Cybersecurity an occupation, not a profession, says report


Cybersecurity as a field is still too young, and its threats change too rapidly, for the federal government to undertake its professionalization, concludes a study from a National Academy of Sciences panel commissioned by the Homeland Security Department.

Professionalization is distinct from specialized knowledge, intensive training or education, the report notes; nor is it "a proxy for 'better.'"

Rather, the report says that professionalization means the establishment of standards governing ethics and education, an expectation that workers have certification attesting to minimum levels of knowledge, possibly even restricting practice without a license.

But cybersecurity encompasses "a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession," the report says. The task force allows for only one possible cybersecurity sub-field where there exists a compelling case for professionalization, that of digital forensics examiners.

"The work is comparatively narrowly defined by procedures and law, the relevant domain of expertise appears to be sufficiently narrow, and the appropriate professionalization mechanism is clear," the report says--conditions absent elsewhere in cybersecurity.

Professionalization acts as a funnel that restricts people from entering a field and as a magnet that attracts people to it, the report says, but notes that overreliance on certification today could screen out some of the most talented and suitable cyber experts.

Cybersecurity certifications do exist; the report cites (ISC)²'s Certified Information Systems Security Professional as a canonical example. During workshops held as research for the report, however, some CISSPs told the task force they leave the certificate off their resume, since in some cybersecurity contexts experience and demonstrated ability are seen as the better measures.

Moreover, responding to an attack requires anticipating how attackers act, the report says, meaning that in some jobs, an adversarial mindset can be as important as technical skills.

Certification has the additional challenge of requiring time to reach consensus on the knowledge and skills to be assessed. That creates a risk that certification standards could fail to keep pace with fast-moving cybersecurity threats, or that certification could cause ossification of skills in cyber workers, since "those certified may not be incentivized to learn beyond what was included in the last certification test."

For more:
- go to the download page for the report, "Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making"
- read a news release on the report
