Pitfalls of Professionalizing InfoSecRaising Barriers to Filling Cybersecurity Jobs
Don't think of cybersecurity as a profession; consider it as a field, says workplace expert Diana Burley. Yet, she says, some occupations within the cybersecurity field could be deemed professions.
But Burley, an associate professor at the Graduate School of Education and Human Development at George Washington University, sees trade-offs when professionalizing an occupation. "On the positive side, professionalization can set a standard set of core values and ethical standards," Burley says in an interview with Information Security Media Group (transcript below). "It can raise the stature of that particular occupation in the eyes of the public."
A disadvantage in her view: "It narrows the supply pipeline for individuals to enter that field because it raises the barriers to entry."
Cybersecurity is experiencing a shortage of individuals to fill vacant jobs in government and industry, so professionalizing certain occupations could hinder the recruitment and retention for those positions by limiting the pool of qualified candidates, she says (see DHS's Huge Cybersecurity Skills Shortage). For instance, a professional designation could require a bachelor's degree, disqualifying individuals who gained the right skills by pursuing an associate's degree at a community college.
"We really have to take an approach that looks specifically at each category [of cybersecurity] and makes determinations about what the goals of professionalization would be for that category, and then what the proper mechanisms for professionalization might be," says Burley, who co-authored the just-published report from the National Academies, Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making.
In the interview, Burley:
- Defines what makes a professional and explains why cybersecurity as a field doesn't qualify as one;
- Discusses the pros and cons of deeming an occupation within the cybersecurity field a profession;
- Addresses a finding of a National Academies' National Research committee she co-chairs that many cybersecurity occupations require specialized knowledge and some form of intensive advanced training but they haven't sufficiently crystalized into specific professions.
Burley's academic research addresses the understanding of knowledge management initiatives, IT and cybersecurity education and workforce development strategies. She holds two masters of science degrees, one in public management and policy and the other in organization science, as well as a Ph.D. in organization science and information technology from Carnegie Mellon University.
Defining a Profession
ERIC CHABROW: Before we address the question regarding professionalizing the cybersecurity workforce, first define what a profession is.
DIANA BURLEY: A profession starts as an occupation. It moves forward from there where there are professional boundaries associated with that so that we know exactly what activities, skills and knowledge requirements there are for that occupation. But then there are additional criteria that are required for the individuals to perform the work - whether there are ethical standards, educational requirements and certification requirements - something that sets them apart from other people who might perform the duties in that role but not in a professionalized manner.
CHABROW: Where do we stand now with cybersecurity?
BURLEY: We have a mix of people who work in cybersecurity, and I think one of the first takeaways from our report is that cybersecurity should not be considered a profession. It should be considered a field ... [which] is made up of many different occupations, some of which should be professionalized and some of which should not.
CHABROW: Can you give an example or two?
BURLEY: Our committee's work stopped short of identifying which specific occupations ought to be professionalized. What we did is we defined a set of criteria that individuals within the field ought to use in order to determine whether or not a specific occupation should move along the path toward professionalization, depending upon the particular goals of professionalization for that occupation.
Impact of Professionalization
CHABROW: What would be the impact of professionalizing some of these occupations?
BURLEY: There are tradeoffs with professionalizing any occupation, and the tradeoffs are both positive and negative. On the positive side, professionalization can set a standard set of core values and ethical standards. It can raise the stature of that particular occupation in the eyes of the public. It can raise public trust. It can set a certain level of skill requirements and skill expectations for individuals within that particular occupation.
But professionalization also has consequences. It shortens the supply or narrows the supply pipeline for individuals to enter that field because it raises barriers to entry. It adds additional requirements. Professionalization activities have to be done a very thoughtful way to make sure that the professionalization mechanisms do, in fact, match the professionalization goals for the occupation.
CHABROW: Who determines whether a certain occupation or field is a profession? There's no formal certification, is there?
BURLEY: There's no formal certification certainly inside of security, and, to a large extent, the members of that field make some determination about where they believe the occupation is on the spectrum of professionalization and they can work together to determine when different activities are necessary. If there's an external body that has some role and that's made up of government entities or members of that particular occupation, they can work together to make those determinations. It can vary.
If we have a core set of knowledge and skills, and we know what individuals in that particular occupation need to know and do, then we can begin to address some of the professionalization mechanisms. But it all depends on the goal. If the goal is to raise the standard of quality for individuals performing that job, then particular professionalization mechanisms, such as requiring skill-based exams, degrees or certifications, might be appropriate mechanisms to professionalize those occupations. If, on the other hand, it's not a question of the quality of the skill set of the individuals but a question of quantity and needing to have additional people enter the workforce, then there are other mechanisms that they might need to undertake.
