Do you know what your career path as a cybersecurity professional is? Have you ever really thought about it? Most have not, according to a study jointly published by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) in November 2016. The study reported that 65% of the 437 professionals surveyed do not have a clear career path.
When you talk to those who have been in the field for any length of time, you quickly discover that the progression of their careers has been what some describe as “dumb luck.” Most fell into information security (or cyber security, as most have come to know it) as a result of “something happening” in their environment, whether it was a breach, the release of new regulations, or simply being the only one in the office when something suspicious happened.
Our profession has been built on reaction to what is going on in the environment. Think about how it started: someone broke into the computer network, and fingers were pointed at members of the IT staff to go figure out what happened and address the issue immediately. Then the directive was to figure out how it happened (and so computer forensics was born) and to make sure it didn’t happen again (and so system hardening, policies, and governance were born). It wasn’t until this scenario had played out time and time again that the State of California passed S.B. 1386, which requires businesses to notify California residents when their personal information is exposed in a breach. That was the catalyst for getting businesses to pay attention and move to a proactive stance.
Why do I tell this story? Because, like students of history, it is important that we learn from our mistakes; being a reactive profession has been painful at times. One could argue that because our profession is reactive, there is a lot of confusion as to what exactly our job is. We see it as reducing risk to the organization, IT sees it as making sure the organization is compliant, and the business isn’t quite sure what we are supposed to do, aside from the fact that it needs to have security in order to meet regulations. Sure, we can keep going back to our job descriptions, but many of those are written so that they are open to interpretation. Is it any wonder, then, that we don’t meet expectations? Without an internationally accepted career map, with agreed job titles, descriptions, and definitions, we will continue to feel that pain.
The challenge is that moving from a reactive profession to a proactive one is complex and requires coordination from leadership. I have been an information security/cybersecurity professional for close to 30 years and have yet to see or know of a globally accepted career map for cybersecurity professionals. Several organizations have attempted to standardize career maps, including the ISSA with its Cyber Security Career Lifecycle, but more needs to be done to ensure international collaboration on these efforts.
Why is this important? Without a clearly defined career map, how do we explain and teach what our jobs are? How are we to know what skills and knowledge we need to be successful in our current jobs? What knowledge, skills and abilities (KSAs) do I need to strengthen to move to the next level? What is the next level? Where do I go to obtain those KSAs?
These questions, along with many others, were asked in the ESG/ISSA research survey mentioned above, “The State of Cyber Security Professional Careers.” The survey uncovered two big “red flags”: the majority of cyber security professionals aren’t receiving the right level of skills development to address the rapidly evolving threat landscape, and the skills shortage has created a job market that represents an existential threat, adding job-related stress for cyber security personnel while making it harder for organizations to protect critical IT assets.
When it comes to the CISO, the research found that he or she succeeds or fails based on leadership skills and face time with executive management and the board of directors. Also of concern, cyber security’s relationships with business and IT groups need work.
The research comes at a time when there are more data breaches, net-new malicious IP addresses created per day, zero-day vulnerabilities, credential thefts and phishing attempts than ever before. Many organizations are willingly bolstering their cyber security defenses and making cyber security a top business and IT priority, yet 46% of organizations report a problematic shortage of cyber security skills, according to previously published ESG research.
“This research paints an escalating and dangerous game of cyber security ‘cat and mouse’ and today’s cyber security professionals reside on the front line of this perpetual battle, often knowing they are undermanned, underskilled and undersupported for the fight,” said Jon Oltsik, Senior Principal Analyst, Enterprise Strategy Group (ESG).
Based upon the data collected, conclusions include:
- Nearly two-thirds (65%) of respondents do not have a clearly defined career path or a plan to take their careers to the next level. This is likely due to the diversity of cyber security focus areas, the lack of a well-defined professional career development standard and map, and the rapid changes in the cyber security field itself.
- Continuous cyber security training is lacking. When asked if their current employer provides the cyber security team with the right level of training to keep up with business and IT risk, more than half (56%) of survey respondents answered “no,” suggesting their organizations need to provide more or significantly more training for the cyber security staff.
- Cyber security certifications are a mixed bag. Over half (56%) of survey respondents had received a CISSP and felt it was a valuable certification for getting a job and gaining useful cyber security knowledge. Other than the CISSP certification however, cyber security professionals appear lukewarm on other types of industