Cyber educators to Congress: Let us handle it

Industry, academia aim to retool programs to develop a cybersecurity workforce

Cybersecurity certification programs, universities and technical schools have failed to produce a professional workforce with the skills needed to protect our critical infrastructure, industry observers say, but they also are warning Congress against imposing federal regulations on the profession as industry and academia retool their training and educational programs.

In a survey of 700 security professionals released today, nearly three-quarters of respondents agreed there is a shortage of IT security personnel in government, and most blamed the lack of a defined career path. Nearly half said that current information security certification programs, which are increasingly required in both government and the private sector, are inadequate and do not address the needed skills.

The survey, conducted by the International Information System Security Certification Consortium, or ISC-Squared, does not identify a solution to the problem, but seven out of 10 respondents agreed that the answer was not a government-run board of examiners to oversee licensing of security professionals.

A number of industry organizations have written to Congress to push this point of view.


Related stories:

Agencies hard hit by shortage of cybersecurity pros

Cybersecurity boot camps are a start toward a skilled workforce


Some observers have identified the global shortage of cybersecurity professionals as a threat to the growth and security of an increasingly digital world economy, as well as to U.S. national security. The ISC-Squared survey focused more on the skills gap in the workforce than on the manpower shortage.

ISC-Squared is a leading certification body and issues the flagship Certified Information Systems Security Professional certificate, along with others. Organization president W. Hord Tipton acknowledged the shortcomings of professional certification programs.

The CISSP is the most popular certification, “but it’s not the solution to all of your problems,” he said. “Only for some of them.”

He also said that its requirements impose something of a career roadblock. “We probably built the wrong credential first in terms of a career path,” he said. The CISSP, established in 1993, requires five years of experience in at least two of the domains it covers, creating a five-year gap between entrance to the workforce and the possibility of professional certification. That is being addressed by the development of new, entry-level certifications.

But, “certification is just part of the answer,” Tipton said. Academic degree programs also are needed, and these are falling short in producing the quality and quantity of security professionals needed, he said.

“They are not producing the type of graduate that companies and the government are looking for,” he said. “I’ve been told by some corporate executives that they don’t even recruit at colleges because it takes too long to train the graduates.”

Tipton praised the National Security Agency's Centers of Cybersecurity Excellence program, which supports educational programs in selected universities. He said that schools are beginning to respond to the need for cybersecurity professionals but added that there are too few of them. Making changes in academia “is like turning the Titanic around,” he said.

One school that is in front of the fleet in cybersecurity is the University of Maryland University College, which has established a new Cybersecurity and Information Assurance Department in its graduate school and is offering two graduate degrees and one undergraduate degree in cybersecurity. The graduate program opened this fall with about 550 students, and department chairman Alan Carswell said he expected to have 1,000 students enrolled by spring.

“We’re oriented toward applied education, particularly in the graduate school, providing degrees that will be useful to graduates in the workforce,” Carswell said. “We detected about a year-and-a-half ago that cybersecurity was going to be a very important area for us to get involved in.”

The school recruited a panel of military, civilian government and private-sector experts to advise on the new curriculum, which was reviewed by scholars and practitioners. The classes are six-credit courses, double the usual three credits for most courses, and are demanding, but they also are completely online so that students have flexibility.

“We’re out in front,” Carswell said, but the school is not alone. Cybersecurity programs “are sprouting up like mushrooms." What distinguishes the UMUC program is that it was built from the ground up rather than from a rebranded information assurance or computer science program.

Both Carswell and Tipton agreed on the distinction between education and training and said that neither is adequate on its own. Education provides a foundational understanding that allows a graduate to hit the ground running but does not provide the job-specific skills acquired through training.

The shortfall of a college degree is that it does not have to be updated over time, as is required to maintain professional certification, Tipton said.

In a letter to several senators and representatives this summer, a group of IT industry organizations, including ISC-Squared, CompTIA, ISACA, and ISSA, warned against proposals for federal licensing or oversight of professional certification. Oversight of the profession should be left to the professionals, they said.

“Engaging our global pool of IT security subject-matter experts in the continuing development of both training and certification standards will be critical in achieving our cybersecurity objectives,” the letter states. “To add or replace with another credential could splinter and confuse a market which is consolidating and cooperating effectively.”

The letter advised further study before addressing cybersecurity workforce development legislatively and urged Congress to:

  • Identify multiple sources of information to determine the adequacy of (and gaps in) the current certification process.
  • Weigh whether current and proposed solutions support the goal of achieving a global approach to cybersecurity.
  • Carefully review empirical evidence to determine the correct approach between knowledge-based and performance-based training.
  • Ensure that certification requirements do not become overly technology-specific.

Reader Comments

Mon, Jul 23, 2012

Research indicates it takes 10 years or about 10,000 hours of work in information security to be very proficient. And there is a need for training to keep up with new technology. People certainly will leave for higher pay elsewhere. And replacing that kind of knowledge and skills is far more considering the costs to train a new person. At issue in addition is that corporate leadership are clueless as to how IT Security risk management works. Problems are likely to continue for years.

Tue, Dec 7, 2010

There are plenty of older fully qualified IT pros with advanced security skills. At Cal State Universities and in the UC system they only want to hire cheap under 30 individuals and/or those on visas from India. If you are over 45 you will be told point black that you can't teach an old dog new tricks.

Mon, Nov 29, 2010 Tech

I have a BSCS and a Masters in Information Tech with years of experience. The govt doesn't want people like me. They want kids they can pay GS9 levels to in D.C., which is fine if your living in your mom's basement. Just finished my CISSP, but don't anticipate any govt offers due to my age (40+). The govt gets what they deserve, and no pay raises for 2 years to boot! Way to go!

Thu, Nov 18, 2010 Dan

If the fedral agencies are so hard up for Cyber scurity specialist than why do they do the obvious? Provide the education they want by offering to send them to school or training and then just require a committment of time from them and if they leave early then they would need to pay back the training at a prorated amount. I think a lot of job seekers with some form a computer background would jump at the chance. I know I would.

Thu, Nov 18, 2010 Jeffrey A. Williams

Cybereducators? Well some have good clases that actually do teach good things. Others are out of date technologically speaking and should be discontinued, but often are not due to the $$ involved in them. Still others for SR. +20yr IT security professionals like me are nearly worthless and redundent.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above