Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making (2013)

1

Cybersecurity, the Cybersecurity Workforce, and Its Development and Professionalization

CYBERSECURITY

Cyberspace comprises myriad interconnected computers, cyber-physical systems, and telecommunications networks—including the Internet and the systems attached to it—that have become integral to our economy, society, and national security. These include servers, routers, and other infrastructure; desktops, laptops, and mobile computing devices; and the many other devices that incorporate computing and networking functionality. Cybersecurity involves the articulation and enforcement of security policies for information and communications systems and the implementation of associated technical solutions, mechanisms, and programs. These policies protect various desirable attributes of a system—for example, confidentiality, possession or control, integrity, authenticity, availability, and utility.¹ Privacy is closely associated with security; for example, confidentiality is required to protect information from unwanted disclosure. Cybersecurity is also required for safety when misuse of information and communications systems has the potential to cause harm.

The nation’s cybersecurity challenge stems from actions taken by a wide array of actors—including individuals, insiders, criminal organizations, transnational nonstate actors, and nation-states—to compromise computing and communications systems and the organizations

_____________

¹ This particular framework comes from D.B. Parker, Fighting Computer Crime, John Wiley & Sons, New York, N.Y., 1998.

that depend on these systems. Indeed, the whole field of cybersecurity would not exist without these adversaries.² This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels. The overall sense is that the threat is evolving and growing.³ Because attackers target organizations and individuals as well as machines and networks, protecting cyberspace also means ensuring that the components are securely operated, and thus cybersecurity involves human and behavioral factors.

Although many of the fundamental cybersecurity challenges have endured over time, the underlying information and communications technologies and their applications continue to change rapidly. For example, recent years have seen the rapid adoption of smart phones and tablets by consumers and employers and the associated phenomenon of “bring your own device,” which has rapidly infused mobile devices into the workplace. Both developments have provided organizations with new capabilities that introduce at the same time new cybersecurity risks. Cybersecurity threats also continue to evolve as the interests of active human adversaries change, as their capabilities grow, and as the techniques they employ change. The response to the cybersecurity threat has also shifted from one that was entirely, or at least primarily, defensive in nature to one that also includes more active activities, even as defensive activities continue to dominate. In the national security arena, the United States has made public its plans to strengthen its offensive cyber operations capabilities and workforce.

Although the prevailing sense is that the state of the nation’s cybersecurity is not getting better (and indeed many argue that it is getting worse), it is actually difficult to measure how “cyber secure” a system, organization, or nation may be.⁴ Consider, for example, that the security of a system generally reflects not only how well that system was constructed, but also how it is configured, the organizational policies and practices that govern its operation, the degree to which organizational members follow these policies, and the capabilities and interests of potential adversaries.⁵ Moreover, organizations have different definitions of security (i.e., different security policies), so a system that is “secure” for

_____________

² Although dependability and other trustworthiness issues would remain.

³ See, e.g., National Research Council, Toward a Safer and More Secure Cyberspace, The National Academies Press, Washington, D.C., 2007. The following provides a similar assessment of the situation facing the federal government: see U.S. Government Accountability Office, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, GAO-13-187, Washington, D.C., February 2013.

⁴ See, e.g., National Research Council, Toward a Safer and More Secure Cyberspace,2007, pp. 2 and 133.

⁵ National Research Council, Toward a Safer and More Secure Cyberspace, 2007, pp. 133-135.

one use or one organization may not be secure for other uses or organizations. All of this makes it challenging to accurately assess workforce requirements, make workforce investment decisions, or measure the contributions or performance of the cybersecurity workforce.

The effort to establish a safer and more secure cyberspace will require improvements in many areas, including a cybersecurity workforce that has the capacity and capability to do the job; better tools and techniques that enhance the efficiency and effectiveness of cybersecurity workers; better tools and approaches for risk identification and assessment; better systems design; better systems-development practices; greater incentives to encourage the deployment of better cybersecurity technologies and practices; better practices and techniques for dealing with the supply chain for components and services; improvements in end-user behavior through training; and organizational, industry, national, and international measures to deter bad actors. This report focuses on one of these areas: building a cybersecurity workforce with enough cybersecurity workers of the right types (capacity) with the right knowledge, skills, and abilities (capability) and the improvements that might come from professionalization.

