Cyber security is both an art and a science. As an art, there are subjective elements which constitute ‘best practice’ for one organisation (or industry sector, or geographical region etc.), but objective universal best practices are difficult to establish because risk profiles differ. On the other hand, as a science, cyber security is also a process of discovery and testing – skilled practitioners building shared knowledge about technologies and those who use them. These practitioners learn from each other, often brought together by common causes (see social messages) to form a community of professionals.
The cyber security community, like scientific professions it wants to emulate, is by its nature cooperative rather than competitive. The community as a whole has more to gain by members improving collectively, than members gain by improving individually. This means members share knowledge and experiences to enrich others, lifting the community at large and making life difficult for malicious actors. The community spirit is the embodiment of the social messages cyber security has to offer. Community can also be a factor in improving diversity in the cyber security workforce, where women and people from ethnic minority backgrounds tend to be underrepresented1. Community can help inspire and guide new workforce entrants from these backgrounds through role models and mentoring
To take advantage of the community aspects of the cyber security profession, two things are required. Firstly, cyber security workforces in the public and private sectors should be shaped by the same frameworks and standards. At present, the private sector cyber security workforce has largely grown and organised itself organically, driven by market forces. Conversely, public sector workforces are more likely to be shaped by – or at least more likely to be compelled to adopt – frameworks and standards which have been produced or approved by central governments. But this risks creating two communities; and the benefits of having a community could be better realised by simplifying from two to one. Agreeing a plan for domestic adoption of frameworks and standards between private and public sectors would help toward this simplification. Secondly, there is a need to track uptake and impact of these efforts.
The strength of the community grows with more members, so active promotion of international efforts towards cyber security workforce professionalisation and tracking increased membership is required to maximise impact. Spreading the message about efforts at large fora such as the Global Cyber Capacity Building Conference in Geneva in May 2025 is likely to raise awareness and encourage new joiners.2