National Academies Press: OpenBook
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

Professionalizing
the Nation’s
Cybersecurity
Workforce?

Criteria for Decision-Making

Committee on Professionalizing the Nation’s Cybersecurity Workforce:
Criteria for Future Decision-Making

Computer Science and Telecommunications Board

Division on Engineering and Physical Sciences

NATIONAL RESEARCH COUNCIL
OF THE NATIONAL ACADEMIES

THE NATIONAL ACADEMIES PRESS

Washington, D.C.

www.nap.edu

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

THE NATIONAL ACADEMIES PRESS  500 Fifth Street, NW   Washington, DC 20001

NOTICE: The project that is the subject of this report was approved by the Governing Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engineering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance.

This project was supported by the U.S. Department of Homeland Security under Contract No. HSHQDC-11-D-00009, Task Order No. HSHQDC-12-J-00157. Any opinions, findings, conclusions, or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the view of the organizations or agencies that provided support for this project.

International Standard Book Number-13: 978-0-309-29104-0
International Standard Book Number-10: 0-309-29104-6

Additional copies of this workshop summary are available for sale from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202) 334-3313; http://www.nap.edu.

Copyright 2013 by the National Academy of Sciences. All rights reserved.

Printed in the United States of America

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

THE NATIONAL ACADEMIES

Advisers to the Nation on Science, Engineering, and Medicine

The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal government on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences.

The National Academy of Engineering was established in 1964, under the charter of the National Academy of Sciences, as a parallel organization of outstanding engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. C. D. Mote, Jr., is president of the National Academy of Engineering.

The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine.

The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in providing services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. C. D. Mote, Jr., are chair and vice chair, respectively, of the National Research Council.

www.national-academies.org

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

This page intentionally left blank.

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

COMMITTEE ON PROFESSIONALIZING THE NATION’S CYBERSECURITY WORKFORCE: CRITERIA FOR FUTURE DECISION-MAKING

DIANA L. BURLEY, George Washington University, Co-Chair

SEYMOUR E. GOODMAN, Georgia Institute of Technology, Co-Chair

MATT BISHOP, University of California, Davis

MISCHEL L. KWON, Mischel Kwon and Associates, LLC

KEVIN R. MURPHY, Colorado State University

PHILIP M. NECHES, Foundation Ventures, LLC.

CHARLES “CASEY” O’BRIEN, National CyberWatch Center, Prince George’s Community College

RONALD P. SANDERS, Booz Allen Hamilton

Staff

JON EISENBERG, Director, Computer Science and Telecommunications Board

ENITA A. WILLIAMS, Associate Program Officer (through April 2013)

SHENAE BRADLEY, Senior Program Assistant

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD

ROBERT F. SPROULL, Oracle (retired), Chair

LUIZ ANDRÉ BARROSO, Google, Inc.

ROBERT BRAMMER, Brammer Technology, LLC

EDWARD FRANK, Apple, Inc.

JACK L. GOLDSMITH III, Harvard Law School

SEYMOUR E. GOODMAN, Georgia Institute of Technology

LAURA M. HAAS, IBM Amalden Research Laboratory

ROBERT HOROWITZ, Stanford University

MICHAEL KEARNS, University of Pennsylvania

ROBERT KRAUT, Carnegie Mellon University

SUSAN LANDAU, Radcliffe Institute for Advanced Study

PETER LEE, Microsoft Corporation

DAVID E. LIDDLE, U.S. Venture Partners

BARBARA LISKOV, Massachusetts Institute of Technology

JOHN STANKOVIC, University of Virginia

JOHN A. SWAINSON, Dell, Inc.

PETER SZOLOVITS, Massachusetts Institute of Technology

ERNEST J. WILSON, University of Southern California

KATHERINE YELICK, University of California, Berkeley

Staff

JON EISENBERG, Director

VIRGINIA BACON TALATI, Program Officer

SHENAE BRADLEY, Senior Program Assistant

RENEE HAWKINS, Financial and Administrative Manager

HERBERT S. LIN, Chief Scientist

LYNETTE I. MILLETT, Associate Director

ERIC WHITAKER, Senior Program Assistant

For more information on CSTB, see its website at http://www.cstb.org; write to CSTB, National Research Council, 500 Fifth Street, NW, Washington, DC 20001; call (202) 334-2605; or e-mail CSTB at cstb@nas.edu.

