How to build a better cybersecurity workforce

By Suzanne Kubota
Senior Internet Editor

There’s a critical shortage of cybersecurity professionals. The questions are how to fix the problem and what the problem is.

“The problem is both of quantity and quality,” according to a recent report from the CSIS Commission on Cybersecurity for the 44th Presidency.

“It is the consensus of the Commission that the current professional certification regime is not merely inadequate; it creates a dangerously false sense of security….”


But certification is not the problem if you ask front-line information security professionals from government and industry, says ISC-squared.

So they did.

In the Survey on Human Capital Crisis Recommendations, ISC-squared asked 700 information security professionals for their thoughts on the CSIS proposals for professional licensing through testing and the creation of an examination review board.

When asked “Do you believe a government-run Board of Examiners would close this gap (between existing certification programs and the specific cybersecurity skills that are needed in the workplace)?” 69.0% said no.

Hord Tipton, executive director of ISC-squared and a former CIO at the Interior Department, told Federal News Radio, “licensing is trying to solve the wrong problem.”

Instead, said Tipton, the long-term solution “really must be built…and sustained upon the existing education, training and certification infrastructure.”

A licensing board that would “make it illegal to practice IT security without a license,” said Tipton, would be a major setback both to work that has already been done and to meeting the shortage of people.

While he agrees there does need to be oversight, “we must clearly define what the problems are and then develop a plan about going about doing that.”

One of the problems discussed in ISC-squared’s survey is the lack of a career path.

If you talk to any security professional, you won’t find a high percentage that actually started out with the intent of being an information technologist or specifically an information technologist specializing in security. We do not have the academic base that’s longstanding like the medical profession, legal profession, even the accountants and CPAs. Those are well entrenched within the academic system and people can come up and there’s a very familiar career path.

“What we need to do,” said Tipton, “is work with schools to build a pipeline.”

And not just the government. Tipton said the effort should involve every stakeholder. “We have to work together. It really doesn’t matter who does it. There’s plenty of room here for everyone. We shouldn’t toss out or ignore things that are established.”

This story is part of Federal News Radio’s daily Cybersecurity Update brought to you by Tripwire.