acm-header
Sign In

Communications of the ACM

Privacy and security

Would Cybersecurity Professionalization Help Address the Cybersecurity Crisis?


 Cybersecurity, illustration

Credit: Gary Neill

The thousands of serious cyber attacks occurring daily highlight the critical need for a workforce with the requisite skillset and of sufficient size to meet growing and increasingly complex demands. Yet despite significant investments in the development of the cybersecurity workforce from governments across the globe, the U.S. and many other nations lack a sufficient supply of well-trained cybersecurity professionals. It is often argued that this workforce shortage, and the consequent openness to attack, is a pressing security threat facing the U.S.1


Despite descriptions of the cybersecurity workforce as a "profession"—meaning a single occupational category—it is not.


Professionalization—activities such as certification, licensure, and skill-based competency exams—has been advanced as a strategy for creating a workforce capable of addressing the growing cybersecurity threat. To explore this argument, the U.S. Department of Homeland Security sponsored a National Research Council committee, which we led. What follows are insights largely drawing on the study and although the impetus for asking the question at this moment came from the U.S. government, the issues and analysis would have general applicability. Our key question was: What is the role that professionalization might play in enhancing the capacity and capability of the U.S. national cybersecurity workforce? This question led to a complex mosaic of answers to the cybersecurity workforce issue.

Back to Top

The Cybersecurity Workforce

Despite descriptions of the cybersecurity workforce as a "profession"—meaning a single occupational category, it is not. Rather, cybersecurity is a broad field comprised of many occupations spanning the range from highly technical to the management- or policy-oriented. Some of these occupations may be ready for professionalization, while others are not. Others are yet to be defined. Still others may never be defined either because the fluidity of the roles and responsibilities change too rapidly to allow for categorization or because they are hybrid occupations that blend cybersecurity responsibilities with other, often unrelated work roles. Given the great diversity of roles, responsibilities, and contexts, the fact that professionalization measures may be warranted in a particular subfield and context should not be confused with a broad need for professionalization.

Before professionalization activities are undertaken for an occupation, the profession itself must have well-defined characteristics: stable knowledge and skill requirements, stable job roles, occupational boundaries, and career ladders.

  • Stable knowledge and skill requirements: The occupation should have a stable (but not necessarily static) common body of knowledge on which members of the profession can be judged to a generally agreed upon standard. This does not imply, however, that the occupation is static; even within a rapidly evolving profession, core knowledge elements that remain stable can be identified.
  • Stable roles and responsibilities and occupational boundaries that distinguish the profession from others.
  • Well-defined career ladders that are linked to professionalization mechanisms.
  • Agreed-upon ethical standards to which members of the profession will be held and a mechanism for removing noncompliant individuals from the professional ranks.

The fact that the current cybersecurity workforce is a field of multiple occupations highlights a significant problem with current approaches to professionalization. Realistically, such professionalization can only be undertaken for specific occupations within the field, but not for the field as a whole.

Back to Top

Professionalization

Professionalization is the process by which an occupation (or an individual who works within that occupation) is transformed through education, training, and other activities into a professional. Each occupation must exhibit some set of well-defined characteristics before professionalization activities commence. Not all of these characteristics or standards must be met, but the level of occupational readiness for professionalization is higher when more of them are. Readiness for professionalization, however, does not imply the occupation should be professionalized, nor does it identify the appropriate professionalization mechanism. It simply means the occupation could be professionalized if circumstances warrant the activity. At this point, the question becomes what are the deficiencies within the occupation that could be alleviated through professionalization.

The process of professionalization is initiated based on some deficiency in the occupational workforce—a lack of public trust, questionable skill or performance, weak behavioral or ethical standards, low status, noncompliance with regulatory or legal requirements, ill-defined career pathways, or unregulated labor supply (when a steady flow of workers is desired or necessary). But as has been stated, the cybersecurity workforce challenge is one of capacity and capability. This statement, though compelling, is not sufficient to initiate professionalization activities.


Before professionalization activities are undertaken for an occupation, the profession itself must have well-defined characteristics.


Rather, we must unbundle this statement and ask difficult questions about the precise nature of the need. If the workforce need is for more accountability in the maintenance of hands-on skillsets within a particular occupation, then the professionalization mechanism should be focused on continuing education requirements and skill-based testing. If, on the other hand, the nature of the workforce challenge is related to troubling examples of ethical lapses, then professionalization activities should focus on some type of compliance mechanisms from a formal authority. The alignment of professionalization strategies with specific workforce challenges is necessary to ensure the deficiency is, in fact, addressed. It is also critical to ensuring the possible negative consequences of professionalization do not outweigh the good.

Back to Top

Trade-Offs of Professionalization

Even when the professionalization activity is aligned with the occupational deficiency, it will have associated trade-offs. These costs and benefits should be considered before embarking on a professionalization activity.

Do the benefits of a given professionalization mechanism outweigh the potential supply restrictions resulting from the additional barriers to entry? Professionalization can serve as a magnet that attracts people to the occupation, as a funnel that restricts the supply of people entering the occupation, or as a sieve that filters people out of the occupation based on increased requirements.

