Professionalizing the Cybersecurity Workforce

Aland Kuang University of California, Los Angeles

Introduction
Ever since humanity has discovered the power of computers,
we also have been finding ways to exploit them, and so
emerges the field of cybersecurity. Lie the many innovations
that other computer science fields en!oy, cybersecurity
experiences its own maturation. "rom the first self#replicating
program, to the first information warfare policy, and to
$tuxnet, cybersecurity has come a long way. Even though we
have many papers of %enial of $ervice Attacs &%o$', we do
not have a clear picture of how to organi(e our cyber defense
tas forces. )he Committee on *rofessionali(ing the +ation,s
Cybersecurity -orforce was tased to examine this very
issue. At the end of their report, they concluded that .whether
and how to professionali(e /cybersecurity0 will vary
according to role and context.1
2&p34'
-hile indeed
cybersecurity is a complex field, it is not only important that
cybersecurity professionals be held at similar standards but
also academic institutions must also contribute professionals
to the field.
What is Cybersecurity?
At its core, cybersecurity .focuses on protecting computers,
networs, programs and data from unintended or
unauthori(ed access, change, or destruction.1
5
A specialist
often ensures an organi(ation,s security protocol is strictly
followed but also implements defense mechanisms that deter
infiltration. 6t seems that this is a highly technical !ob but in
fact, it also re7uires understanding how attacers thin and
how policies should be managed. "or instance, a computer
forensics specialist should understand how to reconstruct a
suspect,s computer session and also how the law re7uires
court evidence to be handled. As we can see, cybersecurity is
an interdisciplinary field that fans out into a wide range of
applications, and thus, difficult to organi(e into a coherent
definition.
Why Consider Professionalization?
6t is 7uite reasonable to thin that cybersecurity is a field that
should not be professionali(ed. A goal of professionali(ation
is to regulate the worers by means of enforcing codes of
conduct and ethics. )hese regulations may hamper the wor
of a cybersecurity specialist because combating cyber threats
often re7uires flexibility and maneuverability around a
system,s control mechanisms. -hile this is a legitimate
concern, since cybersecurity wor often deals with sensitive
information, it is important that employers now that their
employees are held at a certain standard of conduct by
another controlling entity. "urthermore, professionali(ing
often .enhance/s0 public trust and confidence.1
2&p89'
)rust and
confidence are probably the most important factors for a
cybersecurity worer to ride upon. :therwise, not only may
the specialist lose their !ob, it limits their ability to do their
wor without having to report their every movement to the
supervisors. ;oreover, having a professional title garners
respect from the public because the !ob is not something that
any ordinary person can pic up but rather it re7uires honing
and specific sill sets that cannot be easily learned without
proper guidance. As we can see, there are many reasons to
professionali(e cybersecurity and the benefits liely outweigh
the negatives.
Demand and Supply
6n order to !ustify the need to professionali(e cybersecurity
worers, we must first identify that there is a demand for
professionals from employers and the sheer number of
available worers. According to the <ureau of Labor
$tatistics, employment is !ust over =>>,>>> for the occupation
.information security analysts.1
2&p5'
-ith such a vague !ob
title, it is very difficult to measure the demand for
cybersecurity worers. 6f we do choose to professionali(e this
!ob, then it will be more simpler to estimate the demand for
worers and subse7uently, the supply for the available !ob
title because we will have created a more concrete !ob
description. )hus, rather than asing companies about their
need for .information security analysts,1 we will be able to
as specific professions in cybersecurity about their demand
in industry.
Professionalization
A big issue about professionali(ation is how we go about
professionali(ing cybersecurity. )he common method to do
this is through certification. ./Certification serves0 as an
indication of nowledge at a particular point in time.1
2&p85'

