New Report: Avoid Premature or Overly Broad Professionalization of Rapidly Evolving Cybersecurity Field
WASHINGTON — The nation’s cybersecurity work force is too broad and diverse to be treated as a single occupation or profession, and decisions about whether and how to professionalize the field will vary according to role and context, says a new report from the National Research Council. Defined as the social process by which an occupation evolves into a profession, such as law or medicine, professionalization might involve prolonged training and formal education, knowledge and performance testing, or other activities that establish quality standards for the work force.
The report suggests that professionalization measures in the field of cybersecurity should only be undertaken for specific occupations that have well-defined and stable characteristics, when there are observable work force deficiencies that professionalization could resolve, and if the benefits of professionalization outweigh the costs.
“Many aspects of the cybersecurity field are changing rapidly, from new technologies to the types of threats we face to the ways offensive and defensive measures are carried out,” says Diana Burley, co-chair of the committee that wrote the report and associate professor of human and organizational learning at the George Washington University in Washington, D.C. “Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment.”
The cybersecurity work force comprises workers in the private and nonprofit sector, all levels of civilian government, and the military. It encompasses a wide variety of roles and responsibilities and requires an array of skills and abilities that include behavioral and management aspects in addition to technical expertise. While there are indications that demand will continue to be high for cybersecurity workers, the evolving nature of the field makes it difficult to forecast the number of workers that will be required or the mix of knowledge and skills that will be needed, the report says.
Professionalization has the potential to attract workers and establish a long-term path to enhancing the quality of the work force, but measures such as standardized education or requirements for certification all have associated advantages and disadvantages. The report lists a number of trade-offs that should be weighed carefully by employers, professional organizations, and governments when deciding whether and how to undertake professionalization activities.
For example, education certificates or formal certification can be helpful to employers who otherwise may find it difficult to evaluate the skills and knowledge of job applicants. But it takes time to develop common curricula and reach consensus on what core knowledge and skills should be assessed. Once a certification is issued, those standards run the risk of becoming obsolete, and workers may not have incentives to update their skills. In addition, some of the most talented individuals in cybersecurity are self-taught, and the requirement of formal education or training may deter potential employees from entering the field.
Cybersecurity specialties and circumstances where professionalization may be appropriate should meet several criteria before any actions are taken, the report says. First, an occupation should have well-defined characteristics, which may include a core set of knowledge and skill requirements that remain stable even within a rapidly changing environment, boundaries that distinguish the occupation from others, or agreed-upon ethical standards. Second, there should be evidence of occupational shortcomings that could be remedied by a professionalization measure. This could include skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability. The report cites digital forensics as one example of a cybersecurity occupation where professionalization efforts have proved successful in identifying quality standards, but notes that agencies implement professionalization mechanisms differently to meet those standards.
Finally, the benefits of a given professionalization mechanism should outweigh any potential negative effects. Over time, professionalization could help build a higher quality work force with a standardized set of specific skills and help employers identify the best candidates to meet their needs. But this should be weighed against the changing context of cybersecurity that includes both evolving threats and fluid job responsibilities. Although some measures can help increase awareness and desirability of the profession and increase the number of individuals who consider cybersecurity as a career, they can also create additional barriers to entry that inadvertently screen out suitable candidates, discourage out-of-the-box thinking, and narrow the pipeline of potential workers. Careful consideration of these potential effects will help inform decisions about whether and how to professionalize the field of cybersecurity, the report says.
The study was sponsored by the U.S. Department of Homeland Security. The National Academy of Sciences, National Academy of Engineering, Institute of Medicine, and National Research Council make up the National Academies. They are private, independent nonprofit institutions that provide science, technology, and health policy advice under a congressional charter granted to NAS in 1863. The Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. For more information, visit http://national-academies.org. A committee roster follows.
Lauren Rugani, Media Relations Officer
Chelsea Dickson, Media Relations Assistant
Office of News and Public Information
202-334-2138; e-mail firstname.lastname@example.org