The Case for Professionalizing Cybersecurity

The shortfall of cybersecurity professionals in this country has been estimated at anywhere from 30,000 to 100,000. There are several initiatives designed to address this, including the Council on CyberSecurity's U.S. Cyber Challenge and the National Centers of Academic Excellence, sponsored by the National Security Agency and the Department of Homeland Security. These and similar efforts may increase the supply of qualified cybersecurity professionals, but it will take time.

The problem is exacerbated by the fact that, as with any relatively new profession, tens of thousands of individuals claim competence in cybersecurity, and it can be hard for an employer — or any organization — to judge. Early ­efforts to develop credentials, although well intentioned, were based on knowledge testing and unmonitored experience.

In a 2010 report prepared under the auspices of the Center for Strategic and International Studies, my colleague, former federal CIO Karen Evans, and I suggested the country needed to develop more rigorous professional credentials as part of a robust cybersecurity program. Our report, "A Human Capital Crisis in Cybersecurity: Technical Pro­ficiency Matters," emphasized security automation to relieve cybersecurity staff of repetitive tasks, "including but not limited to configuration and patch management." We also urged building on existing work to develop a taxonomy of high-level cybersecurity specialties and certifications that would help drive education and training. And we suggested that the federal government, by virtue of the size of its own cyberinfrastructure, lead by example.

The Flip Side

Last year, the Computer Science and Telecommunications Board of the National Research Council issued a report titled "Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making." Much to our surprise (and dismay), the distinguished panel concluded, in part, "Cybersecurity is a young field, and the technologies, threats and actions taken to counter the threats that characterize the endeavor are changing too rapidly to risk imposing the rigidities that typically attend professional status." The panel recommended, "Activities by the federal government and other entities to professionalize a cybersecurity occupation should be undertaken only when that occupation has well-defined and stable characteristics."

I strongly disagree and would submit that similar arguments might have been made about the practice of medicine in the first quarter of the 20th century. What can organizations do now to protect their critical cyber resources?

• Pay attention to the basics and observe good computer hygiene. There is ­empirical evidence that implementing the Council on CyberSecurity's 20 Critical Controls for Effective Cyber Defense can dramatically reduce organizational risk. Think of it as similar to washing your hands ­frequently during cold and flu season.
• For new systems, ensure that security is built into the system development process — that it is baked in, not bolted on. Can you imagine building a bridge without regard to stress and load, and then asking safety engineers to fix it?
• Deploy automated tools, such as the Center for Internet Security's Configuration Assessment Tool, or one of a growing number of commercial automated tools that can help in continuous monitoring and mitigation.
• If your organization faces higher risk, insist that so-called cybersecurity professionals have demonstrated successful, practical experience in the role you assign them — for example, intrusion detection or network administration.
• Support the development of more rigorous credentials. The poster child for such an effort is work funded by the Energy Department to develop a competency-based job performance model for operators of the smart grid.

Cybersecurity is indeed a dynamic field, and threats seem to change by the minute. Waiting for the field to stabilize, however, is a dangerous notion. With almost daily reports calling into question the robustness of our cyberinfrastructure, now is not the time to engage in a theological debate. There are things we can and must do now to shore up the nation's cyberdefenses.