Professionalizing the Nation's Cybersecurity Workforce?: Criteria for Decision-Making (2013)

2

Approaches to Professionalization

PROFESSION

Profession has multiple interpretations, ranging from the common use of the word to more formal definitions that spell out the various elements generally associated with the establishment of a profession. The common meaning of profession is “a paid occupation, especially one that involves prolonged training and a formal qualification.”¹

A useful, more comprehensive definition can be derived from suggestions by several speakers at the workshops convened by this committee. That definition identifies the following characteristics of a professional: (1) passing a knowledge and/or performance test, (2) superior completion of study of intellectual basis of the profession, (3) a sustained period of mentored experience/apprenticeship, (4) continuing education, (5) licensing by a formal authority, and (6) ethical standards of behavior with enforcement, including removal from profession.² A field that possesses

_____________

¹New Oxford American Dictionary, third edition, Oxford University Press, 2010.

² Many similar definitions or subsets of this definition appear in the literature. For example, white papers prepared for the National Initiative on Cybersecurity Education use a definition with three elements (a body of knowledge, ethical guidelines, and professional organization that publishes papers and establishes best practices) (Department of Homeland Security, National Initiative for Cybersecurity Education, “The Path toward Cybersecurity Professionalization: Insights from Other Occupations: White Paper,” 2012, available at http://niccs.us-cert.gov/careers/professionalization). The definition used in this report was presented by Franklin Reeder in his remarks at the committee’s December 13, 2012, workshop.

all of these characteristics will almost certainly be recognized as a profession, but not all are required for a field to be recognized as a profession. This broader definition illustrates the different mechanisms for professionalization that might be applied to cybersecurity work.

PROFESSIONALIZATION

Professionalization describes (1) education, training, and other activities that transform a worker into a professional and (2) social processes by which an occupation becomes a profession. Although cybersecurity concerns have existed from the earliest days of shared and networked computers, and there have long been workers responsible for various aspects of computer and network security, it has taken some time for the view of cybersecurity as a distinct occupational field, replete with many subspecialties, to emerge.

Today, a growing number of workers think of themselves as cybersecurity professionals based on their job roles, experience, and expertise, and an array of government and private sector entities are pursuing activities related to professionalization. Professional societies in computer science, computer engineering, and cybersecurity have worked to develop bodies of knowledge and instituted codes of ethics.³ Multiple federal agencies, notably the Department of Defense and the Department of Homeland Security (DHS), the National Security Agency (NSA), and the Office of Personnel Management, have workforce development activities under way. A growing number of educational institutions offer degrees or specializations in cybersecurity, and a National Centers of Academic Excellence program, sponsored by NSA and DHS, certifies education, training, and research programs of 2- and 4-year academic institutions against standards established jointly by those two federal agencies.

A sufficiently large number of certificates and certifications in various cybersecurity skills and specializations have emerged that DHS has developed a searchable online catalog to guide workers and employers.⁴ These include general certifications like the Certified Information Systems Security Professional (CISSP) as well as many specialized certifications. A variety of organizations within and outside the government either require or encourage certification for certain job roles. For example, Department

_____________

³ These include the Association for Computing Machinery’s “Code of Ethics and Professional Conduct,” the IEEE Computer Society’s “Software Engineering Code of Ethics and Professional Practice,” and the International Information Systems Security Certification Consortium’s “Code of Ethics.”

⁴ U.S. Department of Homeland Security, Professional Certifications, available at http://niccs.us-cert.gov/training/professional-certifications.

of Defense Directive 8570⁵ requires CISSP certification of department personnel who perform information assurance functions.⁶

Professionalization can be a bottom-up process driven by those in the occupation, a top-down process driven by employers or the government (as an employer or as a policy maker), or some combination of the two. For an employer, professionalization might mean encouraging or requiring a particular course of academic study, degree, certificate, certification, or professional society membership as a condition of initial and/or continuing employment. For a professional association, professionalization might mean establishing a code of conduct or creating (or recognizing) certifications, training programs, or educational standards. For the government, professionalization might mean encouraging or requiring a particular educational achievement or certifications for its own workforce, supporting the development of curricula, establishing standards for education programs, encouraging the use of certification as a means of regulating the workers whose jobs affect the health and safety or property of others, or requiring (at either the federal or state level) licensure for particular occupations.

