A new report from the Pell Center at Salve Regina University in Rhode Island illustrates the challenges in cybersecurity and the need to fill the profession with qualified individuals, with a potential solution in “professionalizing” the career path with global standards.
“Despite the growing scope and sophistication of cyber threats and the development of cyber tools as technical weapons, there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage,” researchers at the college stated. “In cybersecurity, countermeasures are implemented to reduce risks associated with the vulnerabilities of people, processes, and technology. At present, the predominant trend to combat cyber risks among organizations across all sectors is to pursue the latest security tools and technology.”
Technology is all well and good, they added, but cybersecurity needs to be treated as a “people problem.”
“No matter how good any particular technology may be, its efficacy is limited if it is not effectively adopted and implemented by management teams and correctly used by skilled employees who follow well-defined processes. Otherwise, vulnerabilities will surface that can be leveraged by both internal and external threat actors,” said the Pell researchers. “In short, any technology for combating cyber attacks is only as good as the people who develop, implement, and maintain it.”
In addition to the fact that lack of proper training can lead to cybersecurity problems, studies show there is a major shortage of personnel available to take on the necessary security roles. What’s worse, managers in companies of every type don’t always understand their own needs.
“For those who do wish to pursue cybersecurity as a career, there is a continued lack of clearly defined roles and career paths for this increasingly-vital line of work,” the Pell researchers said. “The talent shortage in the cybersecurity labor market is exacerbated by corporate leaders who should be responsible for building a team of trusted experts, fostering a culture of security, and developing sound strategies to protect their digital investments, but instead display tendencies to treat cybersecurity as an isolated ‘IT problem’ best left to their already overwhelmed IT departments.”
The Pell study advocated introducing agreed-upon professional standards, such as those launched by the American Medical Association in the 19th century to “[accelerate] the professionalization of medicine and the establishment of minimum standards in medical training, education and apprenticeship requirements to gain entry to the profession.”
“Like the medical profession of the nineteenth century, the present cybersecurity industry features too many ‘self-taught practitioners’ who have varying degrees of knowledge and training. Unlike the medical field of the 1840’s, the cybersecurity field is increasingly chaotic and fragmented. This will continue without a unifying strategy for professionalization.”
The Pell Center called for a national professional association to be created in order to set forth a code of ethics; required training and education; accreditation; apprenticeships and internships; certification and licensure beyond what already exists; and a common body of knowledge.