Do you believe that we have a severe shortage, or are you on the side that argues that there are plenty of qualified workers and it is the hiring managers who don’t understand their own position descriptions?
Do you believe that certifications are the path to a prepared cyber workforce, or are you one who relies on more formal education paths? Perhaps you don’t believe in either method for such an esoteric profession.
These disparate thoughts fuel a wonderfully vigorous debate without doing anything to work towards a solution. Recently, the US Department of Homeland Security has taken some steps that may help to quiet the rabble and result in a saner discussion about the topic. Yes, this is the same Department from which the Transportation Safety Administration hails, but this is nothing like an airport check-in.
Take a look at the National Initiative For Cybersecurity Careers and Studies website (NICCS). The site is quite dense, offering resources for training, education, and workforce development. For those of you who love a challenge, it even includes a section on where to find Cyber competitions.
The NICCS site also links to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. At a quick glance, the NICE framework is very reminiscent of the focal areas of the COBIT framework. It has specific skill areas, including “Analyze”, “Investigate”, “Operate and Maintain”, “Oversee and Govern” as well as others. Each one of these headings shows its associated specialty areas. Whether the similarity between the NICE Workforce Framework and COBIT is by design, or mere coincidence, I don’t know.
It is not my mission to promote the NICCS site. The detail on the site will lead anyone who visits to spend more time than originally intended, as the site is simply that good! The best part of the entire initiative is that it is an unbiased look at the cybersecurity profession. It is not selling a particular certification or product. One of the downloadable documents even includes methods for retaining talent.
This is an excellent resource for anyone seeking to fill a cybersecurity role in an organization. It is also an excellent resource for anyone seeking either to get started in the field of cybersecurity or to upgrade their skills. (Probably the most frequent questions asked in the industry are “how do I get started?” and “how can I advance?”)
There are some failures in the site: it has a “Mapping tool” that plots relevant skills to a particular job function, and a “Position Description” tool, yet both of these features are available only to government staff. I think the DHS should make these available to the civilian population. (The DHS should also recognize that most security folks are loath to download a macro-enabled Excel file.)
The best part of this initiative is that we are finally seeing solid guidance in a field that for too many years has lacked clear direction. I am optimistic that the debate about whether there is a cybersecurity talent shortage may now be able to shift to one of curiosity about which direction is best suited to an individual in this remarkably vast profession. A paradigm shift is always a step towards solving a problem.