The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Some thoughts on “cybersecurity” professionalization and education


[I was recently asked for some thoughts on the issues of professionalization and education of people working in cyber security. I realize I have been asked this many times, I and I keep repeating my answers, to various levels of specificity. So, here is an attempt to capture some of my thoughts so I can redirect future queries here.]

There are several issues relating to the area of personnel in this field that make issues of education and professional definition more complex and difficult to define. The field has changing requirements and increasing needs (largely because industry and government ignored the warnings some of us were sounding many years ago, but that is another story, oft told -- and ignored).

When I talk about educational and personnel needs, I discuss it metaphorically, using two dimensions. Along one axis is the continuum (with an arbitrary directionality) of science, engineering, and technology. Science is the study of fundamental properties and investigation of what is possible -- and the bounds on that possibility. Engineering is the study of design and building new artifacts under constraints. Technology is the study of how to choose from existing artifacts and employ them effectively to solve problems.


The second axis is the range of pure practice to abstraction. This axis is less linear than the other (which is not exactly linear, either), and I don't yet have a good scale for it. However, conceptually I relate it to applying levels of abstraction and anticipation. At its "practice" end are those who actually put in the settings and read the logs of currently-existing artifacts; they do almost no hypothesizing. Moving the other direction we see increasing interaction with abstract thought, people and systems, including operations, law enforcement, management, economics, politics, and eventually, pure theory. At one end, it is "hands-on" with the technology, and at the other is pure interaction with people and abstractions, and perhaps no contact with the technology.

There are also levels of mastery involved for different tasks, such as articulated in Bloom's Taxonomy of learning. Adding that in would provide more complexity than can fit in this blog entry (which is already too long).

The means of acquisition of necessary expertise varies for any position within this field. Many technicians can be effective with simple training, sometimes with at most on-the-job experience. They usually need little or no background beyond everyday practice. Those at the extremes of abstract thought in theory or policy need considerably more background, of the form we generally associate with higher education (although that is not strictly required), often with advanced degrees. And, of course, throughout, people need some innate abilities and motivation for the role they seek; Not everyone has ability, innate or developed, for each task area.

We have need of the full spectrum of these different forms of expertise, with government and industry currently putting an emphasis on the extremes of the quadrant involving technology/practice -- they have problems, now, and want people to populate the "digital ramparts" to defend them. This emphasis applies to those who operate the IDS and firewalls, but also to those who find ways to exploit existing systems (that is an area I believe has been overemphasized by government. Cf. my old blog post and a recent post by Gary McGraw). Many, if not most, of these people can acquire needed skills via training -- such as are acquired on the job, in 1-10 day "minicourses" provided by commercial organizations, and vocational education (e.g, some secondary ed, 2-year degree programs). These kinds of roles are easily designated with testing and course completion certificates.

Note carefully that there is no value statement being made here -- deeply technical roles are fundamental to civilization as we know it. The plumbers, electricians, EMTs, police, mechanics, clerks, and so on are key to our quality of life. The programs that prepare people for those careers are vital, too.

Of course, there are also careers that are directly located in many other places in the abstract plane illustrated above: scientists, software engineers, managers, policy makers, and even bow tie-wearing professors. grin

One problem comes about when we try to impose sharply-defined categories on all of this, and say that person X has sufficient mastery of the category to perform tasks A, B, and C that are perceived as part of that category. However, those categories are necessarily shifting, not well-defined, and new needs are constantly arising. For instance, we have someone well trained in selecting and operating firewalls and IDS, but suddenly she is confronted with the need to investigate a possible act of nation-state espionage, determine what was done, and how it happened. Or, she is asked to set corporate policy for use of BYOD without knowledge of all the various job functions and people involved. Further deployment of mobile and embedded computing will add further shifts. The skills to do most of these tasks are not easily designated, although a combination of certificates and experience may be useful.

Too many (current) educational programs stress only the technology -- and many others include significant technology training components because of pressure by outside entities -- rather than a full spectrum of education and skills. We have a real shortage of people who have any significant insight into the scope of application of policy, management, law, economics, psychology and the like to cybersecurity, although arguably, those are some of the problems most obvious to those who have the long view. (BTW, that is why CERIAS was founded 15 years ago including faculty in nearly 20 academic departments: "cybersecurity" is not solely a technology issue; this has more recently been recognized by several other universities that are now also treating it holistically.) These other skill areas often require deeper education and repetition of exercises involving abstract thought. It seems that not as many people are naturally capable of mastering these skills. The primary means we use to designate mastery is through postsecondary degrees, although their exact meaning does vary based on the granting institution.