GOALS FOR PROFESSIONALIZATION

Historically, professionalization has had one or more of the following goals: (1) to establish standards that enhance the quality of the workforce; (2) to regulate workers whose jobs can affect the health, safety, or property of others; (3) to enhance public trust and confidence; (4) to enable compliance with regulatory or legal requirements; (5) to enhance the status of an occupation; (6) to establish a monopoly or otherwise regulate the supply of labor to advance the interests of its members; (7) to guide the behavior of practitioners in the field, especially when it comes to morally or ethically ambiguous activities; or (8) to establish and standardize roles (and the associated knowledge, skills, and abilities) and pathways so as to better align supply and demand, increase awareness of career paths, and facilitate recruitment and retention by employers.⁷

An additional, often unstated but important, goal is to establish a shared set of values, culture, ethos, and mindset for a profession. These

_____________

⁵ Department of Defense, DOD 8570.01-M: Information Assurance Workforce Improvement, Washington, D.C., 2012.

⁶ As of this writing, the Department of Defense is reevaluating certification requirements. Zachary Fryer-Biggs, Experts say DoD workers undertrained, Federal Times, February 16, 2013.

⁷ This set of goals draws on observations offered by workshop participants and includes elements commonly found in the literature on professionalization. See, for example, W.J. Orlikowski, and J.J. Baroudi, The information systems profession: Myth or reality?, Information Technology and People 4(1):13-30, 1988.

commonalities can contribute to people’s ability to work together effectively, particularly across roles within an organization and across organizations.

SPECIFIC MECHANISMS FOR PROFESSIONALIZATION AND HOW THEY AFFECT WORKFORCE CAPACITY AND CAPABILITY

Codes of Conduct or Ethics

Codes of conduct or ethics fall into two types: (1) enforceable codes whose breach can lead to revocation of a certification, or even removal from the profession, and (2) nonenforceable codes that are generally associated with membership in a professional society. Although workshop participants did not cite examples of where ethical violations had been an issue, more than one participant observed that some cybersecurity workers are placed in positions that involve significant responsibility and trust. A possible concern with such codes is how they affect the recruitment of “black hats” (i.e., those who have violated computer security laws or rules in the past) into “white hat” jobs. This issue is likely to recede over time as the supply of qualified workers grows, reducing the need to hire those with criminal or otherwise less trustworthy backgrounds. Another issue is that some specialized cybersecurity jobs that involve offensive operations or active defense might run afoul of codes that do not take such work into account, a tension that other fields have had to consider in developing their ethical standards.

Education

Education for cybersecurity is provided at the undergraduate level by both 2- and 4-year institutions, which offer a wide range of courses, programs, and degrees focused on cybersecurity and as a component of computer science and engineering, management information system, and other information technology (IT)-related courses, programs, and degrees. Cybersecurity education can also be provided in non-IT contexts, such as in business or public policy programs.

Certificates and Certifications

Certificates are generally associated with training or education courses and verify through examination that particular content was learned in courses or curricula. They are generally “good for life” and cannot be revoked, although a certificate’s relevance to an employer will diminish over time, especially in a fast-moving field like cybersecurity. They serve as an indication of knowledge at a particular point in time.

Certification is a formal procedure by an authorized or accredited body.⁸ It is based on a study of the factors that predict success in a job and relies on examinations that meet testing standards. Certifications are time limited and require periodic recertification, and there are procedures in place to remove certification for ethical breaches or knowledge deficiencies. Certification can also be applied to the content of education and training programs as well as individuals. The Centers for Academic Excellence programs described above certifies that the education, training, and research programs meet an external standard.

A challenge associated with developing or updating a certification is that it takes time to reach consensus on the knowledge and skills to be assessed. This creates challenges in an area like cybersecurity where the underlying technologies, threats, and context are fast moving. One risk is obsolescence—the knowledge or skills tested for are out-of-date by the time the certification is issued. Another risk is ossification—when the establishment of a standard inhibits evolution of skills and knowledge because those certified may not be incentivized to learn beyond what was included in the last certification test. Organizations that offer certifications can address these challenges by focusing assessments as much as possible on fundamental concepts, by adopting nimble processes for updating content, and by requiring periodic recertification. Continuing education is especially important, both in the context of certifications and more broadly for the workforce, given the rapid rate of change in cybersecurity knowledge.

