How do you define a cybersecurity “professional’?

Would slapping “professional” label create barriers to entry that inadvertently screen out suitable cybersecurity candidates?

How or should the cybersecurity workforce be formally professionalized?  The National Research Council this week issued a report that looks at the issues around how to professionalize a field it describes as so broad and diverse it could be hard to even treat it as a single occupation or profession.

"Many aspects of the cybersecurity field are changing rapidly, from new technologies to the types of threats we face to the ways offensive and defensive measures are carried out," says Diana Burley, associate professor of human and organizational learning at the George Washington University  and co-chair of the committee that wrote the report entitled 'Professionalizing the Nation's Cybersecurity Workforce?.' "Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment."

[NEWS: The world's craziest contraband]

The group wrote that professionalization might involve prolonged training and formal education, knowledge and performance testing, or other activities that establish quality standards for the workforce.

The report suggests that "professionalization measures in the field of cybersecurity should only be undertaken for specific occupations that have well-defined and stable characteristics, when there are observable work force deficiencies that professionalization could resolve, and if the benefits of professionalization outweigh the costs."

Professionalization has the potential to attract workers and establish a long-term path to enhancing quality of the work force, but measures such as standardized education or requirements for certification all have associated advantages and disadvantages. The report lists a number of trade-offs that should be weighed carefully by employers, professional organizations, and governments when deciding whether and how to undertake professionalization activities, the National Research Council said.

For example, education certificates or formal certification can be helpful to employers who otherwise may find it difficult to evaluate the skills and knowledge of job applicants.  But it takes time to develop common curricula and reach consensus on what core knowledge and skills should be assessed.  Once a certification is issued, those standards run the risk of becoming obsolete, and workers may not have incentives to update their skills.  In addition, some of the most talented individuals in cybersecurity are self-taught, and the requirement of formal education or training may deter potential employees from entering the field the National Research Council said.

Over time, professionalization could help build a higher quality work force with a standardized set of specific skills and help employers identify the best candidates to meet their needs.  But this should be weighed against the changing context of cybersecurity that includes both evolving threats and fluid job responsibilities.  Although some measures can help increase awareness and desirability of the profession and increase the number of individuals who consider cybersecurity as a career, they can also create additional barriers to entry that inadvertently screen out suitable candidates, discourage out-of-the-box thinking, and narrow the pipeline of potential workers.  Careful consideration of these potential effects will help inform decisions about whether and how to professionalize the field of cybersecurity, the report says.

While there are indications that demand will continue to be high for cybersecurity workers, the evolving nature of the field makes it difficult to forecast the number of workers that will be required or the mix of knowledge and skills that will be needed, the report says.

Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook

Check out these other hot stories:

FBI warns "Beta Bot" malware can kill your anti-virus programs, steal data

Energy Department spends $30M to bolster utility cybersecurity tools

Orbital Science just made private space arena way more interesting

DARPA hunts airplane-like spacecraft that can go Mach 10

MIT team says space weather has taken out satellites

Air Force whacks 52-year old space fence

NASA: Voyager spacecraft has crossed over into interstellar space

Fearless IT guy trying to fly across the Atlantic on helium balloons

Obvious?  Not so much:  TSA reminds you not to travel with hand grenades

"Oddball" asteroid - the  third largest near-Earth rock -- is really a comet

Copyright © 2013 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022