Would Cybersecurity Professionalization Help Address the Cybersecurity Crisis?

Evaluating the trade-offs involved in cybersecurity professionalization.

Diana L. Burley, Jon Eisenberg, and Seymour E. Goodman

Viewpoints: Privacy and Security. Communications of the ACM, February 2014, Vol. 57, No. 2, pp. 24–27. DOI:10.1145/2556936


The thousands of serious cyber attacks occurring daily highlight the critical need for a workforce with the requisite skillset and of sufficient size to meet growing and increasingly complex demands. Yet despite significant investments in the development of the cybersecurity workforce from governments across the globe, the U.S. and many other nations lack a sufficient supply of well-trained cybersecurity professionals. It is often argued that this workforce shortage, and the consequent openness to attack, is a pressing security threat facing the U.S. [1]

Professionalization—activities such as certification, licensure, and skill-based competency exams—has been advanced as a strategy for creating a workforce capable of addressing the growing cybersecurity threat.

To explore this argument, the U.S. Department of Homeland Security sponsored a National Research Council committee, which we led. What follows are insights largely drawing on the study, and although the impetus for asking the question at this moment came from the U.S. government, the issues and analysis would have general applicability. Our key question was: What is the role that professionalization might play in enhancing the capacity and capability of the U.S. national cybersecurity workforce? This question led to a complex mosaic of answers to the cybersecurity workforce issue.

The Cybersecurity Workforce

Despite descriptions of the cybersecurity workforce as a “profession”—meaning a single occupational category—it is not. Rather, cybersecurity is a broad field comprising many occupations spanning the range from the highly technical to the management- or policy-oriented. Some of these occupations may be ready for professionalization, while others are not. Others are yet to be defined. Still others may never be defined, either because the fluidity of the roles and responsibilities changes too rapidly to allow for categorization or because they are hybrid occupations that blend cybersecurity responsibilities with other, often unrelated work roles. Given the great diversity of roles, responsibilities, and contexts, the fact that professionalization measures may be warranted in a particular subfield and context should not be confused with a broad need for professionalization.

Before professionalization activities are undertaken for an occupation, the profession itself must have well-defined characteristics: stable knowledge and skill requirements, stable job roles, occupational boundaries, and career ladders.

˲ Stable knowledge and skill requirements: The occupation should have a stable (but not necessarily static) common body of knowledge on which members of the profession can be judged to a generally agreed-upon standard. This does not imply, however, that the occupation is static; even within a rapidly evolving profession, core knowledge elements that remain stable can be identified.

˲ Stable roles and responsibilities and occupational boundaries that distinguish the profession from others.

˲ Well-defined career ladders that are linked to professionalization mechanisms.

˲ Agreed-upon ethical standards to which members of the profession will be held, and a mechanism for removing noncompliant individuals from the professional ranks.

The fact that the current cybersecurity workforce is a field of multiple occupations highlights a significant problem with current approaches to professionalization. Realistically, such professionalization can only be undertaken for specific occupations within the field, but not for the field as a whole.

Professionalization

Professionalization is the process by which an occupation (or an individual who works within that occupation) is transformed through education, training, and other activities into a professional. Each occupation must exhibit some set of well-defined characteristics before professionalization activities commence. Not all of these characteristics or standards must be met, but the level of occupational readiness for professionalization is higher when more of them are. Readiness for professionalization, however, does not imply the occupation should be professionalized, nor does it identify the appropriate professionalization mechanism. It simply means the occupation could be professionalized if circumstances warrant the activity. At this point, the question becomes: what are the deficiencies within the occupation that could be alleviated through professionalization?

The process of professionalization is initiated based on some deficiency in the occupational workforce—a lack of public trust, questionable skill or performance, weak behavioral or ethical standards, low status, noncompliance with regulatory or legal requirements, ill-defined career pathways, or unregulated labor supply (when a steady flow of workers is desired or necessary). But as has been stated, the cybersecurity workforce challenge is one of capacity and capability. This statement, though compelling, is not sufficient to initiate professionalization activities.

Rather, we must unbundle this statement and ask difficult questions about the precise nature of the need. If the workforce need is for more accountability in the maintenance of hands-on skillsets within a particular occupation, then the professionalization mechanism should be focused on continuing education requirements and skill-based testing. If, on the other hand, the nature of the workforce challenge is related to troubling examples of ethical lapses, then professionalization activities should focus on some type of compliance mechanism from a formal authority. The alignment of professionalization strategies with specific workforce challenges is necessary to ensure the deficiency is, in fact, addressed. It is also critical to ensuring the possible negative consequences of professionalization do not outweigh the good.

Trade-offs of Professionalization

Even when the professionalization activity is aligned with the occupational deficiency, it will have associated trade-offs. These costs and benefits should be considered before embarking on a professionalization activity.

Do the benefits of a given professionalization mechanism outweigh the potential supply restrictions resulting from the additional barriers to entry? Professionalization can serve as a magnet that attracts people to the occupation, as a funnel that restricts the supply of people entering the occupation, or as a sieve that filters people out of the occupation based on increased requirements.

˲ The Magnet: Professionalization may increase the supply over time as it helps increase awareness and desirability of that profession, and thus increases the number of individuals who consider cybersecurity as a career. By helping define roles and career paths, it can also help workers identify suitable jobs and help employers identify suitable workers. Specialization and stratification may also help address supply issues, much as the introduction of nurse practitioners and physician assistants expanded the workforce providing primary medical care.