Certificates and certifications are especially helpful to employers who may find it otherwise difficult to evaluate the skills and knowledge of job applicants, especially small organizations that do not have a hiring manager with deep cybersecurity expertise.⁹ Even in these cases, certificates and certifications may not be dispositive but may be given greater weight. In addition to providing evidence of competence, certificates and certifications may be useful indicators of interest and commitment to work in a field and provide a useful complement or supplement to academic degrees in establishing knowledge and commitment.

A number of workshop participants observed that some certifications play a useful role in helping employers determine that an applicant has been exposed to a minimum level of knowledge. CISSP certification is

_____________

⁸ The distinction between certificates and certifications is reflected in American National Standards Institute, “Assessment Based Certificate Programs,” ANSI/NOCA Standard 1100, 2009. The definitions used here are drawn from a presentation at the March 28, 2013, workshop, by Roy Swift, American National Standards Institute.

⁹ As observed above, another possibility for such organizations is to outsource cybersecurity work (e.g., consultants) or outsource some of the responsibility (e.g., via software as a service).

a canonical example. Others observed that many qualified and, indeed, very highly qualified applicants can be found who do not have a CISSP or other certification, and so requiring such certification would undesirably restrict the candidate pool.

Views expressed by workshop participants with respect to the value of certificates and certifications in the context of their own careers or workplaces varied. Some indicated that certificates and certifications had helped advance their careers and/or were perceived as valuable credentials within their organizations. Other participants observed that certificates and certifications were not viewed so positively in some contexts—that other factors, such as experience, demonstrated ability, or educational achievement, were seen as better measures. A few said that they sometimes omitted listing them on their resumes for this reason.

Certificates and certifications also play a role in establishing the qualifications and credibility of those who testify in court, and thus it is no surprise that several certifications in digital forensics are now offered. Interestingly, at the committee’s December 2012 workshop, participants from two federal government organizations described entirely different approaches to certification of forensic experts. One sought to have all of the organization’s experts certified to enhance the experts’ credibility in court, while the other discouraged certification out of concern that a capable expert might for some reason not pass a particular certification exam and that this fact could be used to question the expert’s court testimony irrespective of the expert’s actual knowledge and skills.

Licensure

Licensure involves a government restriction on practice without a license, generally involving public safety or trust. It may establish standards for legal liability in the case of negligent practice. In engineering fields, a small fraction of workers with degrees in engineering fields are licensed as professional engineers. For example, a licensed civil engineer responsible for approving a bridge design is assumed to be able to state with some certainty that the bridge will stand under stated conditions. By contrast, for software and security no equivalent knowledge exists, which is one reason that licensure has not taken hold in the related area of software engineering. Also, cybersecurity is carried out in an adversarial environment where human behavior plays a central role. As a result, it likely is too early for licensure in cybersecurity, at least broadly, but the approach may have some utility in the future as the underlying science and engineering practice improves.

TIMESCALES FOR PROFESSIONALIZATION

The path toward professionalization of an occupation is generally a long one, and debates about the best approach can continue for decades. There has, for example, been a multi-decade discussion about professionalization of software engineering, with no consensus as yet reached among workers, professional organizations, and employers. In that regard, for example, the Association for Computing Machinery has taken a public position that is unfavorable to licensing of software engineers, while the Institute of Electrical and Electronics Engineers has been more receptive. Today, only one state, Texas, recognizes professional software engineers, and the software industry remains largely “policed” by the marketplace.

Even in a field as old as medicine, professionalization has continued to evolve. More than 100 years ago, the Flexner report¹⁰ spurred education reforms and greater professionalization of medical practice. Professionalization mechanisms in medicine have also seen significant evolution during this time. For example, medicine has increasingly been subdivided into distinct specialty roles (e.g., the emergence of board-certified specialties and subspecialties) that have made it easier to identify specific certification criteria in the face of expanding and evolving knowledge and skill requirements. Even today, debate about how the necessary skills and knowledge for medical students are best acquired through classroom education and hands-on practice continues, reflecting the growing body of scientific knowledge, the increasing complexity of clinical care, and the evolving socioeconomic context in which medicine is practiced.¹¹ An important and open question is whether cybersecurity will endure in anything like its present form over the timescales in which professionalization emerged and matured in professions like medicine, law, and aviation.