6ndeed, certification is important to employers because an
employer would be able to have a basic understanding of the
nowledge of the prospective employee and that they are
being held at a certain ethical standard by the occupation.
Examples of current professionally recogni(ed certificates
include Certified 6nformation $ystems $ecurity *rofessional
&C6$$*' and Certified *enetration )ester. ?owever, some
employers don,t regard certification as a necessity@ rather,
they loo at experience and educational achievements.
"urthermore, it has been noted that the more silled
cybersecurity specialists don,t hold any certification and this
can seriously hurt the pool of silled applications. <ecause
cybersecurity has a large range of worer types, certification
may not be the route to go when considering
professionali(ing cybersecurity.
Recommendation by Report
)he authors conclude that
.activities by the federal government and other entities to
professionali(e a cybersecurity occupation should be
undertaen only when that occupation has well#defined and
stable characteristics...1
2&p3A'
6n a sense, the report suggests that professionali(ation should
be postponed. Each occupation in cybersecurity is continually
changing as new threats emerge as a result of innovative
technology that is being created every year. )his is definitely
the accurate approach. -ith all the flurry of demand for
cybersecurity worers, we should not immediately conclude
that cybersecurity needs a professional title. -e need to
openly discuss this and act accordingly as the community sees
fit. )his report is the starting point and from here, our next
step is to thin about more ways of professionali(ation, and
more importantly, who should perform the
professionali(ation.
Future is ducation
-hile we wait until each profession has matured, we should
focus on the education aspect of cybersecurity, that is,
training our future cybersecurity professionals. )he first step
is for academic institutions to tae charge and we are seeing
this happen right now. Cal *oly recently opened the Cal *oly
Cybersecurity Center funded by +orthrup Brumman
=
and the
University of $outh "lorida is proposing to build the "lorida
Center for Cybersecurity
4
. -hen universities offer these
programs, the pool of cybersecurity worers will increase as
more students will be able to enroll and learn specific sills
and nowledge re7uired to wor in the field. "urthermore,
governments of all levels and corporations should help fund
these initiatives. Establishing the first stepping stone for
prospective cybersecurity professionals should be a concerted
effort by the whole community.
)he next step is to develop a practical and lean curriculum for
the students and to update our existing curriculum. )he
6nformation $ecurity Curriculum produced in 8AA4 .does not
address /the0 cyber#threats currently faced.1
8&p2'
6n order to
prepare students for fieldwor, the curriculum must cover
preparation, defense, and action, the common mentality of
cybersecurity specialists. )o build upon this sill set,
institutions should provide lab wor for students as cyber
defense demands a more practical approach to teaching. All
of these assets will build a valuable toolbox for students to
tae with them once they enter the field.
Why is ducation Important?
Education does not only help students prepare for industry but
also helps the industry,s organi(ation. )he ultimate goal we
hope is to have cybersecurity, or its sub#fields,
professionali(ed. -ith academic institutions taing the
charge, curriculum will be developed for many cybersecurity
!obs. Cuite possibly over time, refinements will be done to a
curriculum and possibly even more defined occupations will
be created. All of this benefits the progress towards
professionali(ation because there will be more defined !ob
descriptions for each aspect of cybersecurity. "rom there, we
will have a systematic way of bringing a person from a
student to a licensed professional. )hus, rather than fumbling
around countless certifications, we should turn to education
and universities for the solution to professionali(ation.
Conclusion
)he debate about professionali(ation is !ust getting started.
-e have made the first step of identifying a possible need to
professionali(e cybersecurity and have even made some
suggestions as to when and how we should go about this
process. -e should consider pushing universities to tae
charge in preparing the students for field wor and at the
same time shape the very definitions of each profession
within cybersecurity. )he pathway to professionali(ation will
be much more well#defined and in turn, cybersecurity will
begin a new chapter in its history.
References
8. Estrom D, Lunt <, Eowe %, editors. *roceedings of the
3>88 conference on 6nformation technology education@
3>88 :ct 8A#33@ -est *oint, +F. +ew ForG AC;@ 3>88
:ct 3>. A p. doiG 8>.8842H3>452A4.3>4593I
3. Evans J, Eeeder ". A human capital crisis in cybersecurity.
-ashington %CG Center for $trategic and 6nternational
$tudies. 3>8> +ov. 49 p. Available fromG
httpGHHdspace.cigilibrary.orgH!spuiHbitstreamH83=4295IAH=>
>AIH8HAK3>?umanK3>CapitalK3>CrisisK3>in
K3>Cybersecurity.pdfL8
=. Bonslaves. A. Cal poly !oins national cybersecurity
educational effort. *C Advisor /6nternet0. /*lace
Unnown0G /*ublisher Unnown0@ 3>8= /updated 3>8=
+ov 35@ cited 3>8= %ec =0. Available fromG
httpGHHwww.pcadvisor.co.uHnewsHsecurityH=4A8398Hcal#
poly#!oins#national#cybersecurity#educational#effortH
4. ?ayes, $. U$" could become a hub for cybersecurity
training. )ampa <ay )imes /6nternet0. 89 +ov 3>8= /cited
3>8= %ec =0. Available fromG
httpGHHwww.tampabay.comHnewsHeducationHcollegeHusf#
could#become#a#hub#for#cybersecurity#trainingH3823I==
2. +ational Academy of $ciences &U$'. *rofessionali(ing the
nationMs cybersecurity worforceL /6nternet0. -ashington
%C &U$'G +ational Academies *ress. c3>8= /cited 3>8=
%ec =0. Available fromG
httpGHHwww.nap.eduHopenboo.phpL
recordNidO8I449PpageOE3
9. *erera, %. "ierceBovernment6) /6nternet0. /*lace Unnown0G
/*ublisher Unnown0@ 3>8= /updated 3>8= $pep 8I@ cited 3>8=
%ec=0. Available fromG
httpGHHwww.fiercegovernmentit.comHstoryHcybersecurity#
occupation#not#profession#says#reportH3>8=#>A#8I
5. University of ;aryland University College /6nternet0.
Cybersecurity primer. /*lace Unnown0G /*ublisher
Unnown0@ /date unnown0 /cited 3>8= %ec =0. Available
fromG httpGHHwww.umuc.eduHcybersecurityHaboutHcybersecurity#
basics.cfm