MCSI #032 - Who decides who is a cyber professional and why trust them?
Professionalisation is both the mechanism that enforces an economic model and the ideology that justifies it. In this essay, I set out to analyse the Grant Opportunity Guidelines published by the Australian Government and ask dangerous questions.
1) Who called for professionalisation? Who was left out of the discussions?
The grant program claims its legitimacy in five words: “In response to industry calls” (p. 5). But who called? No sources are named - only an assertion that assumes its own truth. If these calls exist, the absence of details about them grants power. Confidentiality can be important in a government document, but it might also be a façade that power hides behind.
Cybersecurity isn’t one profession but many, with multiple voices. Each has different priorities and ideas about expertise. Yet, the text smooths over these differences, presenting a unified demand for professionalisation. Whose calls are amplified, and whose are ignored?
Shouldn’t we get the chance to ask: if this is going to determine our industry, which voices should be represented, and heard? How many is enough? Not everyone can be heard, but why do only a few get to shape the outcome?
We, as the industry, need to voice our perspectives now, and continue to voice them. It doesn’t matter who controls the scheme. What matters is to critically examine the processes and forces in place and the real-world impact they will have on an ever-evolving industry.
2) Where’s the proof?
By writing “In response to industry calls” (p. 5), the grant program frames the industry as unstructured and in need of an urgent response, with professionalisation as the only way to fix it. However, no evidence of the problem and no proof that professionalisation works is cited. Were other options ever considered? Are there better alternatives?
Professionalism promises that accredited cyber professionals will be properly trained. It promises confidence in skills. However, no evidence is cited that professionalism achieves this.
3) Does professionalisation provide clarity, or just power over definitions?
The scheme’s purpose is clear: “Provide employers and businesses with assurance that the cyber security professionals they hire have the necessary skills and training” (p. 5).
Yet, the term cyber is unstable. It evolves with technology and threats, always shifting in context. To define it is to distil it in a moment, to impose limits where none naturally exist. Unsurprisingly then, the grant program never defines what a cyber professional is - despite its promise to produce and regulate them.
Who benefits from not defining the very thing professionalisation is all about?
4) Will professionalisation remove barriers or create new ones?
The program claims to remove barriers. But to professionalise is to decide who can call themselves a cyber professional and who cannot.
How does it do that? By leveraging definitions, “skills frameworks” and “professional accreditation streams”. And how are these used? As barriers to entry into the profession and barriers within the profession to create a hierarchy.
If barriers did not exist, then professionalisation could not claim to “provide employers and businesses with assurance that the cyber security professionals they hire have the necessary skills and training” (p. 5).
Professionalisation therefore relies on barriers so that it can claim to provide assurances about skills and training. It also uses barriers to enact a hierarchy between cyber professionals that is based on certifications, skills, experience and titles. Once established, this hierarchy can only be challenged by changing the rules. And isn’t that the biggest of all barriers?
5) Is the pilot testing a system or training you to accept it?
The word pilot appears 14 times in the grant. It suggests something temporary, a test before a final decision. But is this really a test to gather feedback? Which feedback, and from whom, will inform change and which will not?
A pilot promises flexibility, but it also locks in precedent. Once the pilot begins, the conversation shifts from “should we do this?” to “how will it be done?”
The most concerning part of this pilot is that the winner gets to define the rules of how their performance will be measured and they self-report on their performance: “at the end of the project you will provide: an assessment of how your project has addressed the gap of a national professionalisation scheme and standard for cyber security professionals” (p. 10).
The government commits to performing its own review of the pilot based on “information you provide to us and that we collect from various sources.” (p. 4) The “various sources” are not listed. Do cyber professionals and employers benefit from this evaluation mechanism?
6) If expertise can exist without authority, why do we crave its approval?
The grant program gives cyber professionals little more than “clear career, skills, and education pathways”, while focusing on benefits for employers and businesses. Still, many will support it - not because it guarantees better cybersecurity, but because those who implement and oversee it offer incentives to do so. These incentives are belonging, money, status and power.
Professionalisation provides inadequate answers to questions that matter most in an industry but also in a career: Do I have skills that are progressing my industry? Is my knowledge up-to-date and cutting-edge? Am I following a checklist or truly understanding a complex problem?
Professionalisation does not just shape careers - it shapes minds. Will it make the minds of cyber professionals stronger or more complacent to rules?