Tuesday, February 21, 2017

Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap

Importance of 12 attributes to being a successful information security professional (5 point scale)
What CISOs said was most important attribute for success

The cybersecurity skills gap is a serious problem for many countries, a problem that I have been studying for some time. As different public and private entities involved in workforce development wrestle with this problem, they may find my research to be of some assistance. It might also be helpful for individuals considering a career in cybersecurity. For example, I took a hard look at what it takes for a person to be successful in cybersecurity roles, particularly the role of Chief Information Security Officer or CISO.

Another survey ranking of attributes needed to be a successful security professional

My research and findings are published in this 68-page document: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap (PDF). This was the dissertation for my master's in security and risk management. The university examiners described it as "a meaningful and accessible, critically analysed report" and "a very pleasing piece of work".

I decided to make this pleasing piece of work available to the public via the Internet so that any value it may provide – to the efforts to close the cybersecurity skills gap and advance the security profession – can be realized sooner, rather than later.

Although the examiners said "elements of this dissertation are potentially publishable as journal articles and/or white papers", I wanted to get the document out there in its entirety, and quickly. Of course, I may pull from, or build on, this work in peer-reviewed articles and white papers down the road, and it has already informed several conference presentations that I have delivered.

(Update, 2020: one article that draws on this study is: Advancing Accurate and Objective Cybercrime Metrics, in the Journal of National Security Law and Policy.)

Note that the Getting to Know CISOs document is quite long: almost 25,000 words, with 171 references, and filling 68 pages including screenshots of the survey instrument that I used. The following abstract may help you decide if you want to download the whole thing.