Infosec Job Classification Long Overdue
The Office of Personnel Management initiative to define federal government cybersecurity jobs is a needed step toward the creation of occupation categories for government IT security professionals. None exists, and that's a problem.
With proper occupational classifications for IT security, not only does it help simplify recruiting - recruiters would know the specific expertise to seek - but job categories would facilitate proper training by defining what skills need to be developed.
As Jerry Davis, NASA's deputy chief information officer for IT security, lamented in an interview with me in July that government cybersecurity professionals are lumped together in a job series with other IT specialists.
"In my estimation, and I think if you talk to some of my colleagues around the federal government, that it's about time that security has its own job series. It's becoming a very specialized profession, and there's just not enough people in the profession today. You kind of rob and steal from other agencies because the profession is in distress, there's just not enough IT professionals."
It's not just the feds that need to classify IT security professionals in their own occupation categories, but states and municipalities; they also see an advantage of creating cybersecurity job categories. Here's what Minnesota chief information security officer Chris Buse told me in an another interview in July:
"One of the issues that we have right now is that we don't have a good HR infrastructure set up for security professionals, in fact, there is no security job class in our government HR system. ... We want to create an entire series of positions and job classes for security professionals in government. It is a piece of the infrastructure that you need to have there if you are going to be successful."
And, to succeed in cybersecurity is a fact that government can't ignore.
OPM is heading in the right direction. Once the federal government establishes IT security occupational classifications, it's likely local and state governments will follow suit.
The time to create IT security occupation classifications is long overdue.