Should the IT security field be professionalized? It's not such an easy question to answer, says Ronald Sanders, the former human capital officer at the U.S. Office of the Director of National Intelligence.
Sanders, a vice president at the business consultancy Booz Allen Hamilton, is a member of a National Academy of Sciences panel that's exploring the ramifications of professionalizing IT security practitioners.
"The question began as, 'How can cybersecurity become more professionalized?'" Sanders says in an interview with Information Security Media Group [see transcript below]. "We've actually taken a step back and asked the antecedent question: Should it be? That has led us to this struggle over how to define a profession. If you define it like you would the medical or legal profession, it has consequences."
One key issue, he says, is the role formal education would play in licensing or certifying an IT security professional. "We all know of the self-taught genius who's a cyberwizard and, in my humble opinion, we can't do anything that prevents those self-taught geniuses from contributing and being part of the U.S. cyberworkforce," Sanders says.
In the interview, Sanders:
- Addresses how a cybersecurity profession could be defined, including the adoption of a code of ethics, a convention most other professionals have;
- Discusses the evolution of the characteristics of the cybersecurity practitioner; and
- Contemplates how the self-taught IT security specialist who lacks an academic degree would fit into the cybersecurity profession.
Sanders is also the consultancy's first Booz Allen Hamilton fellow and supports federal and other clients in the areas of human capital, learning and organizational transformation. He played a key role in establishing the Office of the Director of National Intelligence and the integration of the intelligence community within the U.S. federal government. Sanders also served as the Office of Personnel Management's first associate director for human resource policy, with responsibility for all service policies and programs for millions of federal employees and retirees.
Defining the Role
ERIC CHABROW: What's a cybersecurity professional?
RON SANDERS: The nature of the threat and the nature of the environment are so dynamic that it's been kind of hard to pin down. This originally started as a subset of the information technology professional, and I'll put profession in quotes because we found that word's loaded. When we say profession, do we mean like a doctor, lawyer or a pilot with licensing requirements? Just as a footnote, while those certainly ensure quality - before you want to be cut by a surgeon you would like to make sure he or she is board-certified - they tend to constrain supply.
Your opening hit it on the head. ... Cyber-experts are in high demand and short supply. That's one aspect. The other is that the profession is changing from computer network defense - building the electronic bunkers that protect an organization's networks and data, and that organization could be public or private - to something more. We've always had, for example, cyberthreat analysts who need to know things like malware and forensics. We're seeing the work evolve into cyber-intelligence analysts, people who can look at organizations or states and figure out what their cybercapabilities are and what their intentions are, sort of a classic intelligence analysis function, but in this case involving cyber. The same thing with forensics - it used to be that it was all about code, viruses and malware. Given the broad threats to an organization's networks and data, and frankly the ability to range in cyberspace to conduct commerce, I think these folks are turning more into cyberdetectives. Cyberthreats may be both electronic and physical, so the skills sets are emerging. The field is so dynamic that trying to define the cyberprofession has been problematic.
One of the defining characteristics of a profession is a code of ethics, an ethos. It's pretty clear that cyberwork ought to have one, because of the nature of that work, because of what people who do cyberwork are typically entrusted with - PII, personal information, classified information, very sensitive information that once leaked or spilled is hard to recover. If you buy the notion that's a defining characteristic, we ought to be thinking about what the ethics of cyber work look like.
Code of Ethics
CHABROW: Who would determine what those ethics should be?
SANDERS: That's another interesting question because there's no universal governing body that would even figure out what the skill sets are. I'm sure your participants are familiar with the National Institute of Standards and Technology's NICE Initiative. I wish they would get a better acronym than National Initiative for Cybersecurity Education. They deserve tremendous credit for literally coming up with a Rosetta Stone for cyberwork, especially areas of work roles, competencies, knowledge of skills and abilities for cyberwork. It's been a really fast-moving target, but the folks at NIST and their leading inter-agency team that has been working on this - I'll emphasize their leadership here - have put together a taxonomy that has remained relatively current.