˲ The Funnel: No one would argue against restricting the supply of unqualified individuals in a workforce. Certainly, professionalization mechanisms that address the capability of the workforce should be in place if capability is a concern. However, overly narrow professionalization or mismatched mechanisms may unnecessarily filter out qualified workers whose skills are needed. For example, requiring entry-level technical employees to hold a bachelor’s degree, when an associate’s degree and a passing score on a skill-based exam may be more appropriate, unnecessarily restricts the flow of qualified workers.

˲ The Sieve: The sieve function is of particular concern in cybersecurity, where many members of the workforce function in hybrid positions and are subject to professionalization requirements in those other roles. Consider, for example, the healthcare professional who has added cybersecurity responsibilities to her portfolio and must meet a double set of requirements. If the professionalization requirement is necessary to determine or verify skill requirements, then it may be appropriate. If, on the other hand, the requirement has been implemented without regard to remedying a specific deficiency, then it may unnecessarily burden the individual and ultimately encourage her departure from the workforce.

Does the potential to provide additional information about a candidate outweigh the risks of false certainty about who is actually best suited for a job? Certificates and certifications may provide useful tools for vetting job candidates, but overreliance on them may screen out some of the most talented and suitable individuals. This is particularly true in cybersecurity today, where some of the most effective workers develop their skillsets through informal methods (for example, self-taught hackers). Organizations that do not already have a sophisticated cybersecurity workforce may place a greater value on professionalization measures because they make it easier for them to identify qualified workers. However, at a time when few think the cybersecurity situation is improving, and where “sideways” thinking may be at a premium, creativity and innovation may be lost with overly rigid screening. Moreover, given the fluid and changing nature of cybersecurity work, the knowledge, skills, and abilities actually needed in a particular job can change, and workers’ roles and responsibilities can also shift rapidly.

Do the benefits of establishing the standards needed for professionalization outweigh the risks of obsolescence (when the knowledge or skills associated with the standard are out of date by the time a standard is agreed on) and ossification (when the establishment of a standard inhibits further development by workers of their skills and knowledge)? It takes time to reach consensus on the standards needed to establish a curriculum or certification, and it can be difficult to reach convergence, given the rate of change in underlying technologies and the rapid pace at which the context and threat evolve. Following receipt of a degree or certification, workers may stop developing their skills and knowledge. Strategies for addressing these challenges include focusing assessments as much as possible on fundamental concepts, segmenting a field (where possible) into sufficiently narrow specialty roles, adopting more nimble processes for updating content, and requiring continuing education and periodic recertification to refresh requirements.

These trade-offs illustrate the complex set of costs and benefits associated with professionalization. Some of the uncertainties may diminish over time, and long-term benefits may ultimately outweigh short-term costs. It may, thus, be an effective strategy to encourage, rather than require, the use of certain professionalization mechanisms so as to avoid overly restricting supply in the short term while still establishing a long-term path to enhancing quality.

Conclusion

Continued attention to the capacity and capability of the cybersecurity workforce is needed. Over time, parts of the cybersecurity field will likely reach the point where professionalization will be warranted. But blanket professionalization strategies will hinder efforts to build a national cybersecurity workforce of sufficient size, scope, and ability to meet the demands of the rapidly evolving field. The criteria set forth in the National Research Council Professionalization of the Nation’s Cybersecurity Workforce? report [2] can be used by decision-makers to judge when that time has come.

Activities by the U.S. federal government and other entities to professionalize cybersecurity should be undertaken only when the occupations and specific occupational characteristics have been defined, when there are observed deficiencies in the occupational workforce that professionalization could help remedy, and when the benefits of those activities outweigh the costs. When stakeholders believe those conditions have been met, we suggest they convene subject matter experts to outline a professionalization strategy—including timeline, process, and other implementation details.

This process will take time. But the path to professionalization of a field is slow and difficult, and not all portions of a field can or should be professionalized at the same time. Until that time, our work to develop a national cybersecurity workforce of sufficient capacity and capability should move away from overly broad generalizations based on anecdotal evidence and context-specific challenges, toward a set of targeted activities that meet identified and specific occupational workforce deficiencies.

References

1. Homeland Security Advisory Council. Cyber Skills Task Force Report. Department of Homeland Security, Washington, D.C., 2012.

2. National Research Council. Professionalizing the Nation’s Cybersecurity Workforce?: Criteria for Decision-Making. The National Academies Press, Washington, D.C., 2013.

Diana L. Burley ([email protected]) is an associate professor of Human and Organizational Learning in the Graduate School of Education and Human Development at George Washington University.

Jon Eisenberg ([email protected]) is the director of the Computer Science and Telecommunications Board at the National Research Council in Washington, D.C.

Seymour (Sy) E. Goodman ([email protected]) is a professor of International Affairs and Computing, jointly at the Sam Nunn School of International Affairs and the College of Computing at the Georgia Institute of Technology.

The views expressed in this Viewpoint are those of the authors and do not necessarily reflect those of the National Research Council, the Committee on Professionalizing the Nation’s Cybersecurity Workforce, which wrote the report, or the U.S. Department of Homeland Security, which sponsored the study.

Copyright held by author/owner(s).
