Conclusions, Recommendation, and Criteria for Professionalization of Cybersecurity
This report considers the role that professionalization might play in ensuring that the United States has enough cybersecurity workers (capacity) and that it has a workforce with the right knowledge, skills, and abilities (capability). These issues arise at a critical juncture, when there is growing recognition that the cybersecurity threat is serious and pervasive. Where and how professionalization would contribute to, or possibly diminish, the capacity and capability of the national workforce to provide cybersecurity are questions that do not have a simple or single answer.
CAPACITY AND CAPABILITY OF THE CYBERSECURITY WORKFORCE
Conclusion 1. More attention to both the capacity and capability of the U.S. cybersecurity workforce is needed.
Even large organizations with top talent and significant resources devoted to cybersecurity have suffered major cybersecurity compromises, and organizations that do not have such levels of talent or resources face even greater challenges. More highly skilled workers in cybersecurity roles would help the nation respond more robustly to the cybersecurity problems it faces. All organizations need to understand their threat environment and the risks they face, address their cybersecurity problems, and hire the most appropriate people to do that work.
Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.
There are many indications today that demand for cybersecurity workers will continue to be high, but it is notoriously difficult to measure or forecast labor supply and demand for any field, especially one that is as dynamic and fast moving as cybersecurity. Moreover, there are several factors that may affect future need. These include the following:
• How the cybersecurity challenge will evolve as technologies and threats evolve, and how this may alter workforce capability and capacity requirements.
• How advances—such as better-quality, more-secure software; more productive cybersecurity tools; better training of the workers that operate and manage IT systems; or more robust law enforcement—might change the number of workers needed in certain roles and change the skills needed for others.
• How much responsibility for cybersecurity might shift from organizations at large to more specialist information technology (IT) or cybersecurity firms, which may reduce the number or change the mix of cybersecurity workers needed by organizations.
CYBERSECURITY WORK AND THE CYBERSECURITY WORKFORCE
Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.
Cybersecurity is a field that encompasses more than one kind of work and more than one occupation or profession. Some kinds of workers may come to be considered as professionals, but the committee believes that the field may also include a range of personnel and functions that are best not considered as professionals, much as many other fields contain both professionals and other workers who are not formally professionalized, including some who are designated as paraprofessionals. For example, there are today large numbers of people within organizations who have responsibility for cybersecurity functions, such as frontline IT support staff, for whom there may not be any formal education or accreditation requirements. The organizational context for cybersecurity work is
diverse, ranging from firms that have highly proficient cybersecurity groups to ones where cybersecurity is one of the responsibilities of general IT groups. There are also varying approaches to how work is divided between the cybersecurity workforce and the broader IT workforce— some cybersecurity positions are clearly hybrid in nature, blending cybersecurity roles with other roles in IT, management, or law enforcement.
The committee heard a wide range of opinions regarding the contexts in which professionalization would or would not be appropriate. The committee noted only one case where there is a compelling and widely agreed-on case for professionalization today. In digital forensics, where the results are to be used in a legal proceeding, the work is comparatively narrowly defined by procedures and law, the relevant domain of expertise appears to be sufficiently narrow, and the appropriate professionalization mechanism is clear (certification with periodic recertification reflecting advances in acceptable forensic techniques and practices). Even in this case, however, the committee learned that not all agencies that employ digital forensics examiners currently favor external certification.
Given the great diversity of roles, responsibilities, and contexts, the fact that professionalization measures may be warranted in a particular subfield and context should not be confused with a broad need for professionalization. Those organizations that find professionalization helpful can certainly insist on some form of certification or other professionalization measure for the workers they hire, and a number of organizations inside and outside government do so today. Other organizations, having given this serious thought, may find other ways to optimize and customize their hiring and cybersecurity workforce composition to best meet their specific needs.
Professionalizing by roles, which are the building blocks of professional categories, would be at too low a level. At the same time, it would be a mistake to attempt to professionalize at too high a level—for example, by identifying a single set of professional requirements for multiple, distinct occupations (with different knowledge requirements) within a broad field.
Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.
