frameworks; poor diversity and inclusion within the UK cyber security industry, lack of consistency in vision across the sector; lack of universal qualifications or certifications

ASSUMPTIONS

• Consistency in alignment with HMG policy and regulations
• Financial stability through diversified funding
• Stakeholder engagement remains strong
• Conducive professional environment for cyber employees
• External shocks of adverse disruptions remain manageable
• Continued participation of members and partners

OUR ROYAL CHARTER

The UK Cyber Security Council achieved a world first in March of this year when it was granted a Charter of Incorporation by the Queen.

The key powers which the Royal Charter gives the Council are to develop and implement standards, good practice, codes of conduct and codes of ethics for academic and occupational achievement, competence and commitment, and the requirements for initial and continuing professional development across the cyber security profession.

It permits the Council to award the individual professional designation of “Chartered Cyber Security Professional” provided that a minimum qualification standard for Registration as a Chartered Cyber Security Professional is met.

The Charter allows the Council to admit as Licensees those organisations that demonstrate to the satisfaction of the Council their competence to assess individuals for Registration as Registrants, and which regulate the conduct of their members.

It also allows the Council to promote, undertake and commission research, surveys, studies or other work and to disseminate the useful results.

Work is now taking place to complete the legal transition of the Charitable body to the new Royal Chartered Body, and this will be completed by the end of the 2022-2023 financial year.


POLICY CONTEXT

In December 2021 the National Cyber Strategy was released. This important document lays out the UK Government’s policy and strategic direction for cyber.

The strategy sets out five priority areas for action (called “pillars”). Pillar one aims to strengthen the UK cyber ecosystem by investing in the UK’s people and skills and deepening the partnership between government, academia and industry.

Objective 2 under pillar 1 commits to ‘enhance and expand the nation’s cyber skills at every level, including through a world class and diverse cyber security profession that inspires and equips future talent’.

The UK Cyber Security Council will play a critical role in developing a world class cyber security profession and in this context will support the whole of the UK in achieving its objectives by 2030.

The strategic importance of the Council is recognised in the strategy, which notes that the Council is a world first for the cyber security profession and that it will establish professional standards and pathways into and through a cyber career, playing a major part in supporting young people and career changers to navigate a career in cyber.


CYBER SECURITY SKILLS

The latest DCMS report on cyber security skills in the UK labour market suggests that:

• ‘A high proportion of UK businesses continue to lack staff with the technical skills, incident response skills and governance skills needed to manage their cyber security’.

• ‘Management boards (outside the cyber sector) lack an understanding of cyber security’.

• 85% of individuals fulfilling cyber roles in private sector organisations (not in cyber sector firms) ‘have transitioned into this position from a previous non-cyber role’.

According to this report, we can identify two opposing trends in the current UK cyber security landscape:

• A limited awareness of professional development pathways and relevant training, and the existence of low-quality cyber security training in the external training market make it challenging to distinguish good and bad training.

• An increase in the demand for cyber security professionals by 58% from 2020 which leaves the UK cyber workforce market with an annual shortfall of c.14,100.

The technical skills areas most in demand include information security, network security and skills around ISO 27001. However, the skills gap goes beyond this. Almost half of those in lead private sector cyber roles, outside of the cyber sector itself, state they are not confident in their ability to carry out a cyber security risk assessment or develop cyber security policies. In addition, 4 out of 10 say they lack confidence carrying out data protection impact assessments or writing the cyber security aspects of business continuity plans.

This sets the background and identifies the training needs in which the UK Cyber Security Council must operate to ensure that we make a positive impact on the profession and provide the capabilities to address the cyber security challenges of UK businesses.


2025 STRATEGIC AIMS/PRIORITIES



We will raise the profile of the cyber security profession and the UK Cyber Security Council to expand visibility of the profession by demonstrating a discernible positive impact on the cyber ecosystem in all our workstream areas.



We will use outreach initiatives to address the longer-term skills gaps in the sector by working in partnership at all levels within the education sector, developing and distributing clear guidelines for those looking for a route into the sector, and by hosting the largest collection of cyber security case studies.



We will design schemes to award professional titles for the specialist areas representing the Cyber Security Lifecycle, producing an agreed standard for Chartered, Principal and Associate levels. We will ensure there are no financial barriers to entry and that equivalent experience is clearly demonstrable to formal qualifications under these schemes.



We will be a thought leader for the profession through our membership voice, links with academia, and our wide range of stakeholders. We will use our research findings to inform developments and feed into government activities.





