How I became a Cyber Essentials Plus assessor
TL;DR
- What is Cyber Essentials and why does it matter?
- The role of Cyber Essentials (CE) and Cyber Essentials Plus (CE+) assessors in protecting UK businesses
- The difference between a CE and CE+ assessor
- Becoming a CE assessor
- Becoming a CE+ assessor
- Challenges I faced and tips for success
Introduction
Cyber threats are a growing concern for businesses in the UK, making cybersecurity more important than ever. CE is a government-backed scheme that helps organisations protect themselves from common online attacks. But who ensures businesses follow the right security steps? That’s where CE assessors come in.
In this blog post I’ll share my journey to becoming a CE and CE+ assessor. From my first steps in cybersecurity to passing the required exams, I’ll give you insights into the process, the challenges I faced, and tips for anyone looking to enter this field. If you’re considering a career in cybersecurity, this post might just help you take the first step; if you’re a business looking to get certified in CE or CE+, it can help you understand the process.
What is CE, and why does it matter?
CE is the UK’s first line of defence against cyber threats, helping businesses protect themselves from the most common online attacks. This government-backed scheme focuses on five key security controls: firewalls, secure configuration, access control, malware protection, and software updates. The CE scheme is delivered by trained cybersecurity professionals, commonly known as assessors in the CE community.
The role of CE and CE+ assessors in protecting UK businesses
In today’s digital world, cyber threats are a constant concern for organisations across the UK. That’s where CE assessors come in, playing a critical role in keeping IT systems safe and secure.
As an assessor, your expertise helps ensure that businesses have the right protections in place to defend against online threats. Here are just a few of the key areas assessors focus on:
- Firewall Protection: Ensuring firewalls are set up to block unauthorised network traffic.
- Secure System Configurations: Making sure IT systems are correctly configured to minimise vulnerabilities.
- Controlled Access: Limiting administrative privileges to reduce the risk of security breaches.
- Malware Protection: Verifying that up-to-date software is in place to guard against malicious attacks.
- Regular Updates and Patch Management: Ensuring systems are regularly updated to fix vulnerabilities and stay secure.
The job of an assessor goes beyond ticking boxes; it’s about empowering organisations to strengthen their defences and stay ahead in the ever-changing cyber landscape.
The difference between a CE and CE+ assessor
As a CE assessor, your role involves reviewing written reports to determine if an organisation meets the five key CE security controls. As a CE+ assessor, however, you need to get hands-on and verify that the information provided in the written report is accurate. Being a CE+ assessor requires considerably more technical knowledge.
In short, a CE assessor is restricted to reviewing written reports, while a CE+ assessor reviews written reports and also performs technical assessments that verify the accuracy of what the report claims.
Becoming a CE assessor
I began my career as a Cyber Security Analyst before joining PTP as an Associate Security Consultant. I wasn’t entirely sure what my role would entail at PTP, but I was confident it would be an opportunity to grow and gain more experience in the field of cyber security.
During my initial interview for PTP, I was told that I would be taking a lot of exams. I didn’t fully grasp the weight of that statement until I began my journey to becoming a CE+ assessor.
To become a CE assessor, you typically need three years of experience and must be employed by a certification body, a company licensed to deliver the CE scheme. Interestingly, the scheme’s owners are now easing these requirements to encourage young people and people without an IT background to get involved through mentorship programmes. If you’re interested in starting a career in cyber security as a CE assessor but have little or no IT experience, you can reach out to [email protected] for helpful guidance and information.
Let’s get back to my journey. With my experience as a Cyber Security Analyst and being employed by a certification body, I met the requirements. The next step was to write an essay on key topics in cyber security.
The essay had a hard word count limit, and the topics focused on risk management and practical solutions to ensure businesses adopt the five key CE security controls: firewalls, secure configuration, access control, malware protection, and software updates.
The essay calls for you, as a cyber security professional, to provide valuable advice on IT risk management and ensure that IT infrastructures are set up and configured securely.
If you are successful, you will then be required to participate in a mandatory one-day in-person CE assessor training course. During this course, you’ll learn about the core CE processes and your responsibilities as a CE assessor.
