In today's increasingly digitized workplace, individual and organizational computer and digital security literacy has become as important as computer application software literacy. Current research indicates that an organization's staff tend to expect consequences for poor IT habits in the workplace to be mitigated by the IT department, rather than staff taking proactive responsibility for poor IT habits. This lack of workplace IT literacy has contributed to "record years" of security challenges and security breaches, with each succeeding year surpassing the last. Organizations, no less than individuals, need familiarity and compliance with digital security best practices. While the unemployment rate for potential employees with IT skills as of May 2018 is under 2% in the U.S., the unemployment rate for potential employees with cybersecurity skills is 0% as of February 2019. In addition to the competition for qualified employees, government organizations have various hiring filters that may screen-out otherwise qualified persons, further complicating their hiring efforts. With the increasing demand for workplace cybersecurity skills, cyber "units" focus on prevention, maintenance, and deterrence of cyber security breaches of infrastructure, proprietary information, and political discord. These units are becoming an increasingly integral component in business and nation-state governments. Rather than developing separate, distinct, and potentially confusing additional certifications, the U.S. Department of Defense (DoD) established staff position requirements based on existing vendor and vendor-neutral information assurance (IA) and cybersecurity professional certifications. DoD Policy Directive 8570 (2004) and Policy Directive 8140 (2015) address mandatory requirements for relevant DoD staff, contracted civilian employees, and liaison personnel. Given the size of the DoD, this has created a de facto "ripple effect" throughout the U.S. cybersecurity employment market. Organizations (contractor, state, and local) that do not have a similar policy find themselves in compliance with it - just in case they find they need to interface with the DoD at some point. Other human resources departments could easily use a similar technique, gauge new applicants' qualifications using a checklist of required vendor and vendor-neutral security certifications as a minimum baseline for relevant positions. The purpose of this paper is to suggest that understanding an IA policy, such as the U.S. DoD's, with established structure and requirements for all IA personnel may be of value for individuals, establishing exactly what credentials the organization is seeking, and for organizations and governments seeking to find qualified job candidates for those positions.