Finally, for the first time, as people begin to adopt that taxonomy it lets us define the work and actually count the cyber-experts that we have working for us. Before it was like trying to count apples and oranges, and now we finally got this Rosetta Stone that lets us catalog the folks with cyberskills and actually figure out what those skills look like and then figure out how many we need.
CHABROW: You're on a panel at the National Academy of Sciences addressing whether or not the cybersecurity profession needs to be more professionalized. Can you tell us a little bit about what's going on there? What are some of the issues?
SANDERS: The Department of Homeland Security is sponsoring the study. They've asked the National Academy to conduct it so that they get as objective and independent a view as possible. The way these panels work is we've held a series of public forums in Washington, in San Francisco coinciding with the RSA conference, and then most recently in San Antonio where people can come and express their views on that question. The question began as, "How can cybersecurity become more professionalized?" We've actually taken a step back and asked the antecedent question: Should it be? That has led us to this struggle over how to define a profession. If you define it like you would the medical or legal profession, it has consequences.
As we try to figure out what the definition looks like, that definition has to be adapted to the nature of cyberwork, how dynamic it is, and then figure out whether we should adopt some sort of licensing and certification regime for the U.S. cyberworkforce, whether that will, on one hand, improve quality but, on the other hand, potentially decrease supply. I will speak personally here, not on behalf of the panel [because] we're still doing our work. We all know of the self-taught genius who's a cyberwizard and, in my humble opinion, we can't do anything that prevents those self-taught geniuses from contributing and being part of the U.S. cyberworkforce. That too is one of the questions we're struggling with.
CHABROW: That could be a problem if there are certain standards to define a profession, such as education standards. I've heard from many people that one of the problems some organizations have is that they ignore people who may have the smarts but don't have the degrees.
SANDERS: Right. The work is evolving. It's now becoming as much a matter of analytic skills and critical-thinking skills as it is having the technical knowledge. As [the profession] evolves from analyzing cyberthreats and malware to analyzing state or non-state actors, cybercapabilities and intentions, it requires a slightly different skills set: less technical, more analytical and reasoning skills, [as well as] critical-thinking skills. You can't do anything that excludes people who have skills in those areas from being part of the workforce. Supply is tight enough.
Supply Chain of IT Security Pros
CHABROW: How tight is that supply, or could it be that we're looking in the wrong areas to find people who can do those skills?
SANDERS: We all know intuitively that it's tight, because the market for really, really good cyber folks is very competitive. Booz Allen contributed to a study that (ISC)² did most recently, the Global Information Security Workforce Study. It had good news and bad news in it. It said that the cyberworkforce people who have these skills, even as amorphous as the definition may be, has grown by about 11 percent. That number was derived by surveying lots and lots of folks who conduct cyberwork. The bad news here is that it's not growing fast enough to keep pace with demand, and that demand upticks every time there's a headline. Everybody who's listening in on this program probably knows what's going on in U.S. Cyber Command and other parts of the federal government. They're in the market for even more folks with cyber skills, and that's just going to increase the competition for them.
Improving the Pipeline
CHABROW: Sounds very hopeless. Is it?
SANDERS: On the plus side, stemming from some of the work that NIST has done with the National Initiative for Cybersecurity Education, we're beginning to focus on the long-term pipeline, K-12 and higher education. DHS and NSA certify so-called centers of academic excellence; they actually certify colleges and universities that have met their high standards for curricula in information assurance and now, I believe, cybersecurity.
It takes a while for that extended pipeline to work, but it's beginning to work as more and more people - especially younger people - are getting interested in this kind of work. But that takes a long time to respond. It's not growing nearly as fast as demand, but hopefully at some point in the future it will reach equilibrium. In the meantime, there's lots of work for cyber folks. There's lots of work for the colleges and universities that train them, as well as the other training providers, like SANS Institute, to take raw material, get folks up to speed and then get them at terminals doing this kind of stuff.