National Academy of Sciences says field is too young, full of change

A panel from the National Academy of Sciences, commissioned by the U.S. Department of Homeland Security, says that cybersecurity should be seen as an occupation and not a profession.

The panel reported that the cybersecurity field is too young, and that the technologies, the threats, and the actions taken to counter them change too rapidly, for professionalization to be considered. Thus, cybersecurity is an occupation and not a profession. For some organizations, making cybersecurity a profession may provide a useful degree of quality control, the report says, but professionalization also imposes barriers that would prevent talented workers from entering the field at a time when “demand for cybersecurity workers exceeds supply.”

Sticking to the quality-control aspect of the report: professionalization, it says, has the potential to attract workers and establish long-term paths to improving the workforce overall, but measures such as standardized education or certification requirements have their disadvantages too. For example, formal education or certification could help employers evaluate the skills and knowledge of a given applicant, but it takes time to develop a curriculum and reach consensus on what core knowledge and skills should be assessed in order to award any such certification. For direct examples of this quandary, InfoSec need only look at the existing certification programs and the criticism directed at certifications such as the CISSP and C|EH.

Once a certification is issued, the previously mentioned barriers start to emerge. The standards used to award certifications run the risk of becoming obsolete. Furthermore, workers may have no incentive to update their skills in order to remain current. Again, this issue is seen in the industry today, as some professionals choose to let their certifications lapse rather than renew them or try to collect the required CPE credits. But the largest barrier is that some of the most talented individuals in cybersecurity are self-taught, so a requirement for formal education or training may, as mentioned, deter potential employees from entering the field at a time when they are needed most. So while professionalization may be a useful tool in some circumstances, the report notes, it shouldn’t be used as a proxy for “better.”

“It would be very hard to professionalize the field of cybersecurity. The complexities are such that the subject matter experts in any particular security field are not necessarily individuals that have passed exams certifying their level of knowledge or competence, but rather independent thinkers that have pieced together solutions, programs, and assessments from years of hands-on experience and analysis of event details,” Sarah Isaacs, CEO of Conventus, an IT security consultancy, told CSO. “Curriculum around cybersecurity today simply enforces a baseline knowledge of terminology, theory and protocol; where true excellence in the InfoSec community pieces each of those together with the important addition of analytical skills — the hardest part to teach and standardize.”

From there, the report goes on to point out that in some cases professionalization is the right choice, but before that can happen, certain criteria need to be met. First, a given cybersecurity occupation needs well-defined characteristics, such as a core set of knowledge and skills that remain stable even within a rapidly changing environment. Second, there needs to be evidence of occupational shortcomings that could be remedied by a professionalization measure. Such shortcomings could include skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability.

“Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment,” concluded Diana Burley, co-chair of the committee that wrote the report and associate professor of human and organizational learning at the George Washington University in Washington, D.C.