The Thousands of serious cyber attacks occurring daily high- light the critical need for a workforce with the requi- site skillset and of sufficient
size to meet growing and increasingly
complex demands. Yet despite significant investments in the development of the cybersecurity workforce
from governments across the globe,
the U.S. and many other nations lack
a sufficient supply of well-trained cybersecurity professionals. It is often
argued that this workforce shortage,
and the consequent openness to attack, is a pressing security threat facing the U.S.
such as certification, licensure, and
skill-based competency exams—has
been advanced as a strategy for creating a workforce capable of addressing the growing cybersecurity threat.
To explore this argument, the U.S.
the Cybersecurity Workforce
Department of Homeland Security
sponsored a National Research Coun-
cil committee, which we led. What fol-
lows are insights largely drawing on
the study and although the impetus
for asking the question at this mo-
ment came from the U.S. government,
the issues and analysis would have
general applicability. Our key ques-
tion was: What is the role that profes-
sionalization might play in enhanc-
ing the capacity and capability of the
U.S. national cybersecurity workforce?
This question led to a complex mosaic
of answers to the cybersecurity work-
Despite descriptions of the cybersecurity workforce as a “profession”—
meaning a single occupational category, it is not. Rather, cybersecurity
is a broad field comprised of many
occupations spanning the range
from highly technical to the manage-ment- or policy-oriented. Some of
these occupations may be ready for
professionalization, while others are
privacy and security
help address the
Evaluating the trade-offs involved
in cybersecurity professionalization.
of the cybersecurity
meaning a single
category—it is not.