So, consider some the bottom line questions of "professionalization" -- what is, exactly, the profession? What purposes does it serve to delineate one or more niche areas, especially in a domain of knowledge and practice that changes so rapidly? Who should define those areas? Do we require some certification to practice in the field? Given the above, I would contend that too many people have too narrow a view of the domain, and they are seeking some way of ensuring competence only for their narrow application needs. There is therefore a risk that imposing "professional certifications" on this field would both serve to further skew the perception of what is involved, and discourage development of some needed expertise. Defining narrow paths or skill sets for "the profession" might well do the same. Furthermore, much of the body of knowledge is heuristics and "best practice" that has little basis in sound science and engineering. Calling someone in the 1600s a "medical professional" because he knew how to let blood, apply leeches, and hack off limbs with a carpenter's saw using assistants to hold down the unanesthitized patient creates a certain cognitive dissonance; today, calling someone a "cyber security professional" based on knowledge of how to configure Windows, deploy a firewall, and install anti-virus programs should probably be viewed as a similar oddity. We need to evolve to where the deployed base isn't so flawed, and we have some knowledge of what security really is -- evolve from the equivalent of "sawbones" to infectious disease specialists.

We have already seen some of this unfortunate side-effect with the DOD requirements for certifications. Now DOD is about to revisit the requirements, because they have found that many people with certifications don't have the skills they (DOD) think they want. Arguably, people who enter careers and seek (and receive) certification are professionals, at least in a current sense of that word. It is not their fault that the employers don't understand the profession and the nature of the field. Also notable are cases of people with extensive experience and education, who exceed the real needs, but are not eligible for employment because they have not paid for the courses and exams serving as gateways for particular certificates -- and cash cows for their issuing organizations. There are many disconnects in all of this. We also saw skew develop in the academic CAE program.

Here is a short parable that also has implications for this topic.

In the early 1900s, officials with the Bell company (telephones) were very concerned. They told officials and the public that there was a looming personnel crisis. They predicted that, at the then-current rate of growth, by the end of the century everyone in the country would need to be a telephone operator or telephone installer. Clearly, this was impossible.

Fast forward to recent times. Those early predictions were correct. Everyone was an installer -- each could buy a phone at the corner store, and plug it into a jack in the wall at home. Or, simpler yet, they could buy cellphones that were already on. And everyone was an operator -- instead of using plugboards and directory assistance, they would use an online service to get a phone number and enter it in the keypad (or speed dial from memory). What happened? Focused research, technology evolution, investment in infrastructure, economics, policy, and psychology (among others) interacted to "shift the paradigm" to one that no longer had the looming personnel problems.

If we devoted more resources and attention to the broadly focused issues of information protection (not "cyber" -- can we put that term to rest?), we might well obviate many of the problems that now require legions of technicians. Why do we have firewalls and IDS? In large part, because the underlying software and hardware was not designed for use in an open environment, and its development is terribly buggy and poorly configured. The languages, systems, protocols, and personnel involved in the current infrastructure all need rethinking and reengineering. But so long as the powers-that-be emphasize retaining (and expanding) legacy artifacts and compatibility based on up-front expense instead of overall quality, and in training yet more people to be the "cyber operators" defending those poor choices, we are not going to make the advances necessary to move beyond them (and, to repeat, many of us have been warning about that for decades). And we are never going to have enough "professionals" to keep them safe. We are focusing on the short term and will lose the overall struggle; we need to evolve our way out of the problems, not meet them with an ever-growing band of mercenaries.

The bottom line? We should be very cautious in defining what a "professional" is in this field so that we don't institutionalize limitations and bad practices. And we should do more to broaden the scope of education for those who work in those "professions" to ensure that their focus -- and skills -- are not so limited as to miss important features that should be part of what they do. As one glaring example, think "privacy" -- how many of the "professionals" working in the field have a good grounding and concern about preserving privacy (and other civil rights) in what they do? Where is privacy even mentioned in "cybersecurity"? What else are they missing?

[If this isn't enough of my musings on education, you can read two of my ideas in a white paper I wrote in 2010. Unfortunately, although many in policy circles say they like the ideas, no one has shown any signs of acting as a champion for either.]

[3/2/2013] While at the RSA Conference, I was interviewed by the Information Security Media Group on the topic of cyber workforce. The video is available online.


Posted by Marc Noble
on Saturday, March 2, 2013 at 09:28 AM

This is about the clearest picture I’ve seen or heard enunciated on information security workforce issues.  We could certainly use more clear thinkers in the DC area like Gene.

Posted by Stephen Northcutt
on Monday, March 4, 2013 at 10:10 PM

This is a very hard problem. I think the biggest focus on training needs to be in two year “community” colleges. We need screwdriver turners.

At the current level of sophistication, I am concerned it will be very hard for a 4 yr institution to produce graduates that what industry needs turnkey UNLESS employers are simply looking for demonstrated aptitude with a strong emphasis on terminology, concepts and problem solving skills.