Shortage of Government Cyber Positions
CHABROW: [With] the federal government, there's a DHS [inspector general] report that came out talking about a shortage of cybersecurity positions in the Department of Homeland Security. Would professionalization at all have any impact on that? There's a big discussion going on right now about defining different occupation categories.
BURLEY: There's a big discussion about that right now, and part of the challenge that we found with reports such as the one that you cite is that the specific occupations weren't necessarily associated with specific professionalization activities. It's our feeling that a blanket approach to professionalization activity will do more harm to the development of the cybersecurity workforce than good, and so we really have to take an approach that looks specifically at each category and make determinations about what the goals of professionalization would be for that category, and then what the proper mechanisms for professionalization might be.
Finding People in a Professionalized Field
CHABROW: Would professionalizing a specific occupation at all make it more difficult to find people in that area?
BURLEY: Yes it could. For example, for many entry-level positions in the federal government, there's a bachelor's degree requirement. For some of ... the technician-type positions, students are able to get the skills through a community college and get an associate's degree. They could pass a test that would be a skill-based test to show and demonstrate that they have the requisite skills and abilities to do the job. But the professionalization mechanism that takes place is that bachelor's degree requirement. In that instant, what the professionalization mechanism is doing is it's actually making it more difficult to fill those positions without respect to whether or not the individuals vying for those positions have the requisite skill set. That's what we mean when we say that we really have to understand what the goal of the professionalization activity is and to make sure that the goal matches the particular mechanism that has been put in place to professionalize the occupation.
CHABROW: Should the government be careful in defining different occupations because you could end up excluding qualified people if you try to approach it in what's recognized as a professional manner?
BURLEY: They should be careful in determining professionalization activities and shy away from blanket approaches to professionalization. There's no one-size-fits-all. Rather, look at occupational category by occupational category and determine what the goals of professionalization for that particular category are. Then, apply appropriate professionalization mechanisms to meet that goal.
InfoSec's Rapid Evolution
CHABROW: Information security rapidly evolves and so do skills required to secure it. Occupations that no one ever heard or imagined existed maybe a decade ago have become commonplace. Is such a rapid change a hindrance in the field of cybersecurity in these certain occupations to be determined as a profession?
BURLEY: Absolutely. One of the key criteria for moving forward with the professionalization effort is that you're able to identify that core set of knowledge that everyone in that profession needs to have. ... [T]he field is rapidly evolving in such a manner, either because the technology continues to evolve or the nature of the threat continues to evolve. ... It doesn't have to be completely stable, but it has to be stable enough that we're able to identify the basic core set of skills and abilities that an individual practicing in that occupation needs to have. Then, it's very difficult for us to design professionalization activities that would make sure that the individuals do in fact have that knowledge. That's absolutely a concern.
CHABROW: I know many people with different types of skills or occupations and they actually move about from one occupation to another within the cybersecurity field. Is that different from other professions or not?
BURLEY: It seems to be more pervasive in cybersecurity. I think there are really two pieces to your question. One is that many individuals who consider themselves to be a part of the cybersecurity workforce also consider themselves to be a part of another workforce, whether that's a general IT workforce, law enforcement workforce or some other aspect of their job, so they're hybrid cybersecurity workers. When you put professionalization mechanisms in place for the cybersecurity aspect of the job, it takes time and attention away from the activities that they have to maintain for the aspects of their jobs, often times the overwhelming majority components of their job. So, there's a challenge there for individuals to sit in these hybrid roles where cybersecurity is not the only thing that they do.
The other piece of that is, part of defining an occupation is that there are occupational boundaries that clearly distinguish one occupation from another. In addition to those boundaries are career pathways that are in place. When you have individuals who might have other components to their job, they might move about and their jobs frequently change. It's very difficult to identify your pathways and the occupational boundaries that would allow them to identify with that specific occupation, again hindering their ability to engage in professionalization activity.
CHABROW: You spent a lot of time and effort to produce this report. What do you hope the outcome of the report is?
BURLEY: I hope that people will take a step back from some of the blanket approaches to professionalization and really begin to understand that it's not a question of quality or quantity, but it's a question of alignment and making sure that we're putting the right approaches in place that will help us to fill the cybersecurity workforce of both the highest quality and sufficient quantity to meet the needs of the nation.