A ‘cybersecurity profession’: what are we talking about?

First published in The Mandarin.

Over the last ten years, there has been a quiet but persistent conversation about the future of professions. But we live in a post-truth world, where politicians and the media continue to wage a war on science and expertise. The democratisation of knowledge ensures that ‘Dr Google’ is the first call for any medical diagnosis. Our core life skill is wading through misinformation, and expertise has taken a battering.

For decades, those entering the workforce (often encouraged by their parents) aspired to become doctors, lawyers, engineers, or architects. These professionals were respected community members with specialist knowledge in disciplines that could benefit us all.

In return, society granted professionals the autonomy to develop and apply that knowledge to help us all. Surgeon and writer Atul Gawande neatly sums up the independence and responsibility given to professions and professionals:

The public has granted us extraordinary and exclusive dispensation to administer drugs to people, even to the point of unconsciousness, to cut them open, to do what would otherwise be considered assault because we do so on their behalf—to save their lives and provide them comfort.

Society constructed the professional landscape we now take for granted over many years. However, today, the idea of ‘professional’ has been diluted, and the behaviour of some professionals and professional bodies should be questioned more closely.

In this environment, the cybersecurity profession is in the early stages of its journey toward professionalism. It is a tough time to start a profession, but it is becoming increasingly apparent that we need those who value the disciplines and responsibilities of professionalism.

The importance of cybersecurity to national prosperity and security ensures that it must become a profession. The government has already recognised this and is steadily shunting the collection of cybersecurity occupations in this direction.

The question for cybersecurity practitioners is, ‘What sort of profession should it become?’

Why should cybersecurity be a profession?

Cybersecurity will emerge as a profession due to its increasing importance to national prosperity and security. It has moved from a novel business function accompanying the pervasive spread of technology to a societal concern.

As Sue Gordon, a former principal deputy director of national intelligence, noted in response to the 2021 Colonial Pipeline attack:

It’s all fun and games when we are stealing each other’s money. When we are messing with a society’s ability to operate, we can’t tolerate it.

Cybersecurity’s move toward professionalisation offers an opportunity to set a professional agenda that differs from established engineering, health, and legal professions. This agenda should start with a clear view of cybersecurity’s nature, which will affect not only the agenda but also the proper design of the profession.

A multidisciplinary profession with an interdisciplinary core

Cybersecurity operates in an ever-present, always-on, intelligent, adaptive, and adversarial environment. Responding to the latest technical threats has driven change, adaptation, and innovation. However, the future of innovation in cybersecurity is likely to be systemic, particularly in places where cybersecurity intersects with social and organisational concerns. At these intersections, cybersecurity has the potential to be a catalyst for organisational integration.

Cybersecurity has evolved from a technical response to a growing technology problem to an omnipresent organisational concern. It has also transformed from a discrete and isolated function requiring technical leadership to a systemic problem requiring the dynamic blending of diverse interdisciplinary backgrounds focused on building organisational resilience through intelligence, cooperation, and collaboration.

Cybersecurity is a problem that involves IT professionals, software developers, hardware and network engineers, penetration testers, data scientists and analysts, legal and compliance professionals, forensic investigators, psychologists and behavioural scientists, project managers, human resources and training professionals, business executives and general managers, policymakers and public administrators, auditors and accountants, educators, and academic researchers.

Cybersecurity is no longer a purely technical problem but a human, legal, and organisational problem. Collaboration at this level requires new and different forms of evidence, the ability to agree on critical questions and core interests, and consensus about the desired outcome.

The cybersecurity profession is poised to make a crucial transition from an occupation of parts to a profession of systems—a multidisciplinary profession with an interdisciplinary core.

Three design principles for a cybersecurity profession

Typically, professionals exercise control and power over their expertise and often over other occupations expected to work with the professional. Because their work is based upon knowledge and lengthy training, professionals expect the quality of their work to be assessed only by other professionals, and they expect their work to be autonomously performed. They may perform their work within bureaucratic settings of various sorts, but ultimately, their loyalty is focused on their profession or professional association. Professional associations often wield peer review and practitioner control over the profession.

A multidisciplinary cybersecurity profession would build on, expand, and modify these traditional professional principles.

1. Ethics, values, and professional responsibility

Ethics, values, and responsibility remain core to professionalism. The recent ethical disasters in ‘professional’ multinational accounting firms reminded us that when things go wrong, it is usually due to a failure in ethics and values.

Cybersecurity is a profession at the centre of ethical decision-making. Ethical dilemmas in cybersecurity are complex and often involve trade-offs between security, privacy, transparency, and legality. These include (but are not limited to) handling sensitive information, balancing privacy and security, data breaches and reporting, responsible disclosure, and surveillance.

Cybersecurity professionals must navigate these dilemmas by adhering to ethical principles, professional guidelines, and legal obligations while considering their professional responsibilities and the broader societal impact of their decisions.

Ethical decision-making in cybersecurity requires carefully balancing conflicting interests and values. Professionals must be equipped to handle these challenges while maximising security and ethical integrity.

