Should the cybersecurity workforce be formally professionalized, and if so, how? The National Research Council this week issued a report that examines how to professionalize a field it describes as so broad and diverse that it could be hard to even treat it as a single occupation or profession.
"Many aspects of the cybersecurity field are changing rapidly, from new technologies to the types of threats we face to the ways offensive and defensive measures are carried out," says Diana Burley, associate professor of human and organizational learning at the George Washington University and co-chair of the committee that wrote the report, entitled 'Professionalizing the Nation's Cybersecurity Workforce?' "Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment."
The group wrote that professionalization might involve prolonged training and formal education, knowledge and performance testing, or other activities that establish quality standards for the workforce.
The report suggests that "professionalization measures in the field of cybersecurity should only be undertaken for specific occupations that have well-defined and stable characteristics, when there are observable work force deficiencies that professionalization could resolve, and if the benefits of professionalization outweigh the costs."
Professionalization has the potential to attract workers and establish a long-term path to enhancing the quality of the workforce, but measures such as standardized education or requirements for certification all have associated advantages and disadvantages. The report lists a number of trade-offs that should be weighed carefully by employers, professional organizations, and governments when deciding whether and how to undertake professionalization activities, the National Research Council said.
For example, education certificates or formal certification can be helpful to employers who otherwise may find it difficult to evaluate the skills and knowledge of job applicants. But it takes time to develop common curricula and reach consensus on what core knowledge and skills should be assessed. Once a certification is issued, those standards run the risk of becoming obsolete, and workers may not have incentives to update their skills. In addition, some of the most talented individuals in cybersecurity are self-taught, and the requirement of formal education or training may deter potential employees from entering the field, the National Research Council said.
Over time, professionalization could help build a higher-quality workforce with a standardized set of specific skills and help employers identify the best candidates to meet their needs. But this should be weighed against the changing context of cybersecurity, which includes both evolving threats and fluid job responsibilities. Although some measures can help increase awareness and desirability of the profession and increase the number of individuals who consider cybersecurity as a career, they can also create additional barriers to entry that inadvertently screen out suitable candidates, discourage out-of-the-box thinking, and narrow the pipeline of potential workers. Careful consideration of these potential effects will help inform decisions about whether and how to professionalize the field of cybersecurity, the report says.