NEED, DEMAND, AND SUPPLY

The size of the cybersecurity workforce is difficult to measure because it spans many job roles that often have different and overlapping titles in different organizations. Some sense of the magnitude of this workforce can be obtained from Bureau of Labor Statistics reports, which show employment at just over 300,000 for the occupation “information security analysts,” a category that does not encompass all cybersecurity workers and may include some workers who are not cybersecurity workers.⁶ Another indication was provided by the size of the target population for a recent workforce survey by the Department of Homeland Security (DHS) and the Federal Chief Information Officer Council that was sent to more than 200,000 federal civilian employees from 82 agencies.⁷ Some sense of the total cybersecurity-related workforce, construed broadly, can be obtained by considering the number of organizations that must undertake some measures to protect their cybersecurity. There are, for example, roughly

_____________

⁶ National Center for O*NET Development, Bureau of Labor Statistics, O*Net Online Summary Report for 15-1122.00—Information Security Analysts, 2010, available at http://www.onetonline.org/link/summary/15-1122.00.

⁷ National Initiative for Cybersecurity Education, Department of Homeland Security and Federal CIO Council, 2012 Information Technology Workforce Assessment for Cybersecurity Summary Report, Washington, D.C., 2013.

6 million businesses with a payroll (and many more without)⁸ and nearly 90,000 local governments and public school systems⁹ in the United States. Not all necessarily have full-time cybersecurity workers, but all must have someone responsible for that organization’s cybersecurity, at least to make decisions about which information technology and cybersecurity products and services to acquire.

In considering the role of professionalization in building a cybersecurity workforce with sufficient capacity and capability, it is useful to distinguish need, demand, and supply. Need is the number (and skill mix) of cybersecurity workers required to provide satisfactory cybersecurity (a judgment that will vary according to who makes the assessment). Demand is expressed by the desired capabilities stated in job descriptions, the number of such positions that are created and filled, and the salaries offered to those who have those abilities. Demand will fall short of national or societal need to the extent that cybersecurity is a public good— that is, organizations will invest to meet their own requirements but not necessarily to achieve society’s desirable overall requirements. Demand can also fall short of an organization’s own needs if (1) the organization lacks the required resources or (2) an organization underestimates the threats it faces and thus underinvests in meeting its own needs. Supply is the number of available qualified¹⁰ workers willing to fill positions and is a function of the visibility and attractiveness of cybersecurity occupations, the availability of appropriate training and education, and (as in all fields) the overall labor market in which potential workers respond to salary and other signals about demand.

As discussed below, professionalization mechanisms can both stimulate supply, by making a field more attractive, and dampen supply, by creating barriers to entry. They can make it easier for employers to meet their needs, by making it easier to identify suitable candidates, but they can also inhibit the flexibility needed as job requirements change or where job responsibilities are necessarily broad and fluid.

It would be helpful in assessing the role and effects of professionalization to have a handle on the current supply of cybersecurity workers. Unfortunately, it is notoriously difficult to assess labor supply and demand to determine whether or not there is a shortage. For example, employers in a particular sector may complain that they cannot find enough qualified individuals, even as workers in that sector complain that there are

_____________

⁸ U.S. Census Bureau, Statistics about Business Size, 2007, available at http://www.census.gov/econ/smallbus.html.

⁹ U.S. Census Bureau, Local Government and Public School Systems by Type and State, 2007, available at http://www.census.gov/govs/cog/GovOrgTab03ss.html.

¹⁰ Without ways of assessing quality, the supply will, of course, include available but unqualified individuals, especially if demand greatly exceeds supply.

not enough open positions. This can happen when employers seek talent with very particular skill requirements and balk at training or retraining potential hires. Rapid turnover, which is common in fast-moving high-tech fields, can also exacerbate perceived shortages, even when there are enough qualified workers in the labor pool. Another complication in measuring supply and demand is that the job categories used in the collection of statistics by the Department of Labor are not always well aligned with the occupation of interest. For example, as noted above, the “information security analysts” category does not necessarily include everyone who is a cybersecurity worker, and there may be cybersecurity workers who do not neatly fit into a single category.

The national origin of cybersecurity workers also affects supply. Firms without global reach must either rely on workers within the U.S. workforce or work within a complex system for hiring foreign workers. By contrast, firms with global operations are able to seek talent wherever it exists across the globe and move at least some cybersecurity work to where they find it. Firms of all sizes can outsource some or all of their cybersecurity work, and some of this may also be performed offshore. U.S. citizenship is generally required for federal government cybersecurity positions, and security clearance requirements for national security-related jobs further restrict the pool of candidates to U.S. citizens.

