Executive Summary

The nation’s cybersecurity challenge stems from threats from a wide array of actors who seek to compromise the confidentiality, integrity, and availability of elements of cyberspace by exploiting flaws in the design, implementation, configuration, and operation of information technology systems. This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels.

The effort to establish a safer and more secure cyberspace will require improvements in many areas, including a cybersecurity workforce that has the capacity and capability to do the job; better tools and techniques that enhance the efficiency and effectiveness of cybersecurity workers; better tools and approaches for risk identification and assessment; better systems design and development; greater incentives to encourage the deployment of better cybersecurity technologies and practices; improvements in end-user behavior through training; and organizational, national, and international measures to deter bad actors.

This report considers the role that professionalization might play in ensuring that the United States has a cybersecurity workforce with enough cybersecurity workers (capacity) with the right knowledge, skills, and abilities (capability). The committee understood its principal tasks to be (1) to consider the role that professionalization could play in enhancing the capacity and capability of the national cybersecurity workforce and (2) to identify criteria that could be used by decision-makers in government and the private sector when considering measures to professionalize the cybersecurity workforce.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.




PROFESSIONALIZING THE NATION’S CYBERSECURITY WORKFORCE?

In brief, the committee found that although the occupations comprising the field of cybersecurity do require specialized knowledge and some form of intensive advanced training, they have not yet sufficiently crystallized into specific professions. Cybersecurity is a young field, and the technologies, threats, and actions taken to counter the threats that characterize the endeavor are changing too rapidly to risk imposing the rigidities that typically attend professional status. Some organizations may find that professionalization provides a useful degree of “quality control” for those who work in the field, but professionalization also imposes barriers to those who wish to enter the field at a time when demand for cybersecurity workers exceeds supply.

CAPACITY AND CAPABILITY OF THE CYBERSECURITY WORKFORCE

Conclusion 1. More attention to both the capacity and capability of the U.S. cybersecurity workforce is needed.

Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.

CYBERSECURITY WORK AND THE CYBERSECURITY WORKFORCE

Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.

Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.

PROFESSIONALIZATION

Conclusion 5. Professionalization has multiple goals and can occur through multiple mechanisms.

Conclusion 6. The path toward professionalization of a field can be slow and difficult, and not all portions of a field can or should be professionalized at the same time.

CRITERIA FOR DECISION-MAKING ABOUT PROFESSIONALIZATION

Conclusion 7. Professionalization has associated costs and benefits that should be weighed when making decisions to undertake professionalization activities.

Professionalization is not a proxy for “better,” but it may be a useful tool in certain circumstances. The following criteria are suggested to help identify cybersecurity specialties and circumstances where professionalization may be appropriate and to assess the potential effects of different professionalization mechanisms:

• Do the benefits of a given professionalization measure outweigh the potential supply restrictions resulting from the additional barriers to entry?
• Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job?
• Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out-of-date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)?

Recommendation. Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits outweigh the costs.

Cybersecurity is a broad field, and professionalization is something that can be undertaken for specific occupations within the field and not the field as a whole. Before professionalization activities are undertaken for an occupation, two high-level criteria should be met:

1. The occupation has well-defined characteristics. These include stable knowledge and skill requirements, stable roles and responsibilities and occupational boundaries that distinguish the profession from others, well-defined career ladders that provide links to professionalization mechanisms, and agreed-on ethical standards to which members of the profession will be held.
2. There is credible evidence of deficiencies in the occupational workforce, such as skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability.

The criteria in Conclusion 7 speak to the trade-offs that should be considered by those seeking to professionalize those who work in the field of cybersecurity—including the U.S. government, other U.S. public and private employers, educational institutions, certification bodies, and so forth. These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may thus be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.

Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. The criteria set forth under the Recommendation can be used by decision makers to judge when that time has come.