Certification Survey Extra is a series of periodic dispatches that give added insight into the findings of our most recent Certification Survey. These posts contain previously unpublished Certification Survey data.
Last week in this space we took our first look at data from our recent Security Certification Survey regarding the role of government in cybersecurity. If you think about cybersecurity as being, to some extent, part of the essential infrastructure of a modern society, then it's logical to expect that government should have a role in maintaining that infrastructure.
One problem that affects nearly all infrastructure projects is the issue of personnel. Once a network of roads, or a water treatment plant, or whatever it is, has been put in place, people are required to maintain and expand the original undertaking. That, in turn, requires that specialized knowledge be transferred to a constantly changing pool of experts.
What happens if there aren't enough people who pursue that branch of specialized knowledge to preserve and expand critical infrastructure? We're finding out right now, as corporations and other prospective employers compete with government to retain the services of an ever-dwindling supply of skilled information security professionals.
There already aren't enough skilled personnel to satisfy everyone's demand. So here's another point where the presence of government in cybersecurity policy is in question. Will the problem eventually work itself out? Or do we need a few judicious nudges from the legal system to help create a solution?
There's a strong sentiment among many that cybersecurity training should be an element of public education. Kids who learn the basics of cybersecurity at a young age are both more likely to reinforce needed overall awareness of sound cybersecurity practices, and more likely to eventually take an interest in cybersecurity careers. Should government help to push that agenda along?
Here's what learned by asking survey respondents to rate their level of agreement with two key statements:
Statement 1: Government should aggressively promote cybersecurity curriculum in public education.
Strongly Agree: 42.2 percent
Agree: 35.7 percent
Neither Agree nor Disagree: 16.9 percent
Disagree: 4.5 percent
Strongly Disagree: 0.6 percent
Statement 2: Government should mandate cybersecurity curriculum in public education.
Strongly Agree: 22.2 percent
Agree: 31.4 percent
Neither Agree nor Disagree: 33.3 percent
Disagree: 10.5 percent
Strongly Disagree: 2.6 percent
Perhaps the first thing to note here is that, among the certified information security professionals who responded to the survey — people on the front lines of an increasingly chaotic struggle to maintain order — almost no one disagrees that government should either strongly encourage or directly mandate the inclusion of cybersecurity curriculum in public education. For most of these men and women, getting cybersecurity into the schools is clearly an idea whose time has come.
There is, it would appear, a degree of hesitation about having direct input from government in cybersecurity and public education matchmaking. As indicated by comparing the numbers of those choosing to neither agree nor disagree, a notable chunk of certified IT professionals are much more comfortable with government leading the charge but not necessarily laying down the law. "Aggressively promote" is clearly more acceptable to some than "mandate."
In essence, however, there's a deomstrably strong belief that teaching children cybersecurity is an important element of addressing shared cybersecurity concerns. And since government already has a leading role in determining the course of public education, it would seem that many are looking to established channels to bring about the needed increase in security focus.
Note: Click here to read Part 1 in this series.