This research examines the issue of supply and demand for cybersecurity professionals to determine how to optimize the output of cybersecurity professionals through a supply chain. It was found that progress is impeded by the lack of a clearly defined and standardized definition of a cybersecurity worker and their associated knowledge, skills, and abilities. There is a known shortage of cybersecurity professionals that is affecting the ability of the United States to fulfil the mandate of President Obama, who declared that the protection of our digital infrastructure is a national security priority. The problem with this declaration is that a literature review confirms there is no standard definition of a cybersecurity worker, associated skills, or educational requirements. The cybersecurity workforce of which we speak in this report consists of those who self-identify as cyber or security specialists as well as those who build and maintain the nation’s critical infrastructure. Considering the criticality of the national infrastructure, it is time for the US to take immediate steps to coordinate the development of the cybersecurity field and its associated workforce supply chain.
Cyber Security Professionals Viewed via Supply Chain
1. THE BIGGEST THREAT TO THE U.S. DIGITAL
INFRASTRUCTURE: THE CYBER SECURITY
WORKFORCE SUPPLY CHAIN
Aleta Wilson, Ph.D.
Amjad Ali, Ph.D.
2. Overview
• Study examines supply and demand for
cybersecurity professionals
• Progress impeded by lack of career field for
cybersecurity professionals
The Obama administration has declared that
Protection of our digital infrastructure is a
national security priority
3. Scope
• This study explores activities required to employ
cyber security workers for the
– federal government and
– its contractor community
• These two sectors comprise an estimated 500,000
workers
– who must undergo a significant background
check because
– positions are considered as "national security
positions".
4. Scope and Methodology (cont)
• Second focus of study is university level
education and certifications
--------
Methodology
View the cyber workforce through the prism
of a supply chain
In other words.... How to optimize the supply
chain to increase production
6. Definition of a Cyber Security
Professional - DOL
• DOL Occupational Outlook Handbook does not
contain a definition for cybersecurity professionals
• DOL categories acknowledge positions that involve
people who
– plan, coordinate, and maintain an organization's
information security
– database administrators plan and coordinate security
measures with network administrators
– network engineers "may ... address information security
issues"
7. Definition of a Cyber Security
Professional - DHS
• Department of Homeland Security
Secretary Janet Napolitano defines
Cybersecurity professionals as
– employees responsible for "... cyber risk and
strategic analysis; cyber incident response;
vulnerability detection and assessment;
intelligence and investigation; and network and
systems engineering"
8. Definition of a Cyber Security
Professional – ISC2
– Frost & Sullivan conducted a survey of 10,413
information security professionals which
indirectly defined security professionals as
those
• employed as Information Security
professionals and
• those who had cyber security as their
primary job function.
9. Definition of a Cyber Security
Professional – DOD
DOD usually takes the lead in defining
elements related to cyberspace and
cybersecurity, but according to GAO
"DOD has defined some key cyber-related terms
but it has not yet fully identified the specific
types of operations and program elements that
are associated with full-spectrum cyberspace
operations"
10. Definition of a Cyber Security
Professional – Monster.com
• What does the largest job site call them?
– Network engineers
– System Administrators
– IT Security Engineers
– IT Security Analysts
– Network Administrators
• But where are the web designers; policy folk; SW engineers; etc. etc.
11. Definition of a Cyber Security
Professional – for this study
• Professionals who have information
security as a major part of their job;
• those who self-identify as cyber or security
specialists; and,
• those who build and maintain the national
critical infrastructure of the computer
systems on which the public and private
sectors have come to rely.
12. Now that we’ve defined them….
How do they get to the workplace….
13. Supply Chain Management (SCM)
• Viewing the shortage of cybersecurity
workers through SCM
– SCM attacks problem of uncertainty
head-on
• SCM solves two core resource problems
– Shortages and excesses
– Identifies where the chain is broken
14. Supply Chain Management (SCM)
• K to 12 (Shortage)
– STEM: Science, Technology, Engineering, Math
• Higher Ed (Dilution)
– Higher Education
– Centers of Excellence
– Other Higher Ed Institutions
• Professional Certifications (Certifying Need)
– Non-Higher Education Certifiers
– CISSP (ISC2)
– GSEC
– CompTIA Security+ Certification
– Vendor certifications
15. S.T.E.M. (K to 12)
• Public private partnership will invest
$260M between 2009 and 2019 (like
race to space)
• Growth in STEM jobs is 3X non-
STEM jobs
16. University Level Education
• NSA is Certifying Universities, Colleges,
and now Community Colleges
• 124 NCA’s (as of 2010)
– 14 are 2-year institutions
– 2 are 4-year institutions
– 51 are research institutions
– Some fall into more than one category
17. Certifications
• Certifications can come from
– Universities: $$$$ / value is unknown
– Private sector: $$ / highly prized, highly recognized certificates
19. What’s the Problem
• STEM will not produce for 10 years and then those high
schoolers have to go to college
• University pipeline is waiting for STEM graduates to enter
• Universities are not graduating enough cyber specialists
• University certificates are new and general
– too soon to determine value
20. So What
• US has discovered it is behind the curve in the
production of S.T.E.M graduates
• S.T.E.M skills are needed for cybersecurity
workforce
• War has expanded beyond nation states to
organizations like Wikileaks
• Warfare is expanding into cyberspace and we
do not have war fighters
21. So What (cont)
• Focusing on S.T.E.M in K-12 is critical to US
economy
• The field of cybersecurity is being developed
in pieces
• NIST, Microsoft, Cisco, & NSA are each designing standards models,
processes, certifications, and methodologies for the field and many
of them overlap
22. Conclusion
• The US government must take immediate steps to
coordinate the development of the cybersecurity field
• The US should task the National Security Agency to take
the lead
• Once the field is defined
– There will be sub-specialties
– There will be a roadmap for obtaining proficiency (like doctors &
lawyers)
– There will be standardized tests
– Estimates on workforce needs can more accurately be determined
– Training and certifications can be organized and synchronized
23. Questions and Answers
NSA designated National Center of Academic
Excellence in Information Assurance Education