Tuesday, February 21, 2017

Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap

(Figure: Importance of 12 attributes to being a successful information security professional, 5-point scale; what CISOs said was the most important attribute for success)

The cybersecurity skills gap is a serious problem for many countries, a problem that I have been studying for some time. As different public and private entities involved in workforce development wrestle with this problem they may find my research to be of some assistance. It might also be helpful for individuals considering a career in cybersecurity. For example, I took a hard look at what it takes for a person to be successful in cybersecurity roles, particularly the role of Chief Information Security Officer or CISO. 

(Figure: Another survey ranking of attributes needed to be a successful security professional)
My research and findings are published in this 68-page document: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap (PDF). This was the dissertation for my master's in security and risk management. The university examiners described it as "a meaningful and accessible, critically analysed report" and "a very pleasing piece of work".

I decided to make this pleasing piece of work available to the public via the Internet so that any value it may provide – to the efforts to close the cybersecurity skills gap and advance the security profession – can be realized sooner, rather than later.

Although the examiners said "elements of this dissertation are potentially publishable as journal articles and/or white papers" I wanted to get the document out there in its entirety, and quickly. Of course, I may pull from, or build on, this work in peer-reviewed articles and white papers down the road, and it has already informed several conference presentations that I have delivered.

(Update, 2020: one article that draws on this study is: Advancing Accurate and Objective Cybercrime Metrics, in the Journal of National Security Law and Policy.)

Note that the Getting to Know CISOs document is quite long: almost 25,000 words, with 171 references, and filling 68 pages including screenshots of the survey instrument that I used. The following abstract may help you decide if you want to download the whole thing.
Pervasive criminal abuse of information and communication technologies has increased the demand for people who can take on the task of securing organizations against the increasing scope and scale of threats. With demand for these cybersecurity professionals growing faster than the supply, a problematic “cybersecurity skills gap” threatens the ability of organizations to adequately protect the information systems upon which they, and society at large, are now heavily reliant. This dissertation focuses on one barrier to closing the cybersecurity skills gap: the current paucity of knowledge about key work roles within the cybersecurity workforce – such as Chief Information Security Officer or CISO – and questionable assumptions about what it takes to perform such roles effectively. Putting resources into closing the cybersecurity skills gap without the benefit of objective research puts those efforts at risk, a possibility that has serious negative implications for society. The dissertation employs a review of the literature to map the dimensions of the cybersecurity skills gap and identify assumptions underlying different efforts to close it. Several hypotheses are formulated regarding current assumptions about the cybersecurity workforce and then tested through a combination of secondary analysis using data from a large cybersecurity workforce survey and primary research using a smaller dataset of people employed in advanced cybersecurity roles. The results tend to confirm that cybersecurity professionals exhibit characteristics and personality traits distinct from those of other workers and other IT professionals. Also confirmed is the high value that CISOs attach to soft skills like communication, relative to technical knowledge, or even information security degrees and professional certifications. 
The research implies that efforts to close the cybersecurity skills gap may be imperilled by a lack of research into the personalities and characteristics of effective cybersecurity professionals. The dissertation concludes with recommendations for further work in this crucial field of study.

Secondary motive 

A secondary motive for publishing this work is to provide a concrete sample of the type of output that this distance learning master's degree encourages and enables. That is why I included in the publication some of the work elements, like the survey instrument, that often do not make it into journal articles.

Also, I adjusted the formatting slightly, converting from A4 to US Letter (because I live in the US and know what a pain it can be to print A4 on a US printer). However, I should warn anyone quoting from this work that I left the UK spelling in place. On the plus side, in preparing the document for publication I was able to fix several typos that I had missed earlier.

I've written about the degree programme itself on my personal blog at www.CobbsBlog.com. The short version? I found the whole experience very rewarding, both personally and professionally.

While I realize that there is some irony in doing degree-level research which suggests that degree-level education is not an essential prerequisite for meaningful and well-paid employment in cybersecurity, I see great benefit to individuals and society of an alternative career path that goes from high school > apprenticeship + employment > postgraduate degree > career advancement.

Here again is the download link for the dissertation in PDF format: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills
