Cybersecurity should be professionalized

It's time to institute national standards and licensing requirements for cybersecurity professionals, Pell Center says

The time is ripe for industry and government stakeholders to consider professionalizing cybersecurity, according to a report from Salve Regina University's Pell Center for International Relations and Public Policy ( download PDF).

Demand for cybersecurity skills is increasing exponentially, but the educational, training and certification processes to prep people for careers in the field continue to be highly decentralized, ad hoc and non-standard.

"We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer codes" and create the tools needed to prevent, detect and mitigate attacks and system failures, the study said.

Too many organizations lack the right skills for building and managing secure infrastructures and for dealing with attacks. And those wishing to pursue careers in cybersecurity as a career, have few clearly defined roles and career paths, the authors of study noted.

"There remains a noticeable mismatch between [the] burgeoning demand for cybersecurity talents and the efforts under way to develop professionals who can build and manage secure, reliable digital infrastructures," they wrote.

The Pell study calls for the creation of a nationally recognized association to set professional standards and education and training requirements for cybersecurity similar to what the American Medical Association (AMA) does in the medical field.

It calls on government and industry stakeholders to consider establishing professional associations for each specialty within the cybersecurity field and to develop a common body of knowledge for each specialty. In order to professionalize the field, stakeholders will also need to establish certification and licensing requirements for each specialty as well as apprenticeship and residency requirements.

In many ways, the current situation in the cybersecurity field is similar to what existed in the medical field before it was professionalized, said Francesca Spidalieri, cyber leadership Fellow at Pell Center and one of the two authors of the report.

"There were a lot of self-described doctors, but no standards," she said. "We need some kind of focal point to gather around to foster minimum, basic standards and frameworks so people have a way to navigate the cybersecurity field."

Currently, it is difficult to determine the actual skills and abilities of professionals based on their education or certification credentials, she said. It is even harder to map those skills to real-world job requirements, she said.

"There's nothing that prioritizes different educational programs. There are no standards across different specialties. There is no single organization that can take ownership of this field" as the AMA and the American Bar Association do, Spidalieri said.

Establishing a central body to oversee cybersecurity will involve the participation of all stakeholders, including employers and educational, training and private certification institutes, she said.

One way to get started might be to set up a Federally Funded Research and Development Center (FFRDC) similar to the Department of Defense's Software Engineering Institute, she noted.

The Pell report is not the first to propose professionalizing cybersecurity. The Center for Strategic and International Studies (CSIS), for instance, put forward a similar set of cybersecurity recommendations for President Barack Obama during his first term.

Critics of such proposals have argued that the sheer diversity of the field -- and the fast pace at which cybersecurity is evolving -- make it very hard to professionalize. Many have argued that cybersecurity is too broad to be treated as a single profession and maintain that the field is still too young to be professionalized.

Alan Paller, director of research at the SANS Institute, one of the largest cybersecurity training organizations in the U.S., said professionalization is practical -- but only within the technical roles. "But more than half have non-technical roles, so it wouldn't work across the whole profession."

Where skills are measurable, in areas such as forensics, incident response and penetration testing, employers and the nation deserve a better way of ensuring a person doing the work has the right knowledge and skills, Paller said.

"If it is more general, as in security management, then the variability makes reliable assessment impossible. Note, there is no certification and professional bodies for corporate management -- only for more specific, technical areas," he said.

James Lewis, senior fellow and director at CSIS, called the Pell proposal a good one, but something that will take a long time to implement.

"You need to identify what people need to know, then find a way to train and certify them," Lewis said. "There is real resistance from some job holders who are largely self-taught and the existing certification entities, who fear their business would be threatened," Lewis said. "Think how long it took to get an AMA or ABA, and we're just at the beginning for cybersecurity."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about it careers in Computerworld's IT Careers Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityIT careers

More about ABASANS InstituteTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place