Cybersecurity experts came together during a panel discussion on when and how to professionalize the emerging field on Friday at the George Washington University’s Elliott School of International Affairs.
The conversation centered around a National Academies report coauthored by Diana Burley, an associate professor in the Graduate School of Education and Human Development. “Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Future Decision-Making” examined what increased training or skills can be given to cybersecurity practitioners to professionalize the diverse and growing field. The study was sponsored by the U.S. Department of Homeland Security.
Her presentation was followed by a panel that included Ronald Layton, the deputy chief information officer of the United States Secret Service; Michael Papay, vice president and chief information security officer at Northrop Grumman Information Systems; Philip Reitinger, senior vice president and chief information security officer of Sony Corporation; and Tony Sager, founding member of the Council on Cybersecurity.
The event encompassed the goals of GW’s Cybersecurity Initiative, a university-wide effort launched last December to address and effect change in a pressing national and international issue. The GW Cybersecurity Initiative is one of the university's many interdisciplinary initiatives, which include the Global Women's Initiative and efforts in sustainability, autism and computational biology.
Director of the Cybersecurity Initiative Frank Cilluffo moderated the discussion and, along with Cybersecurity Initiative Coordinator Rhea Siers, provided brief opening remarks to the audience.
“Just yesterday, I had the opportunity to sit down with two presidents of two of the finest education institutes, GW and Auburn University. You know that this issue is top-tier and front and center when you have presidents of universities discussing curricula of cybersecurity. A lot of the discussion was very similar to the terrific Academies report Diana led,” Mr. Cilluffo said.
Dr. Burley explained the report sought to answer two questions: What is the role professionalization might play in developing the capacities and capabilities of the nation’s cybersecurity workforce, and what criteria can decision-makers use when considering this task?
Dr. Burley and her team conducted a thorough investigation of the cybersecurity field by holding three public workshops and drawing information from a range of reports and statistics. Twelve cybersecurity experts vetted the final report.
The report contends that because the nation’s cybersecurity workforce is so broad and diverse, decisions about how to professionalize the field will vary according to the role and context. Dr. Burley described that in gathering research, she found analyses that claimed the cybersecurity workforce needs 10,000 more people, while others cited up to 1 million people. Dr. Burley also explained that experts should remember the field encompasses many roles and responsibilities—there are technical cybersecurity jobs alongside roles more focused on policy or law.
“All these individual tasks make up the field of cybersecurity,” she said.
Her committee made a single recommendation: Cybersecurity entities looking into professionalization should move forward when three criteria are met. First, an occupation must have well-defined and stable characteristics. Second, there should be evidence of deficiencies that could be remedied by professionalization. Finally, the tradeoffs of professionalizing should outweigh the costs.
The panelists went through several of Dr. Burley’s points and also offered their own insights.
Mr. Sager emphasized that cybersecurity is a field where knowledge and information is constantly evolving. Ensuring that cybersecurity professionals are kept up-to-date with new skills will be crucial to the field, he said.
“If you’re in this kind of field, then our concern is how do we make the latest knowledge available to all our practitioners? It’s not the teaching, it’s the infrastructure that identifies the best practice and puts it in people’s hands,” Mr. Sager said.
Dr. Layton pointed out that when recruiting a cybersecurity workforce, the ability to collaborate is just as important as the hard skills a person brings.
“We cannot discount the social side of this,” Dr. Layton said. “Show up with a STEM degree, a great attitude and a big cup of coffee.”
Dr. Papay added that role models are critical to attracting future members of the cybersecurity workforce. He explained that the field is reaching a point where leaders and pioneers must rise to serve as an example and guide young people interested in potentially entering cybersecurity.
“We’re evolving to a spot where we’re going to have to identify those leaders… so people can say, ‘Yeah, this is a real profession now, this is where I’m headed.’ These leaders will serve as role models to the people I want to hire,” he said.
Mr. Reitinger observed further that leaders need to make cybersecurity courses and jobs “cool” in order to expand the cyber workforce. He also noted the challenge of retention, especially when “talented people working in a civilian U.S. government agency could make 50 percent more, if not double or triple, by walking out the door.”
The panelists took questions and shared thoughts on how to inspire young people to invest in cybersecurity careers, how to raise awareness of cybersecurity jobs and the role of universities in educating professionals in the field.
“This is an area that we’re going to continue to build out on, both in terms of GW and across the country,” Ms. Siers concluded.
"Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Future Decision-Making” can be downloaded here.