A priority for the emerging cybersecurity profession is well-defined ethical standards that are transparent and enforced through community governance. Education and training in cybersecurity ethics and moral decision-making must be multidisciplinary.

2. Education and careers (not just skills)

Skills gaps have long been the dominant feature of the discussion about the cybersecurity workforce. The responsibility for the gap and the lack of investment in the workforce pipeline oscillates between government, industry, and the education sector, failing to land firmly where the accountability lies.

Today, new entrants and practitioners seeking to stay current in cybersecurity face an impenetrable tangle of short courses, microcredentials, and degree-course qualifications. Universities, vocational education, specialist cybersecurity training firms, and product vendors offer the ‘must-have’ knowledge, skill or experience.

The cybersecurity profession's responsibility is to build a well-rounded, adaptable, and sustainable workforce. To this end, it would focus on lifelong learning for professionals that can be digested and applied at the speed of the profession’s evolution. This would catalyse government, industry, and educators to invest in and innovate cybersecurity education.

The innovation required in cybersecurity education is twofold.

First, the profession's applied and practitioner nature requires an education and credentialling strategy that acknowledges the spectrum from applied practitioner to multidisciplinary professional.

Second, it requires pathways from vocational to higher education that engage the industry in course design and delivery; for example, cybersecurity could lead other professions to implement degree apprenticeships and continuous reskilling. This departs from traditional professional education, which starts with an undergraduate degree and often requires mastery through postgraduate qualifications.

The United Kingdom’s National Cyber Security Centre has developed a cybersecurity education certification scheme and a comprehensive ‘Body of Knowledge’ that distils expert knowledge to provide the foundations for cybersecurity education. Notably, the certification includes Cyber Security Graduate Apprenticeships that bridge the gap between practical experience and academic education.

These educational offerings reinvent what were once known as ‘sandwich’ degrees. They also show the willingness of government, industry, and universities to collaborate on professionalisation.

Keeping pace with cybersecurity's rapid change remains a challenge. An untapped opportunity is to create a pathway from hands-on practitioner to degree-qualified professional for new entrants without degrees.

Cybersecurity constantly evolves, responding to new threats, technologies, and regulatory requirements. It must provide sufficient educational foundations while enabling professionals to adapt quickly to new challenges and technologies. Cybersecurity is a profession that will push for innovation in education design and delivery.

Moving away from cybersecurity skills lists will encourage career-focused education strategies that address cybersecurity skill gaps. This will also open multidisciplinary career pathways, promoting an interdisciplinary approach.

3. Cybersecurity is critical to organisational resilience

Australia’s prosperity depends on its digital economy. Consumer expectations of frictionless service and security will continue to increase, and failures or disruptions will damage government and business reputations. The Minister’s introduction to the 2023-2030 Australian Cyber Security Strategy bluntly states,

Cyber security is an urgent national problem, and we need to act now. After a decade of malaise, Australia has fallen behind.

A robust and professional cybersecurity workforce organised as a profession is critical to resilience in our organisations and institutions.

An area for professional debate is whether cybersecurity remains a subset of IT or of general security. The rise of the Chief Information Security Officer (CISO), responsible for integrating cybersecurity into business decision-making, suggests that the way forward is already evident. However, the way CISOs operate within government and industry varies greatly. For many, exercising professional autonomy remains subject to the maturity of executive management.

Autonomy is an essential component of a professional association. Lawyers, doctors, and other professionals working within a management hierarchy may need to balance professional responsibilities against organisational intent. The Optus and Medibank cybersecurity incidents showed that the government does not exclusively hold sensitive data, and that executive decision-making regarding business cybersecurity breaches can be flawed.

A vital consideration for an emerging cybersecurity profession is how it exercises professional responsibilities within a standard bureaucratic and managerial structure that could have an agenda that undermines traditional concepts of professional autonomy and expertise.

Cybersecurity starts from a different (potentially more demanding) place than traditional professions. It will emerge from within the organisation rather than responding to a community need that will later be incorporated into its management hierarchies.

Established professions such as doctors, lawyers, and nurses exercise considerable autonomy over work and professional standards in organisations. In times of organisational uncertainty or ethical dilemmas, they also have a clear organisational voice that reflects their professional standing.

When managerial decisions impinge on professional expertise and limit autonomy, the ability to call on a framework and actions to make good decisions becomes paramount.

The path to a profession

The multidisciplinary nature of cybersecurity distinguishes it from other professions. It is starting from a different place and has the potential to evolve toward being a profession with an interdisciplinary core as its defining feature.

We live in a rapidly evolving technological society, and it is increasingly difficult to imagine whether many of us can live outside it. Our dependence on technology has spurred the government and community to demand greater assurance that cybersecurity professionals have the skills, knowledge, and ethical standards to safeguard critical systems and sensitive data. Internally, cybersecurity practitioners want clearer career and knowledge pathways. They will also enjoy public and organisational recognition of the profession's contribution to safeguarding the community.

Cybersecurity is vital to national prosperity and security and must become a profession. Practitioners who can see the critical contribution of their craft to society will determine the type of profession.