We will develop an ethical framework in which the cyber security profession should operate by producing a Code of Ethics and Guiding Principles which are fit for purpose and set clear guidance on the ethical standards required of any individual or organisation, as well as defining the consequences of any breach or alleged breach of this Code.



We will create cyber career frameworks linked to the mapping of all certifications and qualifications within the sector. The route maps will be accessible to all stakeholders and will help to address the significant skills gap in the cyber profession by creating a clear action plan for people selecting cyber security as a career of choice, and those choosing to remain and advance in the sector.

We will be creating a fit for purpose Royal Incorporated Organisation to deliver on our mission through strong and sustainable governance structures which are representative of the profession and the four nations of the United Kingdom. We will have in place a strong, embedded leadership team who will drive forward organisational change leading to a self-sustaining organisation that is seen as one of the best places to work in the UK, thanks to its innovative people strategy and streamlined processes.


RAISE THE PROFILE

We will raise the profile of the UK Cyber Security Council and expand visibility of the profession by demonstrating a discernible positive impact on the cyber ecosystem in all our workstream areas. We will reach a wide audience across the industry through various engagement strategies including utilising our social media reach, issuing regular and relevant communications to our newsletter subscribers and by both hosting and attending high profile events as part of our annual events strategy. We will increase media coverage of the Council, highlighting the key issues faced by the sector and addressing how we plan to tackle these issues. We will gain the trust of the whole profession and be seen as the credible standards setter for the industry by building and expanding on the work of the formation team to ensure our standards, advice and guidance are up to date and reflect the changing landscape. We will take ownership of the Cyber Body of Knowledge (CyBOK) and, along with retaining the work of the Information Assurance Advisory Council (IAAC), we will create a central, searchable knowledge hub on our refreshed website. We will communicate our clear understanding to the industry and wider community of who we are, what we do and the value we add to enhancing cyber security across the UK.

PROFESSIONAL STANDARDS

We will design schemes to award the professional titles of Chartered, Principal and Associate, beginning with a pilot in Autumn 2022 for the Cyber Security Governance and Risk Management and Secure System Architecture and Design specialisms, ushering in the first Chartered cyber security professionals through this programme. This pilot will enable us to develop a robust, scalable model that provides assurance to all stakeholders, meets the needs of a diverse range of organisations within the profession, and does not create unnecessary barriers to entry or progression for professionals.

By 2025, all agreed specialisms will have been stood up, underpinned by a holistic, responsive and inclusive Standard, to represent the Cyber Security Life Cycle. A pipeline of candidates will produce individuals, who demonstrate the Gold Standard of expertise, excellence and professional conduct, and therefore are able to protect the UK’s Economy and Critical National Infrastructure. The Council will be the recognised ‘Standard Setter’ for the Cyber Security Industry. We will seek to educate and inform sector professionals, businesses and employers of our pilot programme progress, as well as how to identify suitable candidates for recruitment and how to use our professional standard to benchmark against.

• Cyber Security Governance and Risk Management: JUN 2022 Pilot
• Secure System Architecture & Design: JUN 2022 Pilot
• Cyber Security Generalist: FEB 2023
• Security Testing: MAR 2023
• Secure Operations: OCT 2023 TBC
• Cyber Security Audit & Assurance: MAY 2023 TBC
• Secure System Development: JAN 2024 TBC
• Cyber Security Management: MAR 2024 TBC

ETHICAL FRAMEWORK

The Council understand the importance of working ethically in cyber security, so we will reinforce this importance by developing an ethical framework in which the profession should operate, and which will help to build and maintain public confidence and trust. This framework will be shared with sector professionals, government, stakeholders, and the third sector, to ensure we are helping to make the UK the safest place to live and work online.

We will also seek to understand how strengthening ethics across the industry can support the retention of practitioners and ensure they can achieve personal fulfilment within the sector. As we enforce our ethical framework, we will investigate potential breaches of ethics and principles. We will make recommendations to ensure our members and registrants support our mission to enhance and expand the nation’s cyber skills, knowledge and profession.

CYBER CAREER FRAMEWORK

The Cyber Careers Framework aims to demystify and simplify career paths within cyber security, which will have a tangible impact through the reduction of the skills gap in the sector. Utilising collaboration with our stakeholders, we will design, develop and publish frameworks aligning to each of the agreed specialisms. The framework will cover areas such as qualification and certification, skills and behaviours, and knowledge and expertise. This will enable us to create and promote cyber career route maps which allow practitioners to develop specialised skills within the field of cyber security. A robust system of quality assurance and data validation will be in place, to ensure accuracy and reliability of information. The Cyber Careers Framework will be published on our website and accessible to all. It will add value to the career journey of prospective, new and established cyber security professionals. Our framework will be the building block for further education resources around progression within cyber security, from school age children through to late career-changers. We will host an interactive tool whereby anyone interested in starting a career in cyber security or moving through specialisms can access a personalised map of the steps they need to take to succeed, considering their current knowledge and experience.

