Monday, February 20, 2017

Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap

The cybersecurity skills gap is a serious problem for many countries, and it is a problem that I have been studying for some time. As different public and private entities involved in workforce development wrestle with this problem they may find my research to be of some assistance.

[Figure: One survey suggests that these are the attributes most needed to be a successful security professional]
The largest opus I have completed is: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap (68-page PDF). This is the dissertation for my master's in security and risk management (kindly described by the university examiners as "a meaningful and accessible, critically analysed report" and "a very pleasing piece of work").

I decided to make this available to the public via the Internet so that any value it may provide – to the efforts to close the cybersecurity skills gap and advance the security profession – can be realized sooner, rather than later.

Although the examiners said "elements of this dissertation are potentially publishable as journal articles and/or white papers" I wanted to get the document out there in its entirety, and quickly. Of course, I may pull from, or build on, this work in peer-reviewed articles and white papers down the road, and it has informed several conference presentations that I have already delivered.

Note that the document is quite long, almost 25,000 words, although that includes the 171 references. It runs to 68 pages including screenshots of the survey instrument that I used. Here is the Abstract to help you decide if you want to download the whole thing.
Pervasive criminal abuse of information and communication technologies has increased the demand for people who can take on the task of securing organizations against the increasing scope and scale of threats. With demand for these cybersecurity professionals growing faster than the supply, a problematic "cybersecurity skills gap" threatens the ability of organizations to adequately protect the information systems upon which they, and society at large, are now heavily reliant. This dissertation focuses on one barrier to closing the cybersecurity skills gap: the current paucity of knowledge about key work roles within the cybersecurity workforce – such as Chief Information Security Officer or CISO – and questionable assumptions about what it takes to perform such roles effectively. Putting resources into closing the cybersecurity skills gap without the benefit of objective research puts those efforts at risk, a possibility that has serious negative implications for society. The dissertation employs a review of the literature to map the dimensions of the cybersecurity skills gap and identify assumptions underlying different efforts to close it. Several hypotheses are formulated regarding current assumptions about the cybersecurity workforce and then tested through a combination of secondary analysis using data from a large cybersecurity workforce survey and primary research using a smaller dataset of people employed in advanced cybersecurity roles. The results tend to confirm that cybersecurity professionals exhibit characteristics and personality traits distinct from those of other workers and other IT professionals. Also confirmed is the high value that CISOs attach to soft skills like communication, relative to technical knowledge, or even information security degrees and professional certifications. The research implies that efforts to close the cybersecurity skills gap may be imperilled by a lack of research into the personalities and characteristics of effective cybersecurity professionals. The dissertation concludes with recommendations for further work in this crucial field of study.

Secondary motive 

A secondary motive for publishing this work is to provide a concrete sample of the type of output that this distance learning master's degree encourages and enables. That is why I included in the publication some of the work elements, like the survey instrument, that often do not make it into journal articles.

Also, I adjusted the formatting slightly, converting from A4 to US Letter (because I live in the US and know what a pain it can be to print A4 on a US printer). However, I should warn anyone quoting from this work that I left the UK spelling in place. On the plus side, in preparing the document for publication I was able to fix several typos that I missed earlier.

I've written about the degree programme itself on my personal blog at The short version? I found the whole experience very rewarding, both personally and professionally.

While I realize that there is some irony in doing degree-level research which suggests that degree-level education is not an essential prerequisite for meaningful and well-paid employment in cybersecurity, I see great benefit to individuals and society of an alternative career path that goes from high school > apprenticeship + employment > postgraduate degree > career advancement.

Here again is the download link for the dissertation in PDF format: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap
