Countries are at different stages of the journey to cyber security professionalisation. Some, such as the aforementioned UK and Ghana, have already made significant policy interventions to professionalise their cyber security workforces. Others are at earlier stages in the process, and with desired end states that do not necessarily replicate across geographies – for example the role of a government in regulating the profession. These differing approaches, and the mismatched stages of the professionalisation process, combine to create tension between desires for harmonisation versus localisation of professional standards.
Global harmonisation would enable workforce mobility, improve accessibility through transparency, and unburden cyber security professionals from competing standards – for example, international recognition of education and training limits the need for a cyber security professional to acquire multiple versions of the same accreditation for different jurisdictions. On the other hand, localisation recognises that countries are different (politically, economically, demographically etc.) and there is no one approach that fits all; local standards serve local needs. A piece of policy innovation that addresses a problem in one country may not work in other countries. For example, through its labour market research, the UK knows that cyber sector businesses there have large gaps in digital forensics and cryptography and communications security skills1. Other countries are likely to have gaps in other skillsets and would therefore look to target policies differently.
Alleviating the tension between harmonisation and localisation requires an approach that affords flexibility, and this can be achieved through modularity. By structuring professionalisation in modules, countries can select modules that suit their needs to build a locally-targeted professional cyber security framework while still adhering to internationally agreed standards. The work and coordination required to build and agree modules (and keep them up to date) is non-trivial, especially across a diverse international community, but would realise the benefits of both harmonisation and localisation.
To create this modularity, three cornerstones are required. First, a glossary of shared terms as previously outlined. Second, an agreed baseline for the minimum quality standard for a cyber security professional. Such a standard would ensure that any cyber security professional meets a threshold of competence; if countries want to set their local standard higher that is fine, but an agreed baseline acts as a backstop to enable harmonisation. Third, interoperability between professional frameworks that are currently extant or being developed.
As described, some countries are already far into the professionalisation journey and unable to begin again from scratch. For modularity to function, existing frameworks need to be made interoperable through actions like mapping frameworks to each other and recognising frameworks at bilateral or, ideally, multilateral levels. Publicising the results of such mapping exercises and recognition agreements is crucial, so that countries developing frameworks can align with existing frameworks in an agile way. It should also be acknowledged that accreditation organisations can be inundated with mapping requests and consideration should be made to involve others who can undertake such activities, for example academia.