Cybersecurity should be seen as an occupation, not a profession, report says
National Academy of Sciences says field is too young, full of change
By Steve Ragan , Staff Writer
September 26, 2013 — A panel from the National Academy of Sciences, commissioned by the U.S. Department of Homeland Security, says that cybersecurity should be seen as an occupation and not a profession.
After being commissioned by the U.S. Department of Homeland Security, a panel from the National Academy of Sciences reported that the cybersecurity field is too young, and the technologies, threats, and actions taken to counter them change too rapidly, for professionalization to be considered. Thus, cybersecurity is an occupation and not a profession.
For some organizations, making cybersecurity a profession may provide a useful degree of quality control, the report says, but at the same time, professionalization also imposes barriers, which would prevent talented workers from entering the field at a time when "demand for cybersecurity workers exceeds supply."
Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification, have their disadvantages too.
For example, formal education or certification could be helpful to employers looking to evaluate the skills and knowledge of a given applicant, but it takes time to develop curriculum and reach a consensus on what core knowledge and skills should be assessed in order to award any such certification. For direct examples of such a quandary, InfoSec needs only to look at the existing certification programs, and the criticisms directed that certifications such as the CISSP and C|EH.
Once a certification is issued, the previously mentioned barriers start to emerge. The standards used to award certifications will run the risk of becoming obsolete. Furthermore, workers may not have incentives to update their skills in order to remain current. Again, this issue is seen in the industry today, as some professionals chose to let their certifications lapse rather than renew them or try and collect the required CPE credits.
But the largest barrier that some of the most talented individuals in cybersecurity are self-taught. So the requirement of formal education or training may, as mentioned, deter potential employees from entering the field at a time when they are needed the most. So while professionalization may be a useful tool in some circumstances, the report notes, it shouldn't be used as a proxy for "better."
"It would be very hard to professionalize the field of cybersecurity. The complexities are such that the subject matter experts in any particular security field are not necessarily individuals that have passed exams certifying their level of knowledge or competence, but rather independent thinkers that have pieced together solutions, programs, and assessments from years of hands-on experience and analysis of event details," Sarah Isaacs, CEO of Conventus, an IT Security consultancy, told CSO.