ROLES, RESPONSIBILITIES, AND CONTEXTS FOR CYBERSECURITY WORK

The cybersecurity workforce is quite diverse, encompassing a wide variety of roles and responsibilities, each involving an array of different skills and abilities. It includes workers in the private and nonprofit sector, military, and civilian government.

The diverse mix of skills in the cybersecurity workforce reflects the complex nature of cybersecurity. Some of the cybersecurity problem is technical (i.e., drawing on computer science techniques and skills), but given that cybersecurity is inherently concerned with human adversaries and the behaviors of those in the organizations that they target, behavioral and management aspects are also critical.

Effective response to an attack involves understanding and anticipating the actions of an attacker. As a result, in some jobs, an adversarial mindset and approach may be as important as the aggregation of particular technical skills in roles that involve detecting, tracking, or responding to an attack. Workshop participants noted that some of the most talented individuals in this context today are people who lack formal education, training, or certification—and that these individuals may be unwilling to pursue any of these to meet a hiring requirement. Indeed, it

was clear from presentations and discussion at the workshops that such “self-taught” experts play key roles in some organizations.

Moreover, security capabilities are hard for end users, administrators, and developers to understand, making it all too easy to use, operate, or construct systems that are inadvertently insecure. Insights on how to address usability often come from the disciplines of human-computer interaction and psychology.¹¹ Behavioral expertise is relevant in efforts to detect and deter potential insider threats. Because failures to adopt, deploy, or use adequate cybersecurity measures often stem from insufficient incentives, the disciplines of economics, anthropology, and psychology are also relevant for cybersecurity.¹²

Given that many aspects of cybersecurity involve highly technical matters, it is often not appreciated that “soft skills” are also important, much as they are in other technical fields. These skills include the ability to work in teams and facility with oral and written communication. Response to an incident may require coordinating activities across multiple organizational elements or job functions and may involve interactions with vendors, security consultants, law enforcement, or other outside actors. Given the dynamic nature of the information technology substrate and threat environment, the ability to continue to learn is also important. All of these traits are at a particular premium in the often complex response to “advanced persistent threats,” where adversaries possess sophisticated levels of expertise and significant resources that allow them to pursue their objectives through multiple attack vectors. Organizations confronting cybersecurity threats increasingly find themselves conducting what has been dubbed “cyber intelligence” in addition to more traditional cybersecurity activities.¹³

The organizational context in which the cybersecurity workforce is employed is also diverse. For example, the cybersecurity capabilities of employers vary considerably and include the following:

• Employers with large, specialized cybersecurity operations that have built up a cadre of highly skilled, extensively trained specialists who work together on the most complex cybersecurity problems. Such organizations are characterized by willingness and ability to make the necessary invest-

_____________

¹¹ National Research Council, Toward Better Usability, Security, and Privacy of Information Technology: Report of a Workshop, The National Academies Press, Washington, D.C., 2010.

¹² Ross Anderson and Tyler Moore, Information security: Where computer science, economics and psychology meet, Philosophical Transactions of the Royal Society A: Mathematical, Physical and Engineering Sciences 367(1898):2717-2727, 2009; ibid.

¹³ Troy Townsend et al. Emerging Technology Center Report: Cyber Intelligence Tradecraft Project Summary of Key Findings, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pa., 2013.

ments and by having management with sufficient savvy to identify and recruit high-caliber talent.

• Employers with mixed cybersecurity groups that employ more than one security specialist, typically led by a manager who is knowledgeable but not necessarily expert in the field.

• Employers with distributed cybersecurity functions, in which cybersecurity is the responsibility of a general information technology (IT) worker or manager as part of a broader IT job, typically performed in contexts where managers have little specialized knowledge or understanding of cybersecurity.

In the first case, organizations with global reach may send work offshore to wherever expertise can be found within the enterprise. In the second two cases, organizations will rely, at least in part, on outsourced work to obtain the necessary expertise, and some of this work may be offshored by the firm providing the security services.

As is true in many fields, there are varying approaches to how work is divided between the cybersecurity workforce and the broader workforce, because the lines between cybersecurity and other roles are blurry, reflecting overlaps in both expertise and responsibility. For example, when a change is made to address a cybersecurity problem, someone designated as having cybersecurity responsibilities may recommend a configuration change that is, in turn, implemented by a network engineer who is not designated as a cybersecurity employee. Also, high-level decisions about investment in cybersecurity may be made by individuals who have risk management responsibilities that extend well beyond cybersecurity. Another example is privacy, where issues, technical approaches, and job responsibilities often overlap with cybersecurity.