We are working to promote a Cyber Careers Framework that allows professionals to develop specialised skills as well as the ability to change course at any point during their career. This helps to broaden skill sets, as well as support specialised skills if so desired. Once established, a framework stakeholder engagement strategy will be created to plan how to achieve maximum impact within the sector. This will include engaging with key stakeholders such as employers, employees, learners and sector leaders as well as presenting at jobs and careers fairs. We will also host our own conference, celebrating good practice and innovation in Cyber Security Skills Development. These areas are part of the Council’s desire to offer support to the profession and to ensure the protection and on-going wellbeing of the sector.


OUTREACH & DIVERSITY INITIATIVES

We will use outreach initiatives to address the longer-term skills gaps in the sector and set a clear strategy and workplan to deliver the ambitions of increasing diversity throughout the cyber security workforce across the UK. We will encourage, inform, and support those underrepresented within the sector such as women and people from ethnic minority backgrounds, to pursue a career within cyber security. We will do this by championing existing role models, hosting accessible and relatable events, publishing thought leadership pieces on the need for increased diversity, and inviting collaboration from professionals, businesses, and the wider community.

We will work in partnership with other organisations supporting young people to develop resources and initiatives to raise awareness of the cyber security sector and the opportunities available within it. Alongside this, we will use targeted initiatives and events to support and accelerate the increasing diversity of the sector. We will develop and distribute clear guidelines for those looking for a route into or through the profession. We will raise awareness of the breadth, depth and diversity of roles in and routes into the sector by highlighting individuals in industry, through written case studies and video content. By 2025 we will have established the provision of cyber security resources for all school children in Key Stages 1-5 and a Cyber Security Ambassadors Programme.

THOUGHT LEADERSHIP

We will establish trusted and authentic thought leadership pieces backed by data and with the support of our technical leads, to ensure we are speaking on the issues that matter to industry and having a clear voice in the conversation. We are the voice for the cyber security profession, and we will use that voice to amplify issues faced by professionals and businesses alike. Through our links with academia, our business stakeholders, and our members, we will inform developments and feed into government activities.

We will communicate our clear understanding of the industry and wider community by delivering a series of speaking events featuring thought leaders from across the profession to new and existing professionals, apprentices and students.

Through partnership working, we will build mutually beneficial relationships with key stakeholders across industry and education, both in the UK and internationally. We will commission and publish annual research papers to inform government activities, as well as reports, publications, and public-facing articles to inform the public of our work.


ORGANISATION EXCELLENCE

We will be creating a fit for purpose Royal Incorporated Organisation to deliver on our mission and excellence across the profession through a high performing team and organisation. We will have inclusive and accessible pathways to chartership in order to contribute to the recognition of cyber as a global profession. We will create a legal structure that enables the organisation to be self-funding, sustainable and scalable, by sourcing and generating alternative income streams to support the longer-term future of the organisation. We will have a Board of Trustees and committee structure which represents the profession and the policies of governments across England, Scotland, Wales and Northern Ireland, with successful training, development and succession planning schemes in place to provide governance opportunities to early-stage career professionals. We will be regarded as one of the best companies to work for in the UK through our people strategy, which will include embedding the organisation’s values and culture within our agile organisational design and establishing innovative schemes that enable the Council to recruit and retain the best talent. We will expand and upgrade our processes to ensure they are robust and meet quality standards, and we will develop the organisational processes with a data-first approach and utilise that data to drive innovation.


THE UK CYBER SECURITY COUNCIL’S FIVE PILLARS

Professional Standards

Setting the standards for practitioners across the sector

Professional Ethics

Creating and ensuring cyber professionals adhere to our Code of Ethics

Careers & Learning

Providing guidance on how to join and progress within cyber security

Outreach & Diversity

Striving for an inclusive and representative sector

Thought Leadership & Influence

Positioning the Council as the voice of the profession

ACKNOWLEDGEMENTS

With thanks to the staff and the Board of Trustees of the Council, Department for Digital, Culture, Media and Sport (DCMS), National Cyber Security Centre (NCSC), our organisation members, our members of working groups, to our advisory panels and to all of the individuals and organisations for their time, support, advice and guidance.

It is only through this support and collaboration that we will be able to achieve our mission.

Thank You