Are cybersecurity jobs a profession or a vocation? When we consider the current cybersecurity labor shortage, our existing assumptions about the nature of cybersecurity jobs may exacerbate the shortfall. For this reason, we may need to consider new ways of thinking about cybersecurity jobs and the appropriate institutional structures that need to be put in place to rapidly increase the available workforce.
When we look at the broader labor market, there is a clear distinction between certain job categories. Whether in the military (enlisted vs. officer), healthcare (med techs vs. doctors/nurses), or manufacturing (blue-collar vs. white-collar), this distinction allows these various industries to tailor their training and hiring to meet a wide range of labor needs in their respective fields. A common factor that distinguishes these job categories is a college degree: a college degree is not required for vocational employment, but it is often required for professional jobs.
Within the cybersecurity industry, the prevailing mindset is that security practitioners are professionals. A direct consequence of this mindset is that a college degree is required for many cybersecurity jobs. Recent (ISC2) figures indicate that 86% of today’s cybersecurity workforce has a bachelor’s degree or higher. Additionally, a quick search of Indeed.com shows around 46,000 cybersecurity jobs, of which 33,000 (>70%) require a degree. However, many cybersecurity practitioners I know would rightly say that a college degree is not necessary for most cybersecurity jobs, and strict adherence to this requirement disqualifies many deserving candidates. But removing the college degree requirement begs the question: are these really professional jobs or should they be recast as vocational jobs?
I would say that these jobs should be seen as vocations rather than professions. Although many cybersecurity workers take pride in their professional status, many of their jobs (and thousands of unfilled cybersecurity jobs) are truly vocational in nature and could be filled by people with the appropriate level of vocational training. In vocational schools, students focus almost entirely on learning the skills of their trade. By immersing themselves in a particular area, students practice real-world skills they will need and can apply in the workplace. Additionally, this training period can proceed at an accelerated pace that produces qualified candidates in one or two years, or even sooner.
With respect to professional tasks, a general difference between vocational and professional roles is the expectation that someone in a professional role is empowered/charged with the responsibility to make more significant risk management decisions. But what is it about a college education that qualifies someone for the professional ranks to make such decisions? In college, students are required to learn other disciplines aside from their majors. College students are encouraged to think laterally and connect the dots between several disparate fields by studying various subjects simultaneously. However, this approach takes an average of four years or more before these candidates enter the labor market.
In many other labor markets, there is a ratio of about 4:1 between vocational jobs and professional jobs. Compare that to the 1:2 ratio we see in the cybersecurity job market. After four years, we could have up to four times the number of vocational cybersecurity workers for every professional cybersecurity worker. But since the cybersecurity labor market offers only one vocational job for every two professional jobs, we will have an imbalance that will potentially take away job opportunities from those who take a faster vocational path and leave critical positions unfilled.
As we head into 2022, the severe cybersecurity labor shortage will continue to threaten our ability to properly defend our digital ecosystem and our way of life. Building on the successful scaling models seen in other labor markets, we should examine which of our unfilled jobs can be addressed through skills training and adapt our hiring practices to enable similar scaling to fill gaps in the labor market. At the same time, we should partner with cybersecurity-focused job training and education programs that allow a wider range of job seekers to qualify for these opportunities. By re-examining some of our traditional cybersecurity roles in light of vocational opportunities, we can build a more robust and adaptive workforce that can better defend against the complex cybersecurity threats of the 21st century.