“We must educate and develop the cyber-workforce” is a constant refrain among government officials. But professionalizing that workforce should wait, according to a new study.
The Department of Homeland Security sponsored a study to examine whether the cybersecurity workforce could — and should — be professionalized. Like the legal or medical fields, professionalization involves formal training, education, performance testing and other quality standards. But the cyber-workforce is just “too broad and diverse to be treated as a single profession,” concluded the study, conducted jointly by the National Academies.
“Many aspects of the cybersecurity field are changing rapidly, from new technologies to the types of threats we face to the ways offensive and defensive measures are carried out,” said Diana Burley, co-chair of the committee that wrote the report and associate professor of human and organizational learning at George Washington University.
The government is heavily investing in the cyber-workforce, seen as the crew that will ensure the country’s military and financial security in a globally connected landscape. It makes sense. Cybersecurity touches every corner of cyberspace — computers, the Internet, telecommunications, servers, routers — and is a vital to the economy, society and national security.
But it’s exactly this ubiquity that makes defining cybersecurity as a specific profession near impossible. And while the underlying principles of cybersecurity remain steady, the technology those principles are mapped onto changes constantly.
Which means the cybersecurity workforce is sprawling and ill-defined. There are 300,000 “information security analysts,” according to the Bureau of Labor Statistics, but that’s not an all-encompassing number. Considered most broadly, nearly every organization has someone involved in making IT and cybersecurity purchasing decisions. That’s at least 6 million businesses and 90,000 local government and public school systems with at least one cybersecurity person, not to mention the 200,000-plus federal employees involved in such tasks. Professionalizing such a disparate group is not only daunting, but a potential hindrance to developing the cyber-workforce.
“Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size and flexibility to meet the needs of this dynamic environment,” Burley said.
There is such an outsized demand for cybersecurity workers that the barriers to entry created by formalized education, degrees and certificates outweigh the benefits — ease in identifying qualified candidates, ease in regulatory compliance, existence of a code of ethics and public trust in the profession. In the formative era of cybersecurity, standardized education can “discourage out-of-the-box thinking and narrow the pipeline of potential workers,” according to a release about the study.
Which is not to say certain cybersecurity occupations don’t require specialized knowledge. They just “have not yet sufficiently crystallized into specific professions,” the study says.
Gradually, though, this crystallization will occur. The government needs to watch for two characteristics to determine when a specific job is ready for professionalization. First, the job must have well-defined characteristics: a stable knowledge set and skill requirements, a clear career ladder and an established ethical standard. Second, there should be evidence of deficiencies in the existing workforce: skill deficiencies or accountability and legitimacy concerns.
Only then should the federal government get involved. How long that will take is another question completely.