Cyber educators to Congress: Let us handle it
Industry, academia aim to retool programs to develop a cybersecurity workforce
Cybersecurity certification programs, universities and technical schools have failed to produce a professional workforce with the skills needed to protect our critical infrastructure, industry observers say, but they also are warning Congress against imposing federal regulations on the profession as industry and academia retool their training and educational programs.
In a survey of 700 security professionals released today, nearly three-quarters of respondents agreed there is a shortage of IT security personnel in government, and most blamed the lack of a defined career path. Nearly half said that current information security certification programs, which are increasingly required in both government and the private sector, are inadequate and do not address the needed skills.
The survey, conducted by the International Information System Security Certification Consortium, or ISC-Squared, does not identify a solution to the problem, but seven out of 10 respondents agreed that the answer was not a government-run board of examiners to oversee licensing of security professionals.
A number of industry organizations have written to Congress to push this point of view.
Agencies hard hit by shortage of cybersecurity pros
Cybersecurity boot camps are a start toward a skilled workforce
Some observers have identified the global shortage of cybersecurity professionals as a threat to the growth and security of an increasingly digital world economy, as well as to U.S. national security. The ISC-Squared survey focused more on the skills gap in the workforce than on the manpower shortage.
ISC-Squared is a leading certification body and issues the flagship Certified Information Systems Security Professional certificate, along with others. Organization president W. Hord Tipton acknowledged the shortcomings of professional certification programs.
The CISSP is the most popular certification, “but it’s not the solution to all of your problems,” he said. “Only for some of them.”
He also said that its requirements impose something of a career roadblock. “We probably built the wrong credential first in terms of a career path,” he said. The CISSP, established in 1993, requires five years of experience in at least two of the domains it covers, creating a five-year gap between entrance to the workforce and the possibility of professional certification. That is being addressed by the development of new, entry-level certifications.
But, “certification is just part of the answer,” Tipton said. Academic degree programs also are needed, and these are falling short in producing the quality and quantity of security professionals needed, he said.
“They are not producing the type of graduate that companies and the government are looking for,” he said. “I’ve been told by some corporate executives that they don’t even recruit at colleges because it takes too long to train the graduates.”
Tipton praised the National Security Agency's Centers of Cybersecurity Excellence program, which supports educational programs in selected universities. He said that schools are beginning to respond to the need for cybersecurity professionals but added that there are too few of them. Making changes in academia “is like turning the Titanic around,” he said.
One school that is in front of the fleet in cybersecurity is the University of Maryland University College, which has established a new Cybersecurity and Information Assurance Department in its graduate school and is offering two graduate degrees and one undergraduate degree in cybersecurity. The graduate program opened this fall with about 550 students, and department chairman Alan Carswell said he expected to have 1,000 students enrolled by spring.
“We’re oriented toward applied education, particularly in the graduate school, providing degrees that will be useful to graduates in the workforce,” Carswell said. “We detected about a year-and-a-half ago that cybersecurity was going to be a very important area for us to get involved in.”
The school recruited a panel of military, civilian government and private-sector experts to advise on the new curriculum, which was reviewed by scholars and practitioners. The classes are six-credit courses, double the usual three credits for most courses, and are demanding, but they also are completely online so that students have flexibility.
“We’re out in front,” Carswell said, but the school is not alone. Cybersecurity programs “are sprouting up like mushrooms." What distinguishes the UMUC program is that it was built from the ground up rather than from a rebranded information assurance or computer science program.
Both Carswell and Tipton agreed on the distinction between education and training and said that neither is adequate on its own. Education provides a foundational understanding that allows a graduate to hit the ground running but does not provide the job-specific skills acquired through training.
The shortfall of a college degree is that it does not have to be updated over time, as is required to maintain professional certification, Tipton said.
In a letter to several senators and representatives this summer, a group of IT industry organizations, including ISC-Squared, CompTIA, ISACA, and ISSA, warned against proposals for federal licensing or oversight of professional certification. Oversight of the profession should be left to the professionals, they said.
“Engaging our global pool of IT security subject-matter experts in the continuing development of both training and certification standards will be critical in achieving our cybersecurity objectives,” the letter states. “To add or replace with another credential could splinter and confuse a market which is consolidating and cooperating effectively.”
The letter advised further study before addressing cybersecurity workforce development legislatively and urged Congress to:
- Identify multiple sources of information to determine the adequacy of (and gaps in) the current certification process.
- Weigh whether current and proposed solutions support the goal of achieving a global approach to cybersecurity.
- Carefully review empirical evidence to determine the correct approach between knowledge-based and performance-based training.
- Ensure that certification requirements do not become overly technology-specific.