The U.S. Department of Homeland Security recently sponsored a study assessing the prospects of professionalizing the nation’s cybersecurity workforce. Currently, the sector is populated by a diverse range of analysts, programmers and managers who share a common obligation to ethically handle data and evaluate risks in the contexts of public safety and national security. Associated initiatives could create ethical government-wide standards and also require all employees to obtain advanced certification befitting their great responsibilities
However, the National Research Council of the National Academy of Sciences, which conducted the study with DHS’ support, concluded that the time is not right for professionalization and standards-setting, characterizing cybersecurity as less a profession than an occupation that attracts a particularly disparate group of individuals. Writing for Network World, Layer 8′s Michael Cooney acknowledged the possible benefits of professionalization while highlighting its main drawbacks.
“Over time, professionalization could help build a higher quality workforce with a standardized set of specific skills and help employers identify the best candidates to meet their needs,” wrote Cooney. “But this should be weighed against the changing context of cybersecurity that includes both evolving threats and fluid job responsibilities.”
Can agencies strike the right balance between attracting a diverse collection of talent and encouraging adherence to technical and ethical standards? The question is more pressing than ever in light of the government’s recent struggles with employee recruitment and retention.
Federal agency staffing shortages make professionalization a tough sell
A recent report from the Government Accountability Office found an alarmingly high vacancy rate among federal cybersecurity agencies. Twenty-two percent of jobs at the Office of Cybersecurity and Communications, a satellite of the National Protection and Programs Directorate, were unfilled, due to what the report characterized as a long vetting process and challenges in recruiting.
The implementation of cyber security standards could aggravate staffing shortages, by requiring even entry-level candidates to obtain extra certification. Ultimately, intelligence gathering and analysis would suffer, as fewer individuals contribute and the barriers to entry become more imposing.
However, professionalization may have the potential to address the recruiting issue. Commenting on the GAO report for NextGov, Brittany Ballenstedt pointed out that many open cybersecurity positions suffer from a lack of clearly enumerated responsibilities and skills. Accordingly, they may scare away skilled applicants who do not know what to expect in terms of career path. Since NPDD employees are pigeonholed into many different occupational series, their cybersecurity skills may be utilized very differently from one context to the next, leading to high turnover rates and complicating the government’s efforts to document personnel trends. Moreover, agencies cannot provide useful data on hiring and attrition because cybersecurity jobs do not belong to a unified job series.
In its assessment of the challenges that plague cybersecurity staffing, the GAO report cited the specific case of Transportation Security Administration recruiting efforts. The TSA has experienced trouble attracting qualified candidates in some parts of the U.S., which may indicate the catch-22 that government agencies face with respect to professionalization. On the one hand, implementing formal standards would likely raise the bar even higher and instantly disqualify some candidates. However, with clearer sets of responsibilities and discernible career arcs, it is possible that TSA recruiters could win over candidates who would otherwise opt for safer paths.
Recommendations from the GAO and NRC
The GAO made no specific recommendations for the cybersecurity staffing situation, although it pleaded for consistency in how DHS agencies report recruiting costs. Ultimately, such a practice could alert the government to the sheer amount of time and money being channeled into often futile recruiting efforts, which alternately struggle with vague job postings and stringent requirements.
The NRC coordinators were much more straightforward, advising against the immediate implementation of cybersecurity standards. Their rationale centered on cybersecurity’s newness compared to other government sectors, as well as the heterogenous nature of its workforce. Since cybersecurity employees may span civilian and military institutions, alongside nonprofit and corporate companies in the private sector, predicting employee trends, or prescribing a uniform set of standards, may be an overly ambitious goal that effectively removes some of the security community’s distinctive advantages: The scope of its outlook and expertise.
“Many aspects of the cybersecurity field are changing rapidly, from new technologies to the types of threats we face to the ways offensive and defensive measures are carried out,” said George Washington University associate professor of human and organizational learning Diana Burley, also one of the NRC committee’s co-chairs. “Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment.”
However, the NRC encouraged agencies to think about certification requirements on a job-by-job basis. It argued that standards should only be implemented for occupations with clearly defined responsibilities, and only if they can be identified as solutions to major issues inherent in the current system, such as a widespread skill deficiency.
Can cybersecurity ever be professionalized?
Looking ahead, the NRC’s suggested piecemeal approach may be a realistic alternative to possibly heavy-handed standardization. But even if implemented, would such measures ever transform cybersecurity into a coherent, professionalized public sector field?
Many cybersecurity professionals, especially on the programming side, are self-taught, indicating a possible cultural and educational barrier to professionalization.
“It would be very hard to professionalize the field of cybersecurity,” Coventus CEO Sarah Isaacs told CSO. “The complexities are such that the subject matter experts in any particular security field are not necessarily individuals that have passed exams certifying their level of knowledge or competence, but rather independent thinkers that have pieced together solutions, programs, and assessments from years of hands-on experience and analysis of event details.”
Meeting cybersecurity goals – keeping individuals and institutions safe from financial harm, privacy intrusions or attacks – may indeed require security organizations to retain a flexible structure that attracts skilled workers from many different backgrounds. At the same time, the cybersecurity community could certainly benefit from an ongoing conversation about the ethical and professional standards that it should strive to meet, even if they are not rigidly codified.