The nation’s cybersecurity challenge stems from threats from a wide array of actors who seek to compromise the confidentiality, integrity, and availability of elements of cyberspace by exploiting flaws in the design, implementation, configuration, and operation of information technology systems. This cybersecurity threat faces individuals, organizations of all sizes, and government at all levels.
The effort to establish a safer and more secure cyberspace will require improvements in many areas, including a cybersecurity workforce that has the capacity and capability to do the job; better tools and techniques that enhance the efficiency and effectiveness of cybersecurity workers; better tools and approaches for risk identification and assessment; better systems design and development; greater incentives to encourage the deployment of better cybersecurity technologies and practices; improvements in end-user behavior through training; and organizational, national, and international measures to deter bad actors.
This report considers the role that professionalization might play in ensuring that the United States has a cybersecurity workforce with enough cybersecurity workers (capacity) with the right knowledge, skills, and abilities (capability). The committee understood its principal tasks to be (1) to consider the role that professionalization could play in enhancing the capacity and capability of the national cybersecurity workforce and (2) to identify criteria that could be used by decision-makers in government and the private sector when considering measures to professionalize the cybersecurity workforce.
In brief, the committee found that although the occupations comprising the field of cybersecurity do require specialized knowledge and some form of intensive advanced training, they have not yet sufficiently crystallized into specific professions. Cybersecurity is a young field, and the technologies, threats, and actions taken to counter the threats that characterize the endeavor are changing too rapidly to risk imposing the rigidities that typically attend professional status. Some organizations may find that professionalization provides a useful degree of “quality control” for those who work in the field, but professionalization also imposes barriers to those who wish to enter the field at a time when demand for cybersecurity workers exceeds supply.
CAPACITY AND CAPABILITY OF THE CYBERSECURITY WORKFORCE
Conclusion 1. More attention to both the capacity and capability of the U.S. cybersecurity workforce is needed.
Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.
CYBERSECURITY WORK AND THE CYBERSECURITY WORKFORCE
Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.
Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.
Conclusion 5. Professionalization has multiple goals and can occur through multiple mechanisms.
Conclusion 6. The path toward professionalization of a field can be slow and difficult, and not all portions of a field can or should be professionalized at the same time.
CRITERIA FOR DECISION-MAKING ABOUT PROFESSIONALIZATION
Conclusion 7. Professionalization has associated costs and benefits that should be weighed when making decisions to undertake professionalization activities.
Professionalization is not a proxy for “better,” but it may be a useful tool in certain circumstances. The following criteria are suggested to help identify cybersecurity specialties and circumstances where professionalization may be appropriate and to assess the potential effects of different professionalization mechanisms:
• Do the benefits of a given professionalization measure outweigh the potential supply restrictions resulting from the additional barriers to entry?
• Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job?
• Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out-of-date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)?
Recommendation. Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits outweigh the costs.
Cybersecurity is a broad field, and professionalization is something that can be undertaken for specific occupations within the field and not the field as a whole. Before professionalization activities are undertaken for an occupation, two high-level criteria should be met:
1. The occupation has well-defined characteristics. These include stable knowledge and skill requirements, stable roles and responsibilities and occupational boundaries that distinguish the profession from others, well-defined career ladders that provide links to professionalization mechanisms, and agreed-on ethical standards to which members of the profession will be held.
2. There is credible evidence of deficiencies in the occupational workforce, such as skill deficiencies, questions of legitimacy among the current set of practitioners, or concerns about accountability.
The criteria in Conclusion 7 speak to the trade-offs that should be considered by those seeking to professionalize those who work in the field of cybersecurity—including the U.S. government, other U.S. public and private employers, educational institutions, certification bodies, and so forth.
These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may thus be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.
Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. The criteria set forth under the Recommendation can be used by decision-makers to judge when that time has come.