For example:
• Attackers target organizations and individuals as well as machines and networks, so cybersecurity is inherently concerned with human adversaries and behaviors of those in the organizations they target. Pro-
tecting cyberspace thus involves human, behavioral, psychological, and economic factors and management expertise as well as technical skills and knowledge.
• Cybersecurity is a function of organizational policies and process as well as technologies. As a result, people are needed who understand the organizational context—mission requirements, business processes, and organizational culture.
• Cybersecurity work often involves teamwork and collaboration across organizational boundaries. Soft skills, which include the ability to work in teams and facility with oral and written communication, are essential in many roles.
As a result, education, training, and workforce development activities that focus too much on narrow technical knowledge and skills may discourage participation by people with much-needed nontechnical knowledge and skills, may overly concentrate attention and resources on building technical capability and capacity, and may discourage technically proficient people from developing nontechnical skills. The result would fall short of delivering the workforce the nation requires.
Conclusion 5. Professionalization has multiple goals and can occur through multiple mechanisms.
“Professionalization” describes the social process by which an occupation becomes a profession. Its goals include establishing quality standards, enhancing public trust and confidence, and establishing and standardizing job roles and pathways. The movement toward the professionalization of an occupation has multiple goals and can occur through multiple mechanisms. Members of a nascent profession may seek to establish a monopoly or otherwise regulate the supply of labor to advance their interests. An additional and often unstated but important goal is to establish a shared set of values, ethos, standards of conduct, culture, and mindset for a profession. Another frequently unstated goal is to facilitate compliance with contractual or other requirements.
Professional status for an individual is generally associated with the following mechanisms: (1) passing a knowledge and/or performance test, (2) completion of a course of study on the intellectual basis of the profession, (3) a sustained period of mentored experience/apprenticeship, (4) continuing education, (5) licensing by a formal authority, and (6) ethical standards of behavior with enforcement. A field in which all of these
mechanisms are used will almost certainly be recognized as a profession, but not all are required for a field to be recognized as a profession.
The committee made several observations regarding the role and application of several of these mechanisms:
• Codes of conduct or ethics define the norms of behavior for a profession. Although the adoption of such codes is generally a positive step with few drawbacks, it does raise two possible concerns in the context of cybersecurity. One issue is how the codes relate to actions taken in roles that involve offensive operations or active defensive measures (where legitimate activities might run afoul of overly narrowly drawn standards). The other is how the codes might (in the short run) affect the hiring of “black hats” (those who have violated computer security laws or rules in the past but may be a valuable source of talent in protecting computer security) for “white hat” jobs.1
• Certificates and certification are ways to demonstrate not only an individual’s competence in a well-defined area of cybersecurity, but also an individual’s interest and commitment. They may provide a useful complement or supplement to academic degrees in establishing knowledge and commitment. Views of certificates and certifications vary with respect to individual careers or workplaces: some see them as valuable, while others omit them from resumes because they believe they may diminish, not enhance, some employers’ perception of their technical credentials. The content of education and training programs can also be certified to have met an external standard.
• Licensure involves a government restriction on practice without a license, generally for reasons involving public safety or trust. The sense of the committee is that it is too early for licensure in cybersecurity, at least broadly, because today’s engineering practices for cybersecurity fall short of highly reliable methodologies found in some other areas of engineering where licensing has been applied. Licensure may have some utility in the future as the underlying science and engineering practice improves.
Conclusion 6. The path toward professionalization of a field can be slow and difficult, and not all portions of a field can or should be professionalized at the same time.
There has, for example, been a multi-decade discussion about the professionalization of software developers, with no consensus as yet reached
_____________
1 There are other contexts, such as law enforcement and the military, where a careful distinction must be made between actions that may be duty in one context but prohibited, or even criminal, in another.
among workers, professional organizations, and employers about whether or how to professionalize. Even 100 years after the Flexner report,2 which spurred education reforms and greater professionalization of medical practice, the medical profession continues to debate how best to instill new doctors with the requisite knowledge and skills. The professionalization of other fields, such as law and aviation, has also evolved over the course of many decades. Where professionalization does occur, it will take time, as consensus is developed, professional associations emerge or evolve, and professionalization mechanisms achieve recognition by employers and government.
