A time to regulate?

With increasing attention being paid to cybersecurity across all areas of the economy, the government is consulting on the standards, structure and regulation of the cybersecurity profession. Hywel Davies considers the implications for Journal readers

The UK is a global leader in technology, in which we see high levels of investment and a fast-growing workforce. Many areas of the economy and public services are increasingly dependent on technology and the workforce that supports it, so we must remain resilient to cyber risks, especially in the new world we have entered recently. 

The government is currently consulting on the regulation of the cybersecurity profession1, following the launch, last March, of the UK Cyber Security Council, the professional body to lead the cyber workforce. The government is looking to the council to ‘raise the bar, acting as a force to raise standards and to ensure that people working in cyber are properly equipped to protect us from criminal gangs and hostile states’. 

The proposals being consulted on ‘look to provide clarity within the cybersecurity profession as it stands, [and] embed professional standards and pathways’. More significantly, it says that ‘this will recognise cyber as a profession similar to more established fields, such as accounting, law and engineering’.

The ambition is for the UK Cyber Security Council to be ‘suitably empowered to be the voice of the profession’. It needs to build governance, establish its leadership, and develop partnerships that can ‘achieve and embed clarity in the profession’. The government consultation seeks views on how to do this between 2022 and 2025.

There is also an explicit question about adding cybersecurity practitioners to the list of regulated professions. Interestingly, that includes lawyers and actuaries, but not accountants or engineers. It also fails to list architects, who are regulated under the Architects Act and will face stricter regulation as a result of Part five of the Building Safety Bill.

It is clear that the UK needs the highest standards of professionalism in cybersecurity; indeed, in the current circumstances, it must be a very high priority to secure the UK’s digital assets against hostile states as, and then to do all we can to maintain that security. Competent, professional people are vital to that endeavour, and it is essential that they are recognised and have clear standards to meet and maintain.

It is also clear that building services must play a part in this – in particular, that our IT and controls group and the Society of Digital Engineering are closely engaged in this ongoing activity. Those within the sector with an interest in building controls systems and digital engineering should be paying close attention to this consultation and considering how we, as building services engineers, should respond. 

There is also a potential irony in these proposals. In the pursuit of public interest, to protect us from hostile actors, the government is clearly prepared to contemplate adding cybersecurity professionals to the list of regulated professions. That may mean engineers working on building controls being regulated in future. 

Meanwhile, apart from architects and building control practitioners in the near future, under the Building Safety Bill, we seem to be content not to regulate any other professional construction activity. Not even when the consequences of the unqualified, underqualified or incompetent being given responsibility for certain roles carries the risk of catastrophic failure of a building. 

Is it time to reconsider the case for regulating the key professionals who work on ‘higher-risk buildings’, or other tall or complex buildings? Failure of structural, building services, façade or fire engineering can have severe consequences, as we very well know. 

We should wholeheartedly support improved standards of cybersecurity – in buildings and anywhere else. We should also ask, however, whether it is right that the only regulated engineer on a building will be the one dealing with cybersecurity in its systems – or perhaps keeping the information model secure – but not those engineering the actual structure? 

About the author

Dr Hywel Davies is technical director at CIBSE


1 Embedding standards and pathways across the cyber profession by 2025 bit.ly/CJMAR22HD2 

2 The European Communities (Recognition of Professional Qualifications) Regulations 1991 bit.ly/CJMar22HD