Academic Versus Professional Qualifications

Professionalism represents a monopoly of expertise over an area of deep, abstract knowledge.

Many well-established professions are strongly associated with advanced academic learning;

indeed the establishment of a degree programme is a key stage in the process described by Wilensky (1964). Whilst many comments discussed the role of “qualifications” as a general case, thereby creating a counter-argument for distinguishing between academic and professional qualifications at a coding level, this section looks mainly at academic education and where this is distinguished from qualifications in general. This is due partly to sensitisation from the literature review itself (suggesting that pre-career education is a success marker for a professionalisation campaign) and because the interviewee group included academic and professional certification providers allowing a contrast to be made.

Whilst the literature insists a professional claim must be to theory-based expertise, a strong case

was made – by all interviewee types but particularly practitioners – for distinguishing between learned theory, and practical experience and judgement, stressing the pre-eminence of the latter.

The data suggested not just that additional soft skills are needed in the workplace, but that theory and practice may even conflict.

“When you're doing your ISACA exams ... you get questions which you've got to demonstrate a textbook response for, but actually in reality the question and the answer aren't what would happen in the real world.”

[FIN31E-AN72]

Although less common, there was even some scepticism shown towards those with qualifications.

“Theoretical qualifications ... aren't all that great because they've got very little to do with real life. I've seen a lot of people come through here with computer science degrees who haven't got a clue how to send an email.”

[TEC11S-ID48]

Whilst obviously feeling that their courses did prepare students for an entry-level position in the workforce, even the educators noted the importance of going on to gain experience.

“[Our students] all think they can walk out of this door and become a consultant. Now I worked for years before I went out as a consultant, and I still feel in every job that I've learned from the last one.”

[EDU24E-CL05]

The text in this section strongly questions whether possessing certificates is a guarantee of competence, deterring the enrolment of the practitioners and employers in the network described in Fig. 11. All of the professional bodies made particular reference to the requirement to have experience, which is significant since it marks a distinction between learned knowledge and taught facts, underlining the claim to professional status rather than simple examination success.

With two exceptions, who were both technical analysts, the clear feeling from the practitioners was that a specialist degree was not a necessary step for employment in the industry (some unaware even that such qualifications existed). Generally although not hostile towards them there was little enthusiasm for vocational security degrees. The educationalists were predictably far more positive about their worth, feeling that although they did not create the finished article they form a useful grounding of knowledge for a later career.

This is seen as highly significant as a negative finding seen against the professionalisation literature; if one were to contrast this with law lecturers and practising solicitors, a more powerful and harmonised statement of the almost essential nature of graduate pre-qualification

would surely be seen. Is this then a failure to professionalise, or a failure of the orthodox concept of professionalism in a modern profession?

The educationalist attitude is in line with the literature with respect to abstract knowledge. The conceptual nature of academic study – upon which the more transient knowledge of contemporary fashions can be overlaid using timeless principles – was strongly emphasised.

“I would prefer seeing a university degree [as] something that gives the ability to a student to adapt to any circumstances ... rather than making a graduate which is highly specialised but if you change something ... is completely useless.”

[EDU54E-CL11]

There is an interesting juxtaposition here with the distinction seen both in this data and in the literature between technical and social security concepts. Information about a particular state or moment in the development of technology was seen as a transient issue; by contrast “depth”, the principles of analysis and the underlying understanding behind the action, was seen as fundamental to the whole span of a career. Professional qualifications were seen as being far closer to tests of current knowledge and providing competent services, but without the intensity of contact time required to instil deep conceptual learning.

“Degree courses demonstrate … an in-depth level of understanding and a demonstrable ability to analyse problems and apply new techniques and synthesise ideas.

Accreditation does not do that. Accreditation demonstrates a broad understanding of a subject area.”

[EDU27E-CL05]

Interestingly there was little dissent from the professional groups, who were not interested in certifying abstract learning, rather attesting to well-maintained knowledge.

“A security master's is about understanding … in reasonable depth security ... [Our credential] doesn't care about that, it just says, ‘Do you know at this level?’”

