Hacking & Pen Testing | InfoSec Reviews Blog

The following is a discussion on LinkedIn between Terry Neal (CEO of InfoSec Skills) and Tony Campbell, which proved very useful in terms of explaining the position in the UK for new entrants wishing to come into the Information Security profession and how their careers might be further enhanced by getting on board an apprenticeship scheme.

From Terry Neal to InfoSec Skills LinkedIn Group…

Historically companies prefer to hire people with at least 2-3 years of experience for a specific job role. The next level would be graduates, who they can then train. What about apprentices and what age group would you be willing to take on? 16-19 years old with 100% training funded by the government or 19-21 years old with 50% of the training funded by the government?

Reply from Tony Campbell

Hi Terry

The thing that is missing in the UK (ripped from our society by the long reign of the last government) was the apprenticeship scheme whereby people could leave school at 16/17 years old but still have the ambition to do something with their lives. This was how our country got plumbers, electricians, carpenters, etc.; however, it’s certainly a process that works in other disciplines.

We need this back for our kids today. We need more plumbers, we need more electricians, and we certainly need more penetration testers. Kids of 16 who are bored with school, yet have an affinity for hacking (in the purest sense) should be able to leave school and take up a junior apprenticeship with a pen testing company, or a security consultancy, and learn pen testing on the job. This would be, like being an electrician, augmented by good quality training, but at the age of 20, after 4 years being mentored in a professional team, and 4 years of degree standard training, I know who I’d choose in a hiring session between the graduate with no professional experience, or the apprentice with qualifications (academic and professional) and the in-depth on-the-job experience.

I also find that kids of 16/17 are sponges. If they have decided to leave school to pursue a career, then they will want to do a good job. With the right framework, these directionless teenagers can become the ninja cyber security experts of tomorrow that our industry is sadly lacking.

Discuss

Tony

Reply from Terry Neal

Hi Tony, I think you hit the nail on the head with regards to “the right framework”. There were many good things that were part of the now removed/unfunded work placement and internship programs that would serve well in a single framework that could provide these opportunities for interns, students during their degree and for school leavers as part of an apprenticeship program. We need to reach as far back into the education system as possible and raise the level of security awareness + provide opportunities to fuel our ageing, depleting information security workforce with bright and talented young people that have the skills that employers want. “Bring back apprenticeships” I hear you cry. With the right framework and with government funding, for training during those apprenticeships, I believe we can.

If anyone has any thoughts and would like to contribute to this discussion on information security apprenticeships, please join in.

Reply From Tony Campbell

So what frameworks are available, Terry, to make this happen? There must be something going on with the various skills bodies in the UK to take this sort of idea forward?

Reply From Terry Neal

If you start with the Skills for the Information Age (SFIA) framework, which underpins the IISP framework, which underpins the CESG Certification for IA Specialists / CESG Certified Professional framework, with mapped skill sets and skills levels to specific job roles, then you can also map training and certification programs to those required skills so a person knows how they can achieve those roles over time.

With that alignment in place and beginning to mature, coupled with the government extant programmes that are already funding more apprenticeships, now is the right time to map our information security professional qualifications and certificates back to the QCF (Qualifications and Credits Framework) and the IISP’s framework. In doing so, new entrants to our industry can gain academic credits and professional qualifications during their participation in any such information security related apprenticeship program. This offers a choice to those between the ages of 16-19 or 19-21 as their route to professionalism, either through academia or combined with work experience. Which route might provide the most value to the candidate? Which route might provide the most value to industry?

A program called the “Cyber Security Learning Pathways”, is well underway and is a great step in the right direction towards both apprenticeships and a continuing professional development framework.

The Cyber Security Learning Pathways program has received co-investment from the UK Commission for Employment and Skills through the Growth and Innovation Fund.

The Cyber Security Learning Pathways solution will set out the courses, qualifications and work experience needed for competence in security, from entry level through professional levels and up to the highest level of Chief Information Security Officer. They will consider the needs of those specialising in security and of those in all IT professional roles who need a level of security expertise. There will be a particular focus on the needs of employers in defence, utilities, financial services and crime prevention.

InfoSec Skills fully supports and participates in the Cyber Security Learning Pathways program by sitting on the Steering Group, by combining a range of our foundation and practitioner courses to support multiple learning pathways at different levels and within different disciplines, and by writing new courses to fill in the gaps. We also support the CESG certification scheme with our current focus being on the role of the security architect, with our CSAP and CPSA courses, and more courses are planned to support other roles that are defined in the CESG Certification for IA Specialists.

I am committed to our goal that sees government supported and funded information security apprenticeships that also have the full backing of the information security employer community and I believe that both the CESG certification scheme and the Cyber Security Learning Pathways program have gravitas.

I will keep you informed on our progress.

Further reading:

SFIA Framework
IISP Skills Framework
CESG Certification for IA Specialists
Cyber Security Learning Pathways