Are cybersecurity jobs a profession or a vocation? When we consider the current workforce shortage in cybersecurity, our existing assumptions about the nature of cybersecurity jobs may be exacerbating the shortfall. For this reason, we may need to consider new ways of thinking about jobs within the cybersecurity field and the appropriate institutional structures that need to be in place to rapidly increase the available workforce.

When we look at the broader job market, there is a clear distinction between certain classes of jobs. Whether in the military (enlisted vs. officer), healthcare (medical technicians vs. doctors/nurses), or manufacturing (blue collar vs. white collar), this distinction enables these various industries to scale their training and hiring to address a broad range of workforce needs within their respective domain. A common factor that distinguishes between these classes of jobs is a college degree: a college degree is not required for a vocational job, but it is often required for professional jobs.

Within the cybersecurity industry, the prevailing mindset is that security practitioners are professionals. Thus, a direct consequence of this mindset is that a college degree is required for many cybersecurity jobs. A recent (ISC2) report indicates that 86% of the current cybersecurity workforce has a bachelor's degree or higher. Furthermore, a quick search on Indeed.com shows about 46,000 cybersecurity jobs, of which 33,000 (>70%) require a degree. However, many cybersecurity practitioners I know would rightfully argue that a college degree isn't needed to do most jobs in cybersecurity, and strict adherence to this requirement disqualifies many deserving candidates. But removing the requirement for a college degree raises the question: Are these actually professional jobs, or should they be recast as vocational jobs?

I would argue that these jobs may need to be seen as vocations instead of professions. Although many cybersecurity workers take pride in their professional status, many of their jobs (and thousands of unfilled cybersecurity jobs) are really vocational in nature and could be filled by those with the appropriate level of vocational training. In vocational schools, students focus almost entirely on learning the skills of their trade. By immersing themselves in a particular field, students practice tangible skills they will need and can apply to the workplace. Furthermore, this period of training can happen at an accelerated pace that produces qualified candidates in one or two years, if not sooner.

Regarding job duties, one general difference between vocational and professional roles is the expectation that someone in a professional role is empowered/burdened with the responsibility to make weightier risk management decisions. But what is it about a college education that qualifies someone for the professional ranks to make such decisions? In college, students are required to learn other disciplines outside of their majors. College students are encouraged to think laterally and connect the dots across multiple, disparate fields by studying diverse subjects simultaneously. However, this approach takes an average of four years or more before these candidates enter the workforce.

In many other job markets, there is roughly a 4:1 ratio of vocational jobs to professional jobs. Contrast that to the 1:2 ratio that we see in the cybersecurity job market. After four years, we could have as many as four times the number of vocational cybersecurity workers for every professional cybersecurity worker. But since the cybersecurity job market only offers one vocational job for every two professional jobs, we will have an imbalance that potentially takes away job opportunities for those that take a faster vocational path and leave critical positions unfilled.

As we head into 2022, the severe workforce shortage in cybersecurity will continue to threaten our ability to properly defend our digital ecosystem and way of life. Leveraging successful scaling patterns seen in other job markets, we should examine which of our unfilled jobs can be addressed through vocational training and adapt our hiring practices to enable a similar scale to address the shortfalls in the job market. At the same time, we should partner with cybersecurity-focused vocational training and education programs that equip a wider range of job seekers to qualify for these opportunities. By reexamining some of our traditional cybersecurity roles through the lens of vocational opportunities, we can build a more robust and adaptive workforce that can better defend against the complex cybersecurity threats of the 21st century.