Cyber Is NICE Work, If You Can Get it

Cybersecurity is not one of the attractive career fields that tend to draw job seekers in droves to job fairs, especially among today’s young people now entering the work force, experts say. It has been a fairly ill-defined occupation, and that has led to the creation of a U.S. government office to work to codify requirements and job descriptions. It also has prompted a discourse about whether to professionalize the line of work as the United States struggles with a critical shortage of experts qualified to keep safe the networks that handle the cornucopia of personal, government and business information in the booming digital world.

“Building the cybersecurity work force is a critical issue,” says Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), a non-profit organization founded in 2001 as a public-private partnership working primarily with the Department of Homeland Security to promote cybersecurity awareness for home users, businesses and primary and secondary education. “Over the last several years, we’ve been conducting research with Raytheon around millennials’ attitude toward careers in cybersecurity. We’ve been trying to help figure out how we can attract more young people into the cybersecurity fields.”

The conditions also spawned the creation of the National Initiative for Cybersecurity Education (NICE), which set in motion the creation of the national cybersecurity work force framework to establish a common cybersecurity work force glossary for the U.S. government, and by extension, the private sector. “Within the human resources offices, we started something two years ago that got posted for the first time, which is a cybersecurity work force framework,” says Bill Newhouse, program lead for NICE and a cybersecurity adviser in the Security Outreach and Integration Group of the Computer Security Division, Information Technology Laboratory at the National Institute of Standards and Technology (NIST). “And having that framework gave us the language defining cybersecurity more consistently. Now we’re able to build other materials around that so that we can start teaching teachers and offering more [programs] down into the lower [grades], into the middle schools and high school levels.”

To many, it might seem surprising that two-thirds of the respondents to the 2014 NCSA-Raytheon survey, those ages 18 to 26, replied that they did not know or were not sure what cybersecurity actually is. “We still see there is a lot of definitional issues for young people,” Kaiser says. “And frankly, ask cybersecurity people in cybersecurity what a cybersecurity professional is and you’re not going to get a very clear answer either.”

But respondents who are 26 years old today were high school seniors eight years ago, and “eight years ago, cybersecurity was much less on people’s minds than it is today,” Kaiser points out. “I would expect to see this number increase very rapidly as time goes on. We do have a societal shift that will help us to some degree, and there is a lot more awareness now in general on the issue.”

Additionally, while 41 percent of respondents reported they were told of cybersecurity as a potential career during high school by a person in an authoritative role—be it a teacher, guidance counselor, career counselor or an adult in an after school program—they didn’t have the in-school means to pursue training. “Unfortunately, we also asked if they had access to computers classes in high school to build the skills necessary for cyber careers, and 64 percent said they did not,” Kaiser adds.

The nation’s rush to embrace cyberspace not only exposed the government, private companies, financial institutions and academia to vulnerabilities such as debilitating cyber attacks, it also created an unintended quandary seemingly benign on the surface of the issue: The sprint to adoption left authorities unable to provide an accurate accounting of work force personnel when needed and left officials with a head scratcher of a question: Who makes up the work force that is cybersecurity?

Cybersecurity today is at the forefront of national focus, with billions of dollars spent on development of technologies and procedures to shore up vulnerabilities, and universities and colleges establishing cybersecurity-specific degree programs. Millennials want to know more about the field and want to know if they might be good at it, Kaiser asserts. Too often, headhunters pitching the careers focus on the high earning potential. “If we’re going to talk to young people about these jobs, we need to understand that they want more information about what the careers are, and they need to know whether they would be good at it.” Of the respondents, 48 percent felt they needed more information about the job while 34 percent were piqued by the opportunity to earn a good living.

Until recently, having a unified road map to categorize different jobs within the cybersecurity field led to a chaotic inventory of the skills among the available work force, explains NIST’s Newhouse. The framework was codified and signed into law by President Barack Obama in December 2014.

The Defense Department is leveraging the NICE framework to establish the foundation for its own cyberspace work force framework, using a significant amount of the content with an aim of enhancing the department’s communication and interoperability with industry and other federal agencies, says Stephanie Keith, the department’s Cyberspace Workforce Strategy and Policy Division chief. “Development of the NICE work force framework was informed and vetted with academia and training institutions, thus creating a mechanism to expand the cyberspace work force pipeline,” Keith says.

The Defense Department plans to expand it, establishing a new level of detail to the framework by identifying the cyber work roles for each specialty area, she adds. “This level of detail will allow the DOD [Defense Department] to more accurately identify the capabilities required to conduct cyber work; facilitate human capital management processes; target recruiting, retention and training activities; develop career progression programs; and standardize qualification requirements.

“The Department of Defense has an overarching Defense Cyberspace Workforce Strategy (DCWS) to address work force transformation required to maintain a strategic advantage in cyberspace,” Keith continues. “The DCWS focuses efforts to establish work force requirements, produce consistency and applicability of cyberspace skills and abilities, as well as promote a greater understanding of cybersecurity responsibilities as technology advances. As stated in the DCWS, the development of DOD’s Cyberspace Workforce Framework provides the building blocks for a capable, prepared and adaptive cyberspace work force by standardizing work roles and qualifications, and enabling the unity and interoperability needed for consistent understanding, common training and joint operations.”

In addition to setting a consistent definition of cybersecurity and the defense work force, NICE’s mission is to educate school-aged children about cybersafety and promote careers in the field to attract the next generation of cyberwarriors. “That is certainly a goal, to establish that notion that cybersecurity is a good future career,” Newhouse says. “There is a general sense that we don’t have a large enough work force, so the pipeline needs to be addressed.”

NIST helps by facilitating high school internships and undergraduate research fellowships to let students come and work with government experts in the field. NICE efforts seek to have cybersecurity curriculums better integrated into Department of Education’s science, technology, engineering and mathematics (STEM) work. “Where does cybersecurity fit into STEM?” Newhouse asks. “All STEM fields rely on computing and information technology and network and device infrastructure. Cyberspace and the cybersecurity properties of that space are relevant to all the STEM fields. My hope is to add cybersecurity into those STEM conversations so that, if there is an opportunity for us to describe doing math that supports a cybersecurity concept, we need to create more evidence of that.”

NICE too formed a partnership with the National Science Foundation (NSF), an independent federal agency with the aim of promoting the progress of science and secure national defense. With an annual budget of $7.3 billion in fiscal 2015, the NSF is the funding source for roughly 24 percent of all federally supported basic research conducted by colleges and universities in the United States. In fields of mathematics, computer science and social sciences, the NSF is the major source of federal backing in the government’s push to help transform cyberspace by making it safer.

In December 2011, the NSF teamed with the National Science and Technology Council to focus on a coordinated federal strategic plan for cybersecurity research and education. Additionally, the NSF has the CyberCorps: Scholarship for Services program, which pushes for cybersecurity education and work force development through a reciprocal scholarship program in which students studying cybersecurity receive scholarship awards and in return work after graduation for a federal, state, local or tribal government organization in a position related to cybersecurity.

For young students to be attracted to the career field, they have to be connected to the Internet, an initiative pushed recently by the White House. “We’re working to connect 99 percent of America’s students to high-speed Internet—because when it comes to educating our children, we can’t afford any digital divides,” President Obama said in February at the Summit on Cybersecurity and Consumer Protection at Stanford University in California. “It’s why we’re helping more communities get across to the next generation of broadband faster, with cheaper Internet, so that students and entrepreneurs and small businesses across America, not just in pockets of America, have the same opportunities to learn and compete as you do here in the Valley.”

NICE provides for an ongoing, voluntary public-private partnership with the goal of improving cybersecurity and strengthening research and development in the field, work force development and education and public awareness and preparedness, Newhouse explains. “Defining the cybersecurity population consistently, using standardized terms, is an essential step in ensuring that our country is able to educate, recruit, train, develop and retain a highly-qualified work force,” reads the NICE website.

The broadness and diversity of the cybersecurity work force make it difficult to treat jobs as a single occupation or profession, leading to discussions on whether to professionalize the field. “The question of professionalizing is actually a complex one, and it’s not a simple answer to say whether or not professionalization would help resolve the challenge,” says Diana Burley, associate professor at George Washington University and co-chair at the National Academies’ Committee on Professionalizing the Nation’s Cybersecurity Workforce. “Because the field of cybersecurity includes many different occupations, each with the potential for different deficiencies, we really have to look at the individual occupations within that field.”

A benefit of professional certifications, for example, would provide a way for hiring managers to vet candidates knowing they have met uniform requirements. But because it is such a dynamic field, the move could prevent managers from hiring candidates who did not go through a traditional education process, but prove to be creative thinkers and an asset to the organization using different parameters. “It would be dangerous to professionalize the entire field in the same way at the same time,” Burley explains. A blanket change “might do more harm than good.”