Article Preview
Top1. Introduction
There has been a significant workforce gap and a fast-growing industry demand for qualified cybersecurity professionals globally and in the United States. According to the (ISC)2 Cybersecurity Workforce Study, the shortage of cybersecurity professionals is close to three million globally and about half a million in North America and the majority of the companies surveyed reported concerns of moderate or extreme risk of cybersecurity attacks due to the shortage of dedicated cybersecurity staff ((ISC)2, 2018c). An information security analyst is only one of the career titles in the cybersecurity profession. The latest career outlook published by the United States Labor Department Bureau of Labor Statistics shows that the employment of information security analysts is projected to grow 28 percent from 2016 to 2026, much faster and with better pay than the average for all occupations (US Labor Department BLS, 2018).
Education, training, and professional certifications are common solutions for alleviating shortage of professional staff. However, a recent study shows that top universities in the United States were failing at cybersecurity education with a lack of cybersecurity requirements for graduates and a slow change in curriculum and courses (White, 2016). The national Centers of Academic Excellence in Cyber Defense Education (CAE-CDE) designation program jointly sponsored by the US National Security Agency (NSA) and Department of Homeland Security (DHS) has been a reputable standard for certifying and maintaining high quality of cybersecurity education with rigorous requirements for program evaluation and assessment of cybersecurity knowledge units. However, only less than 300 (or about four percent) of the all colleges and universities in the U.S. have achieved the CAE-CDE designation status so far (Wang, Dawson, & Williams, 2018).
Recognizing the need to develop more and qualified cybersecurity professionals to meet the workforce demand, the U.S. National Initiative for Cybersecurity Education (NICE) recently published the NICE Cybersecurity Workforce Framework (NCWF SP800-181), which specifies cybersecurity professional categories, tasks, job roles as well as knowledge, skills, and abilities (KSAs) needed for cybersecurity jobs (NICE, 2017). These KSAs are also mapped to the cybersecurity knowledge units (KUs) for college and university programs with CAE-CDE designations. An initial effort to map the KSAs with limited cybersecurity certification domains was conducted by Wang and D’Cruze (2019).
Professional certifications are an important supplemental credential system to help select talents and guide the training and development of cybersecurity workforce. In hiring information security analysts, for example, many employers prefer their candidates to have some relevant professional certification in the field, such as Certified Information Systems Security Professional (CISSP) in addition to a minimum of a bachelor’s degree in order to validate the knowledge and best practices required for the job (US Labor Department BLS, 2018). Ideally, the certification process used for developing and selecting qualified professionals in the cybersecurity field should incorporate the job tasks and KSAs specified in the NCWF as well.
There are many different types of certifications for the cybersecurity field with various levels of requirements and rigor. The CISSP (Certified Information Systems Security Professional) certification stands out as a challenging but popular vendor neutral certification choice coveted by cybersecurity professionals and employers. Studies show CISSP as a top cybersecurity credential sought after and most valued by employers (Brown, 2019; (ISC)2, 2017b; ISCN, 2018; Wierschem, Zhang, & Johnston, 2010). This study is motivated by the urgent need and research efforts for viable solutions to the shortage of cybersecurity talent and by the recent study on the CISSP certification by Wang and D’Cruze (2019).