Professionalizing the National Cyber-Workforce

Last week, the National Academy of Sciences (NAS) released a study on “Professionalizing the Nation’s Cyber Workforce? Criteria for Decision-Making.” The study examined three questions:

1. Is cybersecurity ready to be professionalized across the nation?
2. Which jobs within the cybersecurity field should be professionalized and to what degree?
3. Should the federal government lead this effort single handedly?

The study was commissioned by the Department of Homeland Security. NAS, under the auspices of the Computer Science and Telecommunications Board of the National Research Council, carried out the study by forming a committee and holding several workshops with relevant stakeholders. CompTIA participated in this process and applauds NAS for its inclusiveness and outreach to relevant stakeholders. The primary recommendation from the report was:

Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits outweigh the costs.

Beyond the recommendation, however, the report listed seven conclusions:

1. More attention to both the capacity and capability of the U.S. cybersecurity workforce is needed.
2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.
3. The cybersecurity workforce encompasses a variety of contexts, roles and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.
4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.
5. Professionalization has multiple goals and can occur through multiple mechanisms.
6. The path toward professionalization of a field can be slow and difficult, and not all portions of a field can or should be professionalized at the same time.
7. Professionalization has associated costs and benefits that should be weighed when making decisions to undertake professionalization activities.

While we have some concerns with respect to certain specifics within the report, we feel that this is a positive reinforcement of the ongoing work and effort that surrounds the National Initiative for Cybersecurity Education (NICE). The NICE effort to categorize knowledge, skills and abilities and then map tools and certifications to those skills continues to be a worthwhile exercise aimed at professionalizing the cyber-workforce. We hope it will result in a common lexicon across government, industry and academia so that we can more readily identify what is working and what gaps remain and collectively move toward a better cyber-workforce.