  • The Magnet: Professionalization may increase the supply over time as it helps increase awareness and desirability of that profession, and thus increases the number of individuals who consider cybersecurity as a career. By helping define roles and career paths, it can also help workers identify suitable jobs and help employers identify suitable workers. Specialization and stratification may also help address supply issues, much as the introduction of nurse practitioners and physical assistants expanded the workforce providing primary medical care.
  • The Funnel: No one would argue against restricting the supply of unqualified individuals in a workforce. Certainly, professionalization mechanisms that address the capability of the workforce should be in place if capability is a concern. However, overly narrow professionalization or mismatched mechanisms may unnecessarily filter out qualified workers whose skills are needed. For example, the requirement for entry-level, technical employees to hold a bachelor's degree when an associate's degree and passing a skill-based exam may be more appropriate unnecessarily restricts the flow of qualified workers.
  • The Sieve: The sieve function is of particular concern in cybersecurity where many members of the workforce function in hybrid positions and are subject to professionalization requirements in those other roles. Consider, for example, the healthcare professional who has added cybersecurity responsibilities to her portfolio and must meet a double set of requirements. If the professionalization requirement is necessary to determine or verify skill requirements then it may be appropriate. If, on the other hand, the requirement has been implemented without regard to remedying a specific deficiency, then it may unnecessarily burden and ultimately encourage the departure of the individual from the workforce.

Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job? Certificates and certifications may provide useful tools for vetting job candidates, but overreliance on them may screen out some of the most talented and suitable individuals. This is particularly true in cybersecurity today, where some of the most effective workers develop their skillsets through informal methods (for example, self-taught hackers). Organizations that do not already have a sophisticated cybersecurity workforce may place a greater value on professionalization measures because they make it easier for them to identify qualified workers. However, at a time when few think the cybersecurity situation is improving, and where "sideways" thinking may be at a premium, creativity and innovation may be lost with overly rigid screening. Moreover, given the fluid and changing nature of cybersecurity work, the knowledge, skills, and abilities actually needed in a particular job can change, and workers' roles and responsibilities can also shift rapidly.

Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out of date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)? It takes time to reach consensus on the standards needed to establish a curriculum or certification, and it can be difficult to reach convergence, given the rate of change in underlying technologies and the rapid pace at which the context and threat evolves. Following receipt of a degree or certification, workers may stop developing their skills and knowledge. Strategies for addressing these challenges, including focusing assessments as much as possible on fundamental concepts, segmenting a field (where possible) into sufficiently narrow specialty roles, adopting more nimble processes for updating content, and requiring continuing education and periodic recertification to refresh requirements.

These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may, thus, be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.

Back to Top

Conclusion

Continued attention to the capacity and capability of the cybersecurity workforce is needed. Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. But blanket professionalization strategies will hinder efforts to build a national cybersecurity workforce of sufficient size, scope, and ability to meet the demands of the rapidly evolving field. The criteria set forth in the National Research Council Professionalization of the Nation's Cybersecurity Workforce? report2 can be used by decision-makers to judge when that time has come.

Activities by the U.S. federal government and other entities to professionalize cybersecurity should be undertaken only when the occupations and specific occupational characteristics have been defined, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits of those activities outweigh the costs. When stakeholders believe those conditions have been met, we suggest they convene subject matter experts to outline a professionalization strategy—including timeline, process, and other implementation details.


Continued attention to the capacity and capability of the cybersecurity workforce is needed.


This process will take time. But the path to professionalization of a field is slow and difficult, and not all portions of a field can or should be professionalized at the same time. Until that time, our work to develop a national cybersecurity workforce of sufficient capacity and capability should move away from overly broad generalizations based on anecdotal evidence and context-specific challenges, toward a set of targeted activities that meet identified and specific occupational workforce deficiencies.

Back to Top

References

1. Homeland Security Advisory Council. Cyber Skills Task Force Report. Department of Homeland Security, Washington, D.C., 2012.

2. National Research Council. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. The National Academies Press, Washington, D.C., 2013.

Back to Top

Authors

Diana L. Burley ([email protected]) is an associate professor of Human and Organizational Learning in the Graduate School of Education and Human Development at George Washington University.

Jon Eisenberg ([email protected]) is the director of the Computer Science and Telecommunications Board at the National Research Council in Washington, D.C.

Seymour (Sy) E. Goodman ([email protected]) is a professor of International Affairs and Computing, jointly at the Sam Nunn School of International Affairs and the College of Computing at the Georgia Institute of Technology.

Back to Top

Footnotes

The views expressed in this Viewpoint are those of the authors and do not necessarily reflect those of the National Research Council, the Committee on Professionalizing the Nation's Cybersecurity Workforce, which wrote the report, or the U.S. Department of Homeland Security, which sponsored the study.


Copyright held by Author/Owner(s).

The Digital Library is published by the Association for Computing Machinery. Copyright © 2014 ACM, Inc.


 

No entries found