TRADE-OFFS ASSOCIATED WITH PROFESSIONALIZATION

Chapter 1 described some of the uncertainties associated with the current and future supply and demand for cybersecurity workers and the diversity of contexts in which cybersecurity work is done. This chapter has outlined the range of potential professionalization measures and some of the associated advantages and disadvantages. Taking these together,

_____________

¹⁰ A. Flexner, Medical Education in the United States and Canada: A Report to the Carnegie Foundation for the Advancement of Teaching, Merrymount Press, Boston, Mass., 1910.

¹¹ There is a rich literature on the future of medical education and the recommendations of the Flexner report. See, for example, M. Cooke, D.M. Irby, W. Sullivan, and K.M. Ludmerer, “American medical education 100 years after the Flexner Report,” New England Journal of Medicine 355(13):1339-1344, 2006.

the committee identified a set of trade-offs associated with actions to professionalize the cybersecurity workforce. These include the following:

• Quality versus quantity. Improvements in quality that can be shown to result from professionalization mechanisms should be weighed against supply restrictions that the resulting additional barriers to entry would create. Professionalization can be both a funnel (restricting people from entering the field) and a magnet (attracting people to the field). It can also act as a sieve if people who moved from general IT or other positions into cybersecurity roles find themselves subject to new professionalization requirements and then move out of cybersecurity. This tension comes into play when employers expect job candidates to already have experience and credentials, rather than investing in on-the-job training. The time and cost associated with obtaining the required education, training, experience, and credentials will discourage some from entering the field.

• Standardization versus dynamism. The value of standardization associated with development of common curricula or certifications should be weighed against the time it takes to reach consensus on standards, given the rate of change in underlying technologies, the introduction of new technologies, and the rapid pace at which the context and threat evolve.

In other words, the benefits of standardization should be weighed against the risks of obsolescence (the knowledge or skills associated with the standard are out-of-date) and ossification (the establishment of a standard inhibits evolution of skills and knowledge).

• Broad versus niche needs. Given the great diversity of roles, responsibilities, and contexts, the fact that professionalization measures (e.g., certification) may be warranted in a particular subfield and context (e.g., digital forensics) should not be confused with a broad need for professionalization.

• Better information for employers versus false certainty. Certificates and certifications provide some ability to vet job candidates, but overreliance on them may screen out some of the most talented and suitable individuals. This is particularly true in cybersecurity, in which some of the most proficient cyber experts have developed their skill sets through informal methods (e.g., self-taught hackers). Organizations that do not already have a sophisticated cybersecurity workforce may place a greater value on professionalization measures, which make it easier for them to identify qualified workers. However, at a time when few think the cybersecurity situation is improving, out-of-the-box thinking may be at a premium but may be lost with overly rigid screening.

• Certainty about worker capabilities versus uncertainty about actual job requirements. Increased certainty about the capabilities of a professional that may result from professionalization should be weighed against the

uncertainty about what skills, knowledge, or abilities are actually needed in a particular role and uncertainty about how roles may change as the technological, organizational, and threat context evolves.

• Specificity versus flexibility. Employers and their hiring managers and human resource staff will seek sufficient specificity to assure that a candidate has the right set of skills and abilities for a position. They may also seek specificity simply to make it easier to identify candidates (although at the risk of overlooking candidates who may be suitable but lack the specified qualifications). At the same time, job boundaries are never firm, and in the evolving world of cybersecurity, roles and needs can be especially fluid, which means that enough flexibility to select candidates who are more broadly suited for that range of possible roles is also important.

• Stimulation of supply and better matching of supply to demand versus restriction of supply. Professionalization may increase supply over time as it helps increase awareness and desirability of a profession and thus increases the number of individuals who consider cybersecurity as a career. By helping define roles and career paths, professionalization can help workers identify suitable jobs and employers identify suitable workers. On the other hand, defining the field in terms of a specific set of exams, certificates, degrees, or the like will narrow the pipeline of future candidates for the field and thus may constrain supply.

The committee believes that careful consideration of these trade-offs will help inform decision-making by employers, professional organizations, and governments about whether and how to undertake activities to professionalize the cybersecurity workforce. They do not represent “either/or” choices, but trade-offs to be weighed. Conclusion 7 of this report presents these trade-offs as questions to pose about any given professionalization effort.