[PRO29E-PO42]

For those in mid-career, the prospect of undertaking a degree with its associated years of study is potentially impractical, with professional certification far more palatable. Thus from the standpoints of entry demographics, function and content, academic and professional qualification providers did not see themselves as in competition with each other, rather providing complementary products. Universities however did not see their role merely to teach the esoteric concepts of security theory but also to prepare students for employment and thus value industry speakers and even offer basic professional qualifications alongside their own courses. They are preparing a generation of students who have undertaken vocational courses with a view to employment who will gradually replace those who “migrated” from other disciplines.

In order for a course to be offered at a university (which educators reported must at least cover its own costs and should ideally generate income), sufficient student numbers must be enrolled.

Students are attracted by the reputation of the university, which in turn translates to a more prestigious academic record. As competition increases, the fees chargeable by the more academically respected institutions can rise, particularly in the less regulated postgraduate market. Students in turn must justify the financial investment demanded, thus universities looking to enrol students must provide apparent guarantees of access to a career following the degree, thus employability statistics are highly relevant alongside the device of the degree certificate itself.

In turn, university departments (who reluctantly noted they must successfully market themselves to fee-payers) are approaching industry to assist in the design of degree courses to ensure employability and thus (through employment statistics) maintain an attractive credential. This is important, since a concern from the practitioners was how academic institutions divorced from day-to-day security work could maintain a relevant curriculum given the high rate of change in the subject matter. One answer given was for academics to undertake professional consultancy work in industry, providing an interesting blurring of the actors' identities in the network.

One educator reported a gap between their students’ expectations – or perhaps their original impressions of security practice – and their experiences during the course.

“In the first year they have this concept of security as something fascinating, something joyful, but then they gradually start realising the seriousness of the situation.”

[EDU54E-CL11]

In terms of the network, although difficult without input from the students, it is necessary to attempt to see or predict the effect of this. Obviously it is important for the student and could even affect their choice of career afterwards, however university training is a socialisation process, therefore at the same time (according to orthodox models) they are being conditioned to align with the norms of the profession. Given this and the degree of investment into what is a relatively vocational qualification, it is predicted that the impression given pre-enrolment is the important one and subsequent change would be a less significant path to reversibility. The university is therefore initially an apparent passage point not simply to a career but an exciting role. Even if this impression changes during the course, the network’s “potential student” actant has done its work; individuals transform into different actants over time as they become more experienced.

Within the course design elements, there is evidence of “security in its technical context”

persisting. Whilst there was mention of the social aspects, on balance course content is

influenced by the technical background of the course lecturers amongst other factors. Given pressures of time and resourcing, each potential module must compete to win or keep its place in the curriculum. Each module can offer a passing grade to the student, thus there might be pragmatic or game-based reasons for their choices, however where choice was made available it appears that socially-informed courses are chosen at a reasonable rate and this will have an effect on the graduates produced.

It is possible to represent the network fragment described above diagrammatically, as in Fig. 12:

University (Focal Actant)

Degree Employer

Student

Government

Device of Interessement

Discharge obligation to certify quality OPP for establishing

Competence when Hiring

OPP for Employment and Training

University Access to sufficient or

higher student Fees Translation achieves...

Fig. 12: Network fragment observed with respect to academic qualifications.

Whilst security courses are increasingly popular, universities have not yet established themselves as the sole passage point to a security career. The translation in Fig. 12 is therefore unstable and incomplete, since not only can the provider be displaced by other institutions (and subjects with greater potential reward and/or status), but the degree itself is not indispensable.

This said, other factors are not represented: the student will have contemporaries, cultural inclination and predictable workplace competition which might make graduate status appealing, for which the class “University” is an OPP and for which they have finite financial and academic capital to buy from the market.

The data showed clear potential for change. Government action in answering industry’s call for more practitioners will surely increase the supply of graduates, potentially squeezing out those non-graduates who cannot compete on some other basis for entry; the degree device could therefore still be a powerful one. Universities certainly appeared to regard security careers as almost necessarily proceeding from graduate study, whereas neither government nor the practitioners are currently convinced. This may further undermine the unity of the role;

government for example saw security as having too many constituent roles and too many levels

of practice to be an exclusively graduate profession, but acknowledged the positives of graduate study at master's level.