Conclusion 7. Professionalization has associated costs and benefits that should be weighed when making decisions to undertake professionalization activities.
Professionalization is not a proxy for “better,” but it may be a useful tool in certain circumstances. The following criteria are suggested to help identify cybersecurity specialties and circumstances where professionalization may be appropriate and to assess the potential effects of different professionalization mechanisms:
• Do the benefits of a given professionalization measure outweigh the potential supply restrictions resulting from the additional barriers to entry? Professionalization can be both a magnet (attracting people to the field) and a funnel (restricting people from entering the field). It can also act as a sieve if people who have moved from general IT occupations or other positions into cybersecurity roles are subjected to new professionalization requirements and then move out of cybersecurity. The cost and time required for certification or a degree may also narrow the pipeline of people entering the field. A corollary is that overly narrow professionalization measures may filter out workers whose skills are needed (e.g., certifications focused on technical skills that filter out needed nontechnical skills). On the other hand, professionalization may increase supply over time, as it helps increase awareness and desirability of that profession and thus increases the number of individuals who consider cybersecurity as a career. By helping define roles and career paths, it can also help workers identify suitable jobs and help employers identify suitable workers. Specialization and stratification may also help address supply issues, much as the
_____________
2 A. Flexner, Medical Education in the United States and Canada: A Report to the Carnegie Foundation for the Advancement of Teaching, Merrymount Press, Boston, Mass., 1910.
introduction of nurse practitioners and physician assistants expanded the workforce providing primary medical care.
• Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job? Certificates and certifications may provide useful tools for vetting job candidates, but overreliance on them may screen out some of the most talented and suitable individuals. This is particularly true in cybersecurity today, where some of the most effective workers develop their skillsets through informal methods (e.g., self-taught hackers). Organizations that do not already have a sophisticated cybersecurity workforce may place a greater value on professionalization measures because they make it easier for them to identify qualified workers. However, at a time when few think the cybersecurity situation is improving, and where “sideways” thinking may be at a premium, creativity and innovation may be lost with overly rigid screening. Moreover, given the fluid and changing nature of cybersecurity work, the knowledge, skills, and abilities actually needed in a particular job can change, and workers’ roles and responsibilities can also shift rapidly.
• Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out-of-date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)? It takes time to reach consensus on the standards needed to establish a curriculum or certification, and it can be difficult to reach convergence, given the rate of change in underlying technologies and the rapid pace at which the context and threat evolve. Following receipt of a degree or certification, workers may stop developing their skills and knowledge. Strategies for addressing these challenges include focusing assessments as much as possible on fundamental concepts, segmenting a field (where possible) into sufficiently narrow specialty roles, adopting more nimble processes for updating content, and requiring continuing education and periodic recertification to refresh requirements.
Recommendation. Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits outweigh the costs.
Cybersecurity is a broad field, and professionalization is something that can be undertaken for specific occupations within the field and not
the field as a whole. Before professionalization activities are undertaken for an occupation, two high-level criteria should be met:
1. The occupation has well-defined characteristics. These include the following:
• Stable knowledge and skill requirements. The occupation should have a stable (but not necessarily static) common body of knowledge on which members of the profession can be judged to a generally agreed-upon standard. This does not imply, however, that the occupation is static; even within a rapidly evolving profession, core knowledge elements that remain stable can be identified.
• Stable roles and responsibilities and occupational boundaries that distinguish the profession from others.
• Well-defined career ladders that provide links to professionalization mechanisms.
• Agreed-upon ethical standards to which members of the profession will be held.
Not all of these characteristics or standards must be met, but the level of readiness for professionalization is higher when more of them are met.
2. There is credible evidence of deficiencies in the occupational workforce. These might include skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability. Each deficiency should be separately identified. There should be a compelling argument that professionalization (and the specific proposed mechanisms) will remedy each observed deficiency. Finally, the benefits of professionalization to remedy the targeted deficiencies should outweigh the potential costs.
