The thousands of serious cyber attacks occurring daily highlight the critical need for a workforce with the requisite skillset and of sufficient size to meet growing and increasingly complex demands. Yet despite significant investments in the development of the cybersecurity workforce from governments across the globe, the U.S. and many other nations lack a sufficient supply of well-trained cybersecurity professionals. It is often argued that this workforce shortage, and the consequent openness to attack, is a pressing security threat facing the U.S. [1]
Professionalization (activities such as certification, licensure, and skill-based competency exams) has been advanced as a strategy for creating a workforce capable of addressing the growing cybersecurity threat. To explore this argument, the U.S. Department of Homeland Security sponsored a National Research Council committee, which we led. What follows are insights drawn largely from that study; although the impetus for asking the question at this moment came from the U.S. government, the issues and analysis apply generally. Our key question was: What role might professionalization play in enhancing the capacity and capability of the U.S. national cybersecurity workforce? This question led to a complex mosaic of answers to the cybersecurity workforce issue.
Despite descriptions of the cybersecurity workforce as a "profession," meaning a single occupational category, it is not one. Rather, cybersecurity is a broad field composed of many occupations spanning the range from highly technical to management- or policy-oriented. Some of these occupations may be ready for professionalization, while others are not. Others are yet to be defined. Still others may never be defined, either because roles and responsibilities change too rapidly to allow for categorization or because they are hybrid occupations that blend cybersecurity responsibilities with other, often unrelated work roles. Given the great diversity of roles, responsibilities, and contexts, the fact that professionalization measures may be warranted in a particular subfield and context should not be confused with a broad need for professionalization.
Before professionalization activities are undertaken for an occupation, the profession itself must have well-defined characteristics: stable knowledge and skill requirements, stable job roles, occupational boundaries, and career ladders.
The fact that the current cybersecurity workforce is a field of multiple occupations highlights a significant problem with current approaches to professionalization. Realistically, such professionalization can only be undertaken for specific occupations within the field, but not for the field as a whole.
Professionalization is the process by which an occupation (or an individual who works within that occupation) is transformed through education, training, and other activities into a professional. Each occupation must exhibit some set of well-defined characteristics before professionalization activities commence. Not all of these characteristics or standards must be met, but the level of occupational readiness for professionalization is higher when more of them are. Readiness for professionalization, however, does not imply the occupation should be professionalized, nor does it identify the appropriate professionalization mechanism. It simply means the occupation could be professionalized if circumstances warrant the activity. At this point, the question becomes what are the deficiencies within the occupation that could be alleviated through professionalization.
The process of professionalization is initiated based on some deficiency in the occupational workforce: a lack of public trust, questionable skill or performance, weak behavioral or ethical standards, low status, noncompliance with regulatory or legal requirements, ill-defined career pathways, or unregulated labor supply (when a steady flow of workers is desired or necessary). But as has been stated, the cybersecurity workforce challenge is one of capacity and capability. This statement, though compelling, is not sufficient to initiate professionalization activities.
Rather, we must unbundle this statement and ask difficult questions about the precise nature of the need. If the workforce need is for more accountability in the maintenance of hands-on skillsets within a particular occupation, then the professionalization mechanism should be focused on continuing education requirements and skill-based testing. If, on the other hand, the nature of the workforce challenge is related to troubling examples of ethical lapses, then professionalization activities should focus on some type of compliance mechanisms from a formal authority. The alignment of professionalization strategies with specific workforce challenges is necessary to ensure the deficiency is, in fact, addressed. It is also critical to ensuring the possible negative consequences of professionalization do not outweigh the good.
Even when the professionalization activity is aligned with the occupational deficiency, it will have associated trade-offs. These costs and benefits should be considered before embarking on a professionalization activity.
Do the benefits of a given professionalization mechanism outweigh the potential supply restrictions resulting from the additional barriers to entry? Professionalization can serve as a magnet that attracts people to the occupation, as a funnel that restricts the supply of people entering the occupation, or as a sieve that filters people out of the occupation based on increased requirements.
Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job? Certificates and certifications may provide useful tools for vetting job candidates, but overreliance on them may screen out some of the most talented and suitable individuals. This is particularly true in cybersecurity today, where some of the most effective workers develop their skillsets through informal methods (for example, self-taught hackers). Organizations that do not already have a sophisticated cybersecurity workforce may place a greater value on professionalization measures because they make it easier for them to identify qualified workers. However, at a time when few think the cybersecurity situation is improving, and where "sideways" thinking may be at a premium, creativity and innovation may be lost with overly rigid screening. Moreover, given the fluid and changing nature of cybersecurity work, the knowledge, skills, and abilities actually needed in a particular job can change, and workers' roles and responsibilities can also shift rapidly.
Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out of date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)? It takes time to reach consensus on the standards needed to establish a curriculum or certification, and it can be difficult to reach convergence, given the rate of change in underlying technologies and the rapid pace at which the context and threat evolve. Following receipt of a degree or certification, workers may stop developing their skills and knowledge. Strategies for addressing these challenges include focusing assessments as much as possible on fundamental concepts, segmenting a field (where possible) into sufficiently narrow specialty roles, adopting more nimble processes for updating content, and requiring continuing education and periodic recertification to refresh requirements.
These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may, thus, be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.
Continued attention to the capacity and capability of the cybersecurity workforce is needed. Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. But blanket professionalization strategies will hinder efforts to build a national cybersecurity workforce of sufficient size, scope, and ability to meet the demands of the rapidly evolving field. The criteria set forth in the National Research Council report Professionalization of the Nation's Cybersecurity Workforce? [2] can be used by decision-makers to judge when that time has come.
Activities by the U.S. federal government and other entities to professionalize cybersecurity should be undertaken only when the occupations and specific occupational characteristics have been defined, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits of those activities outweigh the costs. When stakeholders believe those conditions have been met, we suggest they convene subject matter experts to outline a professionalization strategy, including timeline, process, and other implementation details.
This process will take time. The path to professionalization of a field is slow and difficult, and not all portions of a field can or should be professionalized at the same time. Until that time, our work to develop a national cybersecurity workforce of sufficient capacity and capability should move away from overly broad generalizations based on anecdotal evidence and context-specific challenges, toward a set of targeted activities that meet identified and specific occupational workforce deficiencies.
The views expressed in this Viewpoint are those of the authors and do not necessarily reflect those of the National Research Council, the Committee on Professionalizing the Nation's Cybersecurity Workforce, which wrote the report, or the U.S. Department of Homeland Security, which sponsored the study.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2014 ACM, Inc.