
Are we a trade or a profession?
Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.
At 750 words, this briefing is about a 4-minute read.
Professionalizing cyber.
Cybersecurity has a crisis of identity. Is the field a profession? A vocation? A trade?
These identity questions have had notable impacts on the field and the way both new workers and organizations have adapted and responded.
The National Academy of Sciences' (NAS) report first broke down the state of the cyber industry in 2013. The report considers the impacts of professionalizing the cyber workforce and what criteria would be needed to do so. Additionally, the report highlights the following conclusions:
- A need for more attention to the capacity and capability of the cyber workforce.
- The difficulty of forecasting the needs of the cyber workforce.
- How professionalization varies noticeably according to role and context, and cannot be treated as a single occupation or profession.
- The wide range of backgrounds and skills needed for an effective cyber workforce.
- Professionalization has multiple goals and can occur through multiple mechanisms.
- The professionalization path can be slow and difficult, and not all portions can and should be professionalized simultaneously.
- Professionalization has costs and benefits that must be weighed before starting the process.
Since this report was published, the cyber industry has remained unable to decide how it should classify and oversee itself. Subsequent research and analysis have not only echoed the sentiments originally pointed out by the NAS report but have also expanded on this conversation.
The state of the cyber industry.
In 2022, Sounil Yu, the CISO and Head of Research at JupiterOne, discussed the state of the cyber industry.
- Yu emphasizes that the prevailing mindset is that security practitioners are professionals, which results in collegiate degrees being required for many cyber jobs.
  - Yu cites an ISC2 Report, which found that over 86% of the current cyber workforce had a bachelor’s degree or higher.
  - Yu also notes that of the over 45,000 cyber jobs at the time, over 70% also required a college degree.
  - Despite the industry overwhelmingly having and requiring degrees, Yu notes that many practitioners would say that a degree is not needed for most cyber jobs and that “strict adherence to this requirement disqualifies many deserving candidates.”
- Yu argues that cyber jobs need to be seen as vocations instead of professions.
  - Yu contends that in many other job markets, there is a roughly 4:1 ratio of vocational jobs to professional jobs, whereas in cyber, there is a 1:2 ratio of vocational jobs to professional jobs.
  - This stark imbalance could have notable implications, which could potentially reduce job opportunities and leave critical positions unfilled.
ISC2 republished this report for 2024, assessing the current cyber landscape and how various pressures have impacted the field. The report's key findings included:
- Current cybersecurity teams do not have the necessary skills to meet their goals.
  - There has been an increase in the number of people needed globally to secure organizations, yet employers are cutting back on both hiring efforts and professional development.
  - 60% of the respondents agreed that these skill gaps have already significantly impacted their ability to secure the organization, with 58% stating it puts their organizations at significant risk.
- Pathways to enter the cybersecurity workforce are changing.
  - Cybersecurity is still focused on hiring from higher education institutions.
  - More entrants to the field are trending to older ages (39- to 49-year-olds).
- Diverse backgrounds help solve talent gaps.
  - While IT is the traditional path into cyber, more entrants come from different backgrounds or verticals.
- AI advancements will change the ways people address skill shortages.
  - As AI systems likely replace some technical skill needs, participants have speculated on what other skills will be automated and/or streamlined.
  - Due to this uncertainty, hiring managers are pausing efforts to hire specialized workers and instead focusing on nontechnical skills.
- AI will present both benefits and challenges for cybersecurity.
  - Presently, roughly 45% of cybersecurity teams have implemented AI into their tools to help bridge skill gaps and improve security efforts.
  - However, respondents also noted that the other departments implementing AI tools have created more challenges for professionals regarding data privacy and security concerns.
Given the industry's identity issues, the cybersecurity field is still no closer to solving these challenges. Even with these large identity challenges unresolved, professionalization is still a viable solution to many of these problems. Through professionalization, industry leaders and prospective talent can get the authority needed to execute in the ways cybersecurity impactors ought to.