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

Preface

The federal National Initiative for Cybersecurity Education (NICE) aims to “enhance the overall cybersecurity posture of the United States by accelerating the availability of educational and training resources designed to improve the cyber behavior, skills, and knowledge of every segment of the population.”1 One of the issues being considered as part of NICE is the role of professionalization in enhancing the cybersecurity workforce. The U.S. Department of Homeland Security (DHS), one of the agencies carrying out activities under NICE, lists three questions regarding the role of professionalization on the National Initiative for Cybersecurity Careers and Studies webpage on cybersecurity professionalization:

• Is cybersecurity ready to be professionalized across the nation?

• Which jobs within the cybersecurity field should be professionalized and to what degree?

• Should the federal government lead this effort single handedly?2

That page goes on to describe the present study, sponsored by DHS, on professionalization. Box P.1 provides the full statement of task. To carry out the study, the Committee on Professionalizing the Nation’s Cyber-

_____________

1 U.S. Department of Homeland Security, National Initiative for Cybersecurity Careers and Studies (NICCS), About the National Initiative for Cybersecurity Education, available at http://niccs.us-cert.gov/footer/about-nice.

2 U.S. Department of Homeland Security, National Initiative for Cybersecurity Careers and Studies, Professionalization, available at http://niccs.us-cert.gov/careers/professionalization.

Page viii Cite
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

BOX P.1 Statement of Task

An ad hoc committee will conduct a study that would consider approaches to increasing the professionalization of the nation’s cybersecurity workforce. It would examine workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It would also examine requirements for the federal (military and civilian) workforce, the private sector, and state and local government.

Three public workshops would be held in the course of the study as the principal data-gathering events to obtain input on the foregoing issues from education and training institutions and public and private sector employers of cybersecurity workers. The committee will develop the respective agendas, select and invite speakers and discussants, and moderate the discussions. Subsequently, the committee will prepare a report, drawing on the workshops. The report would characterize the current landscape for cybersecurity workforce development and set forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.

security Workforce: Criteria for Future Decision-Making was convened under the auspices of the Computer Science and Telecommunications Board of the National Research Council (Appendix A).

The statement of task speaks broadly about a range of matters to be considered or examined. With one exception noted below, the committee did explore all of these points. Consistent with discussions with DHS before and during the study as well as with the time and resources available for the study, the committee took as its central task to do what is called for in the final sentence of the statement of task—to prepare a report that would

Characterize the current landscape for cybersecurity workforce development and set forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

In developing this report, the committee identified three essential elements—(1) understanding the context for cybersecurity workforce development; (2) considering the relative advantages, disadvantages, and approaches to professionalizing the nation’s cybersecurity workforce; and (3) setting forth criteria that can be used to identify which, if any, specialty areas may require professionalization—and set forth criteria for evaluating different approaches and tools for professionalization. As called for in the statement of task, the committee considered these in the context of the national cybersecurity workforce—and, in particular, not just with respect to the federal government workforce. One issue that is listed in the statement of task but is not addressed in this report is the question of approaches to performance assessment. The reason for this omission is simple: the committee did not hear about this point at the workshops it convened. The committee believes that this issue will merit more attention in the future as professionalization measures are implemented and refined.

