GCHQ's infosec arm bins advisor accreditation scheme

GCHQ's communications security arm, CESG, has been accused of leaving a gaping hole in the government security advisor profession by axing its accreditation scheme.

The CESG Listed Advisor Scheme (CLAS), the accreditation programme for private sector consultants providing information assurance advice to the public, is to be closed in January next year. It means that some 700 approved advisers will lose their accreditation and customers will have no way of verifying whether security advisers have the necessary government expertise.

The scheme is to be replaced with Certified Cyber Security Consultancy, which accredits companies rather than individuals. However, no companies have yet signed up.

A survey of CLAS customers seen by The Register suggested that the many still valued the scheme.

One government-accredited security advisor who asked not to be named said the new "companies scheme" is at odds with Whitehall's agenda of working with SMEs, as it squeezes out independent advisers in favour of larger suppliers.

He said: "We seem to be running the risk of losing substantial numbers of potentially key individuals in a Cabinet Office driven information assurance brain drain away from government work."

The source claimed there had been zero consultation or discussion between CESG and the CLAS practitioner community as to the right balance for future information assurance regimes in the UK public sector.

"Instead of using 700 consultants with, lets assume 10 years experience each in every sector of central and local government, as suppliers and client side, and with many former civil servants of decades standing in their midst, CESG have decided - for reasons surely only they can explain - to drop the scheme wholesale and chase new (as yet poorly defined) models or working."

Another security advisor said: "The business change has been handled so badly. Even now CESG is still promoting CLAS on its website." He added: "But soon customers will be in a position where they have no way of knowing if this person knows about government security."

Another joked: "CESG has some good people, but they are clearly too busy listening to people's phone conversations to listen to the profession and government customers."

He added: "Customers are confused and puzzled about why it has been discontinued. When the companies replacement gets off the ground, it'll only be the big system integrators who benefit."

A fourth practitioner, who also asked not to be named, acknowledged that the scheme had not been perfect, but said issues around a perceived deterioration of skills could have been addressed without disregarding the whole programme.

A spokeswoman from CESG said it has decided to close CLAS "because both our customers and the CLAS Members' Forum itself told us it was no longer delivering the consistent, high quality, value for money consultancy needed. The replacement - Certified Cyber Security Consultancy - tackles these issues and is open to independent consultants who can demonstrate that they have the skills needed for the cyber security challenges of today. ®