Monday, February 20, 2017

Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap

Last year I wrote a dissertation in partial fulfillment of the requirements for my Master of Science in Security and Risk Management in the Department of Criminology at the University of Leicester in England. The title was: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap. The dissertation was submitted for examination in September of 2016 and in November it was approved by the examiners (who described it as ‘a meaningful and accessible, critically analysed report’ and also ‘a very pleasing piece of work’). I graduated in January, 2017.

That is when I decided to make the dissertation available to the public via the Internet and you can download it from here (PDF file). My primary motive for doing this is to enable any value that my work may provide – to the efforts to close the cybersecurity skills gap and advance the security profession – to be realized sooner, rather than later. After all, cybersecurity is a rapidly evolving field and many experts agree that the need to narrow the skills gap is urgent. Although the examiners said ‘elements of this dissertation are potentially publishable as journal articles and/or white papers’ I wanted to get the document out there in its entirety, and immediately. Of course, I may pull from, or build on, this work in peer-reviewed articles and white papers down the road, and it has informed several conference presentations that I have already delivered.

I should warn you that the dissertation is quite long – almost 25,000 words, although that count includes the 171 references. It runs to 68 pages but that includes screenshots of the survey instrument I used. Here is the Abstract to help you decide if you want to download the whole thing.


Pervasive criminal abuse of information and communication technologies has increased the demand for people who can take on the task of securing organizations against the increasing scope and scale of threats. With demand for these cybersecurity professionals growing faster than the supply, a problematic “cybersecurity skills gap” threatens the ability of organizations to adequately protect the information systems upon which they, and society at large, are now heavily reliant. This dissertation focuses on one barrier to closing the cybersecurity skills gap: the current paucity of knowledge about key work roles within the cybersecurity workforce – such as Chief Information Security Officer or CISO – and questionable assumptions about what it takes to perform such roles effectively. Putting resources into closing the cybersecurity skills gap without the benefit of objective research puts those efforts at risk, a possibility that has serious negative implications for society. The dissertation employs a review of the literature to map the dimensions of the cybersecurity skills gap and identify assumptions underlying different efforts to close it. Several hypotheses are formulated regarding current assumptions about the cybersecurity workforce and then tested through a combination of secondary analysis using data from a large cybersecurity workforce survey and primary research using a smaller dataset of people employed in advanced cybersecurity roles. The results tend to confirm that cybersecurity professionals exhibit characteristics and personality traits distinct from those of other workers and other IT professionals. Also confirmed is the high value that CISOs attach to soft skills like communication, relative to technical knowledge, or even information security degrees and professional certifications. 
The research implies that efforts to close the cybersecurity skills gap may be imperilled by a lack of research into the personalities and characteristics of effective cybersecurity professionals. The dissertation concludes with recommendations for further work in this crucial field of study.

Secondary motive 

A secondary motive for publication is to provide, for anyone contemplating a programme like the English university MSc that I went through, a concrete sample of the type of work that this encourages and enables. That is why I have included in the publication some of the appended elements, like the survey instrument, that often do not make it into journal articles. I did alter the formatting of the dissertation slightly, converting from A4 to US Letter (because I live in the US and know what a pain it can be to print A4 on a US printer). However, I should warn anyone quoting from this work that I left the UK spelling in place. On the plus side, in preparing the document for publication I was able to fix several typos that I missed earlier.

The degree programme itself, and my opinions about it, are the subject of several articles available online on my personal blog at The short version is that I found this distance learning graduate programme very rewarding, both personally and professionally. I have to say it was challenging to complete the work within the standard two years while keeping up with my full-time employment, but the university is very understanding about extending the time you take if circumstances warrant. For example, one of my peers, who serves in the military of a European country, was assigned to the Middle East unexpectedly and took a six-month extension to relocate. An international perspective was one of the unexpected benefits of the programme – the 33 graduates in my cohort came from many different countries, from Afghanistan to Zimbabwe.

I will point out that the programme was relatively affordable when I started and became more so over time as the exchange rate of the UK pound shifted in favor of the dollar and some other currencies. I should also note that I have been very fortunate to work for a security software company (ESET) that believes in further education and offers a generous tuition reimbursement plan. Finally, while the push to complete this dissertation and the coursework that preceded it did consume many weekends and all of my paid vacation, I have to say it was worth it.

Here again is the download link for the dissertation in PDF format: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap
