A recent report on professionalization in the cybersecurity workforce confirmed the views of many government experts that the field is much too young, diverse and understaffed to begin introducing stricter standards.
Ernest McDuffie, head of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology, said NICE leaders and many cybersecurity experts already had a "presupposed view" that the cybersecurity field was not ready to be professionalized, even before a report released last week by the National Academies of Sciences came to the same conclusion. The report was a focus of the 4th annual NICE workshop held last week, McDuffie said.
“Cybersecurity is more than just a single profession; it really represents a field with a number of occupations and professions,” McDuffie told Wired Workplace. “Some of them are much more mature than others, and most if not all of them are still evolving. It would be premature to start going down the road to licensing.”
Even the certification bodies now emphasize that cybersecurity professionals must have more than the ability to pass a test; they must also demonstrate that they have hands-on skills, McDuffie said. That’s another element the professionalization report addressed – how life experience can often be equivalent to degree programs, he added.
Those elements have been a focus of the NICE initiative, so much that leaders have emphasized not only the importance of having a pipeline of top-notch cyber talent but also skilled and knowledgeable human resources professionals who can effectively discern what life experiences and skills may be equivalent to certain degree programs, McDuffie said.
“You have to be fairly sophisticated in your understanding of the cybersecurity field to really do effective human resources work,” McDuffie said. “We’re really trying to promote additional training and education in that space for those professionals as well.”
The National Academies report, which was sponsored by the Homeland Security Department, is likely to be reviewed by the White House to inform future policy decisions, McDuffie said.
Going forward, Homeland Security also is reviewing the first version of its National Cybersecurity Workforce Framework, a blueprint for categorizing and creating a common language for defining cyber jobs. The updated version, which is expected in the first quarter of 2014, will incorporate changes requested by federal workers and the public, McDuffie said.
The Office of Personnel Management also is moving forward with implementing data elements of the workforce framework, which will give government for the first time real data on cybersecurity employees and their job responsibilities in the federal government. Implementation of those data elements is expected by the end of fiscal 2014, McDuffie said. “Once we have those actual numbers, we’ll be able to do a real gap analysis about the requirements, how many workers we need and what type we need,” he said. “Once we get to that point, we can start thinking about recruitment, sustainability and succession planning.”