The principal input to this study came from a series of three workshops convened by the study committee and held in Washington, D.C., San Francisco, California (coinciding with and partly co-located with the RSA Conference), and San Antonio, Texas. An additional data-gathering meeting with approximately 25 attendees was held at the Cybercorps Scholarship for Service principal investigators’ meeting on January 10, 2013, in Arlington, Virginia. Agendas for the three workshops organized by the committee are provided in Appendix B. Speakers at the workshops came from organizations associated with the education and development of cybersecurity workers (community colleges, colleges, and universities; organizations that provide certificates and certifications, and professional associations); organizations that employ cybersecurity workers (federal, state, and local government and a wide array of private sector firms). Speakers also included students and a diverse set of people who hold cybersecurity jobs or whose positions significantly involve cybersecurity. Within the federal government, speakers came from civilian, law enforcement, defense, and intelligence agencies. Speakers from private firms included individuals from the information technology, cybersecurity, entertainment, banking and finance, and manufacturing sectors. Lists of speakers and participants in the three workshops are provided in Appendix C. A principal focus of the workshops and other interactions was to understand how organizations think about cybersecurity jobs and the role of professionalization. In the course of these presentations and discussions, the committee heard almost every imaginable point of view, and many points were both corroborated and contradicted by other speakers.

During the course of the study, the committee also reviewed reports related to the cybersecurity workforce in general and to its profession-

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

alization in particular. These reports provide a variety of perspectives on the need, demand, and supply for cybersecurity workers, the sorts of skills required, and ways of improving the capacity and capability of the workforce. Some of these reports focused on the federal government workforce, while others looked at the workforce more broadly. Some are independent analysis, and others were prepared by groups with a particular interest in some aspect of workforce issues.

Chapters 1 and 2 provide context regarding the cybersecurity challenge, the role of the cybersecurity workforce in addressing this challenge, and the role that professionalization might play. Chapter 3 provides the committee’s analysis and its conclusions and recommendation.

We would like to thank the Department of Homeland Security for sponsoring this study and acknowledge in particular the assistance of Robin “Montana” Williams, branch chief, Cybersecurity Education and Awareness, U.S. Department of Homeland Security. We would also like to acknowledge the contributions made by the speakers and participants at the three workshops organized by the committee.

Diana Burley and Seymour Goodman, Co-Chairs
Committee on Professionalizing the
Nation’s Cybersecurity Workforce:
Criteria for Future Decision-Making

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

Acknowledgment of Reviewers

This report has been reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise, in accordance with procedures approved by the National Research Council’s Report Review Committee. The purpose of this independent review is to provide candid and critical comments that will assist the institution in making its published report as sound as possible and to ensure that the report meets institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process. We wish to thank the following individuals for their review of this report:

Byron Collie, Goldman Sachs Group, Inc.,

Stephen Cooper, Stanford University,

Paul E. Gray, Massachusetts Institute of Technology,

Cynthia Irvine, Naval Postgraduate School,

John D. Johnson, Deere & Company,

Anita Jones, University of Virginia,

Susan Landau, privacyink.org,

Fred Oswald, Rice University,

Michael Papay, Northrup Grumman Corporation,

Franklin S. Reeder, Reeder Group, Inc., and

Eugene Spafford, Purdue University.

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×

Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations, nor did they see the final draft of the report before its release. The review of this report was overseen by R. Stephen Berry, University of Chicago (emeritus). Appointed by the National Research Council, he was responsible for making certain that an independent examination of this report was carried out in accordance with institutional procedures and that all review comments were carefully considered. Responsibility for the final content of this report rests entirely with the authoring committee and the institution.

Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R1
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R2
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R3
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R4
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R5
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R6
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R7
Page viii Cite
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R8
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R9
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R10
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R11
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R12
Page xiii Cite
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R13
Suggested Citation:"Front Matter." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.
×
Page R14
Next: Executive Summary »
Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making Get This Book
×
Buy Paperback | $34.00 Buy Ebook | $27.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making considers approaches to increasing the professionalization of the nation's cybersecurity workforce. This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government. The report focuses on three essential elements: (1) understanding the context for cybersecurity workforce development, (2) considering the relative advantages, disadvantages, and approaches to professionalizing the nation's cybersecurity workforce, and (3) setting forth criteria that can be used to identify which, if any, specialty areas may require professionalization and set forth criteria for evaluating different approaches and tools for professionalization. Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making characterizes the current landscape for cybersecurity workforce development and sets forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!