When we talk about cybersecurity, are we talking about a profession or a vocation? What should the field look like in order to provide better security for individuals, enterprises and critical infrastructure?
These questions were brought into focus by a new study published by the Pell Center at Salve Regina University, which endorses the idea of creating a professional association to address shortcomings in the security industry.
“There is a widening gap between the supply and demand of qualified cybersecurity professionals,” said Francesca Spidalieri, co-author of the study. Prepared in collaboration with Lt. Colonel Sean Kern, USAF, the study aims to raise awareness of the need for “an overarching organizational framework to develop, manage, and oversee the training, education, certification and continuous development of a qualified cybersecurity workforce.”
The framework would potentially benefit the industry as a whole and serve to support the public good, strengthening the profession in the face of a rapidly evolving threat landscape. However, to answer the original question, Jane Holl Lute, President and CEO of the Council on CyberSecurity, noted: “Security is for some, the latter, and for many, the former. Yet for still many more—including those who don’t have to do it—a job.”
There’s general agreement among many, including those of us at the Council on CyberSecurity, that the cybersecurity profession, or at least certain roles within the field, should be professionalized. Among other benefits, a professionalized workforce would provide predictability in the competence of those charged with securing our data and systems. However, the real challenges come in how we would implement such a strategy and how we would even organize to effect necessary changes.
The medical profession serves as a reference model, but there is not yet the general consensus or legal framework that would compel the same government intervention, at least for now. Whereas state-mandated licensure is the main driver in medicine, we don’t know yet if the same licensure will be required in cybersecurity, as critical as the field has grown to be.
We could look at law, but the same imperative is there—we need licensure for people who will argue before a court of law. We could look at civil engineers who build bridges, but the state is also compelled to act in the interest of public safety. Maybe the fields of accounting or architecture are closer comparisons, where regulation plays a part, particularly in setting standards of practice, but the professionalization itself is managed more by the professionals themselves.
So, whether the Federally Funded Research and Development Center (FFRDC) idea has merit or not, it may be some time before the federal government really moves in to deliberately professionalize the field. More likely, laws and regulations will begin to catch up to technology, setting some reasonable standards of due care, and the competencies necessary to implement those standards will naturally follow. Only then will certifying bodies ensure they are aligned.
In the meantime, the government will continue to serve important functions like establishing common taxonomy and reference frameworks, such as the National Initiative for Cybersecurity Education (NICE), and will continue to influence the market as a major buyer of products and services.
Furthermore, to offer a generalization, broad systemic changes tend to be driven by either a deliberate government intervention or the dynamics of the market, where new ideas and innovations play out, letting the winners set the standard.
While we wait to see how aggressively government intervenes, and as we let the open market of training programs and certifications continue to grow, a third approach is to build a broad coalition of many stakeholders and work toward professionalization through consensus. But this can be very challenging when competing interests are at stake.
In the current situation, there are already many profitable certifying bodies pitching their certifications as the best ones. Additionally, they have resisted previous attempts to establish an independent third party to “certify the certifiers.”
So, our efforts at the Council on Cybersecurity focus on tackling the challenge at two levels and from two directions:
1. Enterprise-level workforce management, by developing manpower maps, workforce management guidelines, maturity models, etc. (We are working to publish a CyberSecurity Workforce Handbook in October 2014)
2. Individual and role-level competency models, such as our Mission Critical Roles Project, as an input to Common Bodies of Knowledge (CBKs) used by existing certification bodies
1. Provider-side, by offering input to certifiers and working toward common standards
2. Buyer-side, by helping enterprises understand what and who they need as they procure products and services, and hire cybersecurity professionals
At the moment, our primary approach is focused on the buyer (or demand) side, as we believe the providers will adjust to the needs of the buyers, who are slowly but surely becoming better informed and better able to distinguish good from bad. The good providers know that it’s not just about providing a great product or service, it’s about helping the customer and buyer understand what they need to have.
By focusing on workforce development and management oriented on cybersecurity best practice, as providers, buyers and independent entities like the Council, we can further enable the much-needed professionalization of the cybersecurity workforce.
About the Author: Maurice Uenuma is the Chief Operating Officer of the Council, responsible for implementing the organization’s value proposition through its programs and activities. Maurice was formerly with Dell, where he led global, cross-functional teams to establish sales intelligence and decision support capabilities for the $8+Billion IT services business, led the market development team for a $900+Million regional business and served as the operations lead for strategic sales, applying sales best practices to the largest contract pursuits worldwide. Prior to Dell, he was with Perot Systems as a strategist on the enterprise planning group, where he facilitated strategic planning at the corporate and business unit levels. Maurice was also an officer in the United States Marine Corps, where he led infantry platoons, deployed to combat operations as a company executive officer during Operation Iraqi Freedom, and served on the general staff of 1st Marine Division.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.