By: JOHN R PLATT, IEEE
Do you know how to become a cybersecurity professional? Do you know what courses to take, which certifications are needed, and what skills employers require? As a hiring manager, can you assess whether your new hire knows how to write secure mobile apps, defend systems against cyberattacks, or protect customer credit-card data?
The truth is, not many people can answer those questions. And that uncertainty, experts say, is a problem for the cybersecurity industry. Its rapid growth during the past decade has led to an unclear educational path for students. There is also an absence of generally accepted qualifications that tell hiring managers and human resources departments which job candidates have the right experience and credentials.
“This confusion causes the profession to grow less efficiently than it could,” says IEEE Senior Member Greg Shannon, chief scientist for the CERT Division at Carnegie Mellon University Software Engineering Institute, in Pittsburgh, and chair of the IEEE Cybersecurity Initiative. “People can’t say, ‘These are the credentials I need’ and ‘This is how much it is going to cost me to get them.’”
The lack of clarity, Shannon says, has contributed to a widespread shortage of trained, experienced cybersecurity professionals. It has also made it harder for employers to hire people with the right skills: HR reps find themselves confronted with a variety of certifications from about two dozen organizations.
“There are people out there who are being positioned, rightly or wrongly, beyond their skills to address cybersecurity,” Shannon says. “Meanwhile, not enough new people are entering the profession to fill the void.”
LET’S SET STANDARDS
To bridge the gap, researchers from the Pell Center at Salve Regina University, in Newport, R.I., are calling on the cybersecurity industry to create professional standards for those in the field. In July, they issued “Professionalizing Cybersecurity,” a report that calls for an overarching professional association to create clear paths for a variety of careers.
“What we propose is not just a way to put more people in the pipeline,” says Pell Fellow Francesca Spidalieri, who coauthored the report with Lt. Col. Sean Kern, a Pell Center adjunct fellow with the U.S. Air Force. “It is also about guaranteeing that those in the industry reach the highest professional standards.”
The industry has tried to respond to the needs of the marketplace by developing certifications and other educational standards for various career paths. However, these have sprung up individually; they often overlap one another while still leaving gaps.
The report found that cybersecurity is composed of 31 different specialties dealing with such areas as information assurance compliance, systems security architecture, and digital forensics. These specialties are served by at least 23 different certification programs from such organizations as the American Society for Industrial Security, the Computer Security Institute, and the International Society for Professionals in E-Commerce. Plus, the field is rife with conflicting definitions and competing requirements.
Universities should establish a more unified educational path for students interested in a cybersecurity career, Kern says, noting, “There are no nationally or internationally accredited programs that universities can adhere to and publicize in a way that a student can say, ‘That’s where I can obtain the kind of education I need to get started in the cybersecurity profession.’”
LEARNING THE LANGUAGE
The Pell report offers recommendations for developing a more organized cybersecurity profession, including establishing clear bodies of knowledge and educational paths for the 31 workforce specialties.
“You really have to have that body of knowledge, along with some means of assessing if a person understands that knowledge and can apply it creatively against whatever problems an organization faces,” Spidalieri says. “That’s the language of a profession.”
There are many different roles to fill in cybersecurity, says IEEE Senior Member Gary McGraw, chief technology officer of Cigital—a software security firm in Dulles, Va.—and a volunteer for the IEEE Cybersecurity Initiative.
“Each role needs to have its own education and experience path,” McGraw says. “If you think of security like medicine, you need first responders, nurses, doctors, brain surgeons, and everything in between.”
The largest cybersecurity certification program, the Certified Information Systems Security Professional (CISSP), would serve the emergency medical responders, nurses, and maybe doctors, but it wouldn’t help the brain surgeons and other specialists, McGraw says.
“Organizing a common body of knowledge in any area is always useful,” he says. “A CISSP certification guarantees only that you have a modicum of knowledge about a swath of cybersecurity. Your knowledge may be wide but not very deep.”
Spidalieri and Kern also call for each specialty to develop its own code of ethics, something currently lacking. “Part of what we learn in engineering these systems correctly is how to break in,” McGraw says. “You need to break into systems and find security flaws before hackers do.” Otherwise, he points out, some will use those same skills for nefarious purposes.