At the graduate level, people can choose a specific focus area to master, forensics or penetration testing ( I do not think exploiting existing systems has been over emphasized by anyone).

Certifications. Gosh I need to be careful here my friend, but it should simply mean that the successful candidate meets a minimum standard. Where someone got the idea it means they are a Jedi Knight is totally beyond me.

Loved your parable, Gene Kim used to talk about IT as being most similar to the meat packing industry at the turn of the century, it is clear we have a ways to go.

Spaf sez:

Great comments, Steve.

We may need more screwdriver turners right now, but that is only because the designs and infrastructure are so bad. One of my main points is that if we focus on turning out screwdriver turners, we will be stuck needing more of them and never get better ... screws?  It may be a 80/20 split is needed, or a different ratio, but we need to make a sustained investment in fixing things from the source outwards.  From a purely U.S. standpoint, even if we turn every adult into a “screwdriver turner” we will still be overwhelmed by the Chinese, Russians, etc.  They have far more people and attackers don’t need to go one-on-one with defenders.  We can’t win by numbers.  We need to be smarter.

My comment about certifications is that people focus on the minimal requirements of certifications to get them and specify them, and there are reasons they may get stagnant and become a least common denominator.  We see that in many places, where the certificate has become more important than the skills.

Posted by Rob
on Tuesday, March 5, 2013 at 12:19 AM

I agree mostly with the post. I would even be more of an alarmist, which I didn’t think was possible. The domain is maturing and broadening at a pace that I don’t think any of us fully appreciate. If you see how long it takes to graduate, train, and allow a graduate to gain a bit of professional experience, we are no way near the number of qualified people with some reasonable experience in this area. The few that are talented have great opportunities, but they are overworked and left with little time to try to solve the enduring problems, because most of the personnel cannot deal with immediate problems that to be honest cannot be left unresolved.

I would add one discipline on the X-axis: Policy, which in my view includes a few disciplines such as but not limited to political scientists, business majors, economists, and international relations experts.  In short, “Policy” represents those that are in the decision-making apparatus of an organization. 

[Spaf sez: I have Policy on the Y axis because it intersects with science/engineering/technology.]

The disconnect in Policy:

—I have found those that graduate with advanced degrees particularly a PhD in a technical discipline and have an aptitude for policy skip over trying to gaining some experience in the field.  They may spend a year or so to “check the box” and act like they have worked the issue.  They feel the PhD somehow should get them “ahead” and move to policy too quickly without having a good understanding of some of the hurdles and where policy could help and where it wouldn’t. 

—On the flip side, I find that people well versed in policy with some experience have a poor understanding of this domain and the underlying technologies.  They are often too focused on how the technology works, and then have trouble understanding the history and underlying problems. 

—In both cases, I find the inability for each to leverage the others knowledge makes each type of person jump to decisions that are focused on the “now”, because they feel compelled to act.  One may look to control the problem by regulating technology, because they don’t understand it.  The other may focus on trying to convince others solving this problem is in their interest without understanding or appreciating the complexity or breadth of problems those people deal with in their profession (e.g. convince industry this is an a pressing economic issue during a recession).  This sweeping approach to “save industry” discredits the person as well as the field.  Pointed regulation and broad strokes are common and poor approaches to policy.

Policy like most things rarely solves an immediate problem but creates an environment that has a chance of being more successful in the years to follow.  Much like a plant: it grows by the inch but dies by the foot.  There is no guarantee, and we should not expect to see immediate results.  One area is investing in education, which you have “preached” for your entire career as an educator.  There are many others.  That said, we should not only be focused on the future.  There are real problems today that cannot be ignored.  You may have read about a few of them in the press.

Posted by No Real Name Given
on Sunday, March 10, 2013 at 12:21 AM

It is more than understandable that DOD is not able to find requisite skills, if not manpower. Fact is that somewhere all these theories and programs for creating of a pool of cyber security professionals must encompass the hacking community. In my personal opinion, the best hackers would make the best security professionals, because they approach the problem not from a theoretical but the hacker’s end. I think institutions should make effort to convert, include and induct these talented people—often youngsters and college-going kids into this pool of skilled professionals. I doubt if approaching this disciple like any other with class-room teaching would ever meet industry’s needs nor solve problems.


Spaf sez:  I have written and spoken about this many other times & places—the skill set to break things is NOT the same skill set to protect things.  People without training, or training only in breaking systems are not really useful as defenders and architects, and this has been proven repeatedly.  Meanwhile, defenders definitely need some understanding of attack techniques but that is not useful as primary education.

As far as how to approach teaching this, the right way is with resources, materials, exercises, and lectures with balance and coverage.  But that takes resources few places have now, and as the clamor for more graduates increases, it will do little to support the thoughtful development of better pedagogy.  That was one of the thrusts of my essay.

Leave a comment

Commenting is not available in this section entry.