Conversations about cyber security professionalisation tend to be dominated by a familiar cast of stakeholders: government departments and agencies, large employers, certification bodies, academic institutions, and a smattering of non-governmental organisations. These all have important roles to play, particularly in enacting some of the proposals suggested herein, but they do not represent the complete cyber security community.
Any discussion about the community ought to have appropriate representation from a range of voices to ensure a diversity of views and experiences are taken into account when developing the cyber security profession. Two stakeholders can be particularly identified as requiring more effort to integrate into the conversation. First, there is a potentially untapped pool of talent in what might be called uncertified excellence: individuals with relevant cyber security knowledge, skills, and possibly experience, that have not been recognised through certification or other accreditation (for example university degrees). These people can be aspiring or existing cyber security professionals, but their voice is underrepresented in discussions shaping their own profession.
Second, small and medium enterprises (SMEs) – both cyber security SMEs and SMEs in other sectors. Cyber security SMEs need cyber security professionals to deliver their core business services or products. Other SMEs have a more complicated need for cyber security skills, often lacking resources for dedicated personnel and instead needing people who can perform cyber security roles as add-ons to other roles. The cyber security profession should cater to these needs, and therefore have these voices adequately represented in the development of the profession.
To ensure the voices of uncertified excellence and SMEs have opportunities to be involved in professionalisation discussions, it is possible to extend efforts towards interoperability. By emphasising a skills-first approach in interoperability, rather than an accreditations-first or experience-first approach, those people who have skills but not accreditations or experience can be foregrounded. Similarly, a skills-first approach would aid SMEs, particularly non-cyber security SMEs, in accessing the skills they need for their specific requirements. A skills-first approach would provide a focal point for making frameworks and standards interoperable.