At the end of the training you’ll take a multiple-choice exam, which will be entirely based on the content covered during the course. If you pass the multiple-choice exam, you’ll be granted your licence as a qualified CE assessor.
Becoming a CE+ assessor
To become a CE+ assessor, I had to take the Vulnerability Assessment Plus (VA+) exam, which is split into two parts: a practical element and a multiple-choice section. The exam requires a solid understanding of vulnerability assessment, computer networks, computer law, and Linux and Windows environments. There’s information on the VA+ exam here.
Note: If you have extensive experience in the cyber security field and hold an equivalent certification, such as OSCP, CSTM or CSTL, you don’t need to take the VA+ exam.
The VA+ exam demanded a great deal of dedication and effort. I invested considerable time in studying and honing my communication skills to ensure I could present information accurately and concisely, which I will go into more detail about later.
In the end, I was successful. After passing my VA+ exam, I signed up for a compulsory one-day, in-person CE+ assessor training course. This course delved deeper into the tasks required at the CE+ level. At the end of the training, I took a multiple-choice exam, which was entirely based on the course content. I passed, and became a fully licensed CE+ assessor.
My journey towards becoming a CE+ assessor wasn’t an easy one. However, with determination, hard work, and solid support from my team (Tom, Emmanuel, and Darren), it was possible.
Challenges I faced and tips for success
Finding balance: My journey in learning
Juggling study, work, and training wasn’t easy. Like many others, I found it difficult to stick to a structured learning plan, largely because of self-doubt. One of my biggest mistakes was believing I had to know everything right away. This unrealistic expectation led me to buy a 70-hour course on Udemy.
Don’t get me wrong, taking a 70-hour course isn’t bad. However, you must remember that Cyber Security is a vast and ever-evolving field; it’s simply impossible to know it all. The key is understanding that learning is a continuous journey. This understanding helped me narrow down and focus on areas that applied to the VA+ exam.
If you’re pursuing a career or certification in Cyber Security, here’s my advice:
- Focus on the Curriculum: Study in line with the exam requirements and avoid overwhelming yourself with unnecessary information.
- Believe in Yourself: Confidence is crucial. Trust your ability to learn and grow over time.
- Embrace Lifelong Learning: In Cyber Security, every day is an opportunity to learn something new.
Remember, progress is better than perfection. Stay curious, stay focused, and most importantly, believe in yourself.
The power of support: Learning from others
I was fortunate to have a supportive team that guided me throughout my learning journey. Their advice and encouragement made a huge difference.
If you’re pursuing a career in Cyber Security or preparing for an exam, I strongly recommend surrounding yourself with knowledgeable professionals who can mentor you. The Cyber Security community is incredibly welcoming and eager to help.
Here are a few tips to tap into that support:
- Join Study Groups: Collaborating with others keeps you motivated and offers fresh perspectives.
- Seek Mentorship: Experienced professionals who have been through the process can offer invaluable insights and practical advice.
Never underestimate the power of learning from others. The right guidance can make your journey smoother and more rewarding.
Building skills that matter
If you’re new to Cyber Security, it’s essential to build both theoretical knowledge and practical experience. The good news is that there are fantastic platforms to help you get hands-on training.
- Hack The Box and Try Hack Me: These platforms provide interactive environments to test your skills and learn in a practical way.
- Focus on Vulnerabilities: Understanding vulnerabilities and how to manage them is a crucial part of cyber security. I strongly recommend getting familiar with vulnerability management tools like Nessus.
By combining practical experience with a solid understanding of vulnerabilities, you’ll build a strong foundation for a successful career in Cyber Security. Keep learning, stay curious, and get stuck in.
Conclusion
CE is playing a crucial role in keeping the UK safe, especially during these times of cyber warfare. Through our work as cyber assessors, we have helped organisations strengthen their security posture and reduce cyber risks.
If your organisation is interested in learning more about CE and CE+ services, please feel free to contact our Consultancy team at Pen Test Partners; we’re here to support you on your journey.
Resources
Some resources to learn more: