So What is it I Do, Again?

On 18 September 2013 the National Research Council of the National Academy of Sciences released a report with what would seem a benign conclusion: namely, that cybersecurity should be viewed as an occupation, not a profession. It apparently took a panel of highly-educated and well-connected contributors to come to this less-than-stunning conclusion. They determined -- apparently through research -- that my chosen career field is rapidly changing and is “too broad and diverse to be treated as a single profession”. I’m not sure how much the Department of Homeland Security paid for that analysis, but I would have been happy to provide similar conclusions for half their investment.

None of the report really addresses why the question was asked. Presumably, DHS was seeking ideas for hiring, training, and retaining people with critical security skills. How that evolved into a requirement for a report on the potential professionalization of security experts, I couldn’t begin to guess. In some cases, human resources teams like to use professionalization as a shortcut to assessing a potential employee’s skill set. They allow an outside body to certify applicants via lengthy exams and documented courses of preparation to save them the trouble of trying to match skills to jobs. It makes your job a lot easier if you can say you need a Bravo256, and Sally is a certified Bravo256 – the way the military categorizes career fields. Plug-and-play jobs.

This concept is far from new. In medieval Europe, for one example, a variety of guilds arose during the twelfth century. These guilds were formed from groups of merchants or craftsmen who laid claim to exclusive rights for their services in a town or city. In many cases, they grew into the local governing body simply through the exercise of their influence. To the public, the guild offered to ensure that townsfolk would get quality products and services. By hiring a guild member, it was claimed, both peasants and landholders could avoid charlatans and those who performed shoddy work. The guild, however, served the dual purpose of keeping guild members’ wages and fees high while creating momentous barriers for potential rivals.

Fortunately for all of us, the report recognized this two-edged sword. It noted that premature professionalization of the field could “discourage out-of-the-box thinking and narrow the pipeline of potential workers”. It did stop short of pointing out how these new-age guilds are used to dramatically reduce competition and inflate salaries for insiders. There is room for a wide range of creative solutions for our security challenges. Limiting who gets to play is so twelfth century.


John McCumber is a security and risk professional, and author of Assessing and Managing Security Risk in IT Systems: A Structured Methodology, from Auerbach Publications. If you have a comment or question for him, e-mail