“Doesn't have to be [a graduate profession]. I mean, we run an apprenticeship scheme ...

for people coming through. I think you have to have a certain aptitude and it depends what the particular job is as well, what the particular work is. Because there's different roles, different skill sets needed and some of those skill sets are very attuned to people who have come through more vocational education and training. So no.”

[GOV01E-GV01]

Government actions will act to modify the market, introducing through CESG approval processes for master’s degrees in security (at the time of interview). Since security became a popular subject for study, alongside those with strong genuinely security-centred courses, others apparently relabelled existing programme modules as “security” to make them more marketable.

Although surprising, this was confirmed by several sources, for example:

“I know of higher education institutions that will call something an IT Security degree when in fact it is the computer science degree with maybe one module of IT Security attached to it, which is not entirely desirable.”

[EDU45E-CL31]

Within the network, therefore, the status of any given degree programme as a pathway to a quality security graduate becomes suspect. Universities must assess whether the likely commercial benefit to taking the steps needed to obtain the “quality marker” badge can be justified against the cost of doing so. Internally the academics may wish to have confirmation of the quality of their course for prestige or professional pride, however in the financial reality of higher education, it is seen simply as a business opportunity.

“And so if it turned out that the cost of getting GCHQ certification was not justified by the perceived extra income that would result from it, then I think the department would not be interested in getting the certification.”

[EDU66E-CL71]

The network acted to push for a test of quality when government found itself being requested to recommend or certify the high-quality degrees from amongst the eighty-five then-available programmes. It therefore found itself with a role which it felt unable to discharge.

“As a government department I can't say, ‘Go to that university rather than that university,’ because I have to be fair. And at the end of the day, I don't actually know whether that course is any good. So what we did was we set out doing that certification with the aim that it will help people to navigate through the complicated world of the education that’s out there.”

[GOV1E-GV01, emphasis added]

Seen against the professionalisation theses of authors such as Wilensky (1964), this is an opportunity to press for a professional body. The case for regulation of an area of knowledge has been made and accepted in this specific regard by government. Government needs to delegate

its by-default responsibility for national coordination, candidate bodies exist and yet the delegation of authority is to a panel; GCHQ retains the visible ownership of the badge which is awarded even though it does not directly assess the programmes.

The driving focal actor here is therefore seen to be the government (shown in Fig. 13), which according to historical models is unusual in the UK. This suggests a weak or ineffective campaign for control of knowledge by the relevant nascent profession.

Government

Fig. 13: Network fragment observed with relation to GCHQ accreditation of master’s degrees.

The practitioners were cautious in their approach to university education, stressing the paramount importance of experience. Such people were however not themselves recruited from an academic background thus they are possibly suspicious of any mandatory graduate education for “competent” status (F. Piper, pers. comm.). This would either leave them unqualified for their own role or facing the considerable task of undertaking a degree alongside full-time employment to learn knowledge they would already claim mostly to have. Conversely they were themselves required to be pathfinders in a new field of practice, learning their trade from a variety of sources, thus naturally they would be expected to favour field experience over theoretical knowledge.

“I didn't have any qualifications when I came into the role, no specific security qualifications, you just had to have an aptitude, a willingness, an interest, and that seemed to be enough to inspire people to give me a chance for the role.”

[CHA31E-SM07]

This is a serious threat to the irreversibility of the current network, but the increased supply of

security graduates will necessarily change the make-up of those entering security. Since it was already seen that the current generation of managers and CISOs in large part were unable to follow this entry path, it is surely reasonable to expect these new vocational graduate entrants to go on to occupy senior roles to a greater degree than at present, where they will in turn appoint future entrants. These people will surely consider graduate training to be more useful and hence increase the effectiveness of the universities’ degree device. In addition, it was acknowledged that graduates might have an advantage ceteris paribus over non-graduates as the wave of additional security graduates may address the current shortfall of talent; this may change the balance between hiring manager and entrant, thus generating more competition amongst entrants and favouring graduates.