Because attacks can cross international borders, cybersecurity work sometimes has an international dimension. Cybersecurity work may involve coordinating activities in multiple countries and thus require the ability to work with international counterparts from both the private sector and other governments and the knowledge and skills to properly comply with rules and policies that can differ by jurisdiction. For example, cybersecurity work sometimes involves use of sensitive information about vulnerabilities and responses.

In short, cybersecurity work encompasses a wide range of roles and contexts, and there are many different ways to classify cybersecurity work. Some workshop participants commented that agreement on a common framework would be helpful in understanding and developing the cybersecurity workforce, and this view prompted the commissioning of such a framework under the National Initiative for Cybersecurity Education (NICE). Issued by the National Institute for Standards and Technol-

ogy, the recently released NICE framework divides cybersecurity roles into high-level areas of specialization, each of which contains multiple subspecialties.¹⁴ Today, this framework is being referenced as part of workforce development efforts in parts of the federal government and, to a lesser extent, in the private sector. Some workshop participants cited the framework as a helpful or much needed development; others observed that it did not seem relevant, given how they currently thought about the structure of their organization’s workforce.

FACTORS AFFECTING FUTURE CYBERSECURITY WORKFORCE NEEDS

It is even more difficult to assess future need, demand, and supply for cybersecurity (or information technology more broadly). There are many indications today that demand will continue to be high. For example, the Bureau of Labor Statistics estimates a faster-than-average growth rate in employment for the decade 2010 to 2020 of “information security analysts,” a labor category that represents a significant subset of the cybersecurity workforce.¹⁵ In a 2012 survey of information security professionals, more than half reported that their organizations had too few information security workers.¹⁶

There are a number of factors that could increase or decrease the needed capacity in particular areas or affect the needed workforce capabilities, including the following:

• How the cybersecurity challenge will evolve as new technologies and threats emerge and old threats evolve, and what the resulting workforce requirements will be. At least historically, new technologies have been deployed without sufficient attention to the security implications, and bad actors have found ways to exploit the resulting vulnerabilities. Familiar examples include the introduction of networked personal computers into the workplace and widespread adoption of the Internet for mission-critical activities.

• What the key skills and best practices will be in cybersecurity, and what the content of curricula should be, because the ability to build more secure

_____________

¹⁴ National Institute for Standards and Technology, U.S. Department of Commerce, National Cybersecurity Workforce Framework, Washington, D.C., 2013.

¹⁵ National Center for O*NET Development, Bureau of Labor Statistics, O*Net Online Summary Report for 15-1122.00—Information Security Analysts, 2013, available at http://www.onetonline.org/link/summary/15-1122.00.

¹⁶ Michael Suby, The 2013 (ISC)² Global Information Security Workforce Study, Frost and Sullivan, Mountain View, Calif., 2013.

systems lags what is needed, and knowledge about how to protect, defend, and repair computer systems continues to grow.

• How advances on various fronts might affect the mix of needed capacity and capability. For example, better software design and development from a security perspective would result in fewer vulnerabilities to be exploited (and thus potentially require fewer people to detect, patch, and respond), better tools and techniques for cybersecurity might reduce the number of workers needed in certain roles and change the skills needed for others, more robust law enforcement action might reduce the incidence of certain forms of cybercrime, better training and understanding of security among system administrators would enable them to better “harden” systems, and better training of the workers that operate systems would help them avoid actions that undermine security. In the case of better tools and techniques that enhance productivity, it is possible that demand for workers might shift to higher-end positions, because fewer workers would be needed to carry out functions that are partly or fully automated. Emerging technologies like cloud services could enhance security by reducing the burden on individual organizations, but it could also introduce new risks by changing the boundary of an organization’s information systems.

• How the policy environment for cybersecurity will change. For example, if new cybersecurity or privacy regulations were introduced, organizations would need to increase their workforce to comply with the new requirements and document and report on compliance.

• How cybersecurity will be provided in the future, especially in smaller organizations. Already, many organizations turn to vendors to supply various cybersecurity tools and services, and there are models in which cybersecurity work can be outsourced to service providers. For example, Internet service providers increasingly offer a range of security services for their customers. In the increasingly popular software-as-a-service model, vendors generally take responsibility for configuration, monitoring, and response. Such shifts of duties may reduce the number or change the mix of cybersecurity workers needed by organizations. On the other hand, every organization that uses IT will need people who can take responsibility for the organization’s cybersecurity, at a minimum being able to select vendors that can provide the required levels of assurance. Future trends in offshoring security work will also affect the demand for U.S. cybersecurity workers.