National Academies Press: OpenBook
Suggested Citation:"Executive Summary." National Research Council. 2013. Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making. Washington, DC: The National Academies Press. doi: 10.17226/18446.

Executive Summary

The nation’s cybersecurity challenge stems from threats from a wide array of actors who seek to compromise the confidentiality, integrity, and availability of elements of cyberspace by exploiting flaws in the design, implementation, configuration, and operation of information technology systems. This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels.

The effort to establish a safer and more secure cyberspace will require improvements in many areas, including a cybersecurity workforce that has the capacity and capability to do the job; better tools and techniques that enhance the efficiency and effectiveness of cybersecurity workers; better tools and approaches for risk identification and assessment; better systems design and development; greater incentives to encourage the deployment of better cybersecurity technologies and practices; improvements in end-user behavior through training; and organizational, national, and international measures to deter bad actors.

This report considers the role that professionalization might play in ensuring that the United States has a cybersecurity workforce with enough cybersecurity workers (capacity) with the right knowledge, skills, and abilities (capability). The committee understood its principal tasks to be (1) to consider the role that professionalization could play in enhancing the capacity and capability of the national cybersecurity workforce and (2) to identify criteria that could be used by decision-makers in government and the private sector when considering measures to professionalize the cybersecurity workforce.

In brief, the committee found that although the occupations comprising the field of cybersecurity do require specialized knowledge and some form of intensive advanced training, they have not yet sufficiently crystallized into specific professions. Cybersecurity is a young field, and the technologies, threats, and actions taken to counter the threats that characterize the endeavor are changing too rapidly to risk imposing the rigidities that typically attend professional status. Some organizations may find that professionalization provides a useful degree of “quality control” for those who work in the field, but professionalization also imposes barriers to those who wish to enter the field at a time when demand for cybersecurity workers exceeds supply.

CAPACITY AND CAPABILITY OF THE CYBERSECURITY WORKFORCE

Conclusion 1. More attention to both the capacity and capability of the U.S. cybersecurity workforce is needed.

Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.

CYBERSECURITY WORK AND THE CYBERSECURITY WORKFORCE

Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.

Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.

PROFESSIONALIZATION

Conclusion 5. Professionalization has multiple goals and can occur through multiple mechanisms.

Conclusion 6. The path toward professionalization of a field can be slow and difficult, and not all portions of a field can or should be professionalized at the same time.

CRITERIA FOR DECISION-MAKING ABOUT PROFESSIONALIZATION

Conclusion 7. Professionalization has associated costs and benefits that should be weighed when making decisions to undertake professionalization activities.

Professionalization is not a proxy for “better,” but it may be a useful tool in certain circumstances. The following criteria are suggested to help identify cybersecurity specialties and circumstances where professionalization may be appropriate and to assess the potential effects of different professionalization mechanisms:

Do the benefits of a given professionalization measure outweigh the potential supply restrictions resulting from the additional barriers to entry?

Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job?

Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out-of-date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)?

Recommendation. Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits outweigh the costs.

Cybersecurity is a broad field, and professionalization is something that can be undertaken for specific occupations within the field and not the field as a whole. Before professionalization activities are undertaken for an occupation, two high-level criteria should be met:

1. The occupation has well-defined characteristics. These include stable knowledge and skill requirements, stable roles and responsibilities and occupational boundaries that distinguish the profession from others, well-defined career ladders that provide links to professionalization mechanisms, and agreed-on ethical standards to which members of the profession will be held.

2. There is credible evidence of deficiencies in the occupational workforce, such as skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability.

The criteria in Conclusion 7 speak to the trade-offs that should be considered by those seeking to professionalize those who work in the field of cybersecurity—including the U.S. government, other U.S. public and private employers, educational institutions, certification bodies, and so forth.

These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may thus be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.

Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. The criteria set forth under the Recommendation can be used by decision makers to judge when that time has come.

Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making considers approaches to increasing the professionalization of the nation's cybersecurity workforce. This report examines workforce requirements for cybersecurity and the segments and job functions in which professionalization is most needed; the role of assessment tools, certification, licensing, and other means for assessing and enhancing professionalization; and emerging approaches, such as performance-based measures. It also examines requirements for the federal (military and civilian) workforce, the private sector, and state and local government. The report focuses on three essential elements: (1) understanding the context for cybersecurity workforce development, (2) considering the relative advantages, disadvantages, and approaches to professionalizing the nation's cybersecurity workforce, and (3) setting forth criteria that can be used to identify which, if any, specialty areas may require professionalization and to evaluate different approaches and tools for professionalization. Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making characterizes the current landscape for cybersecurity workforce development and sets forth criteria that the federal agencies participating in the National Initiative for Cybersecurity Education—as well as organizations that employ cybersecurity workers—could use to identify which specialty areas may require professionalization and to evaluate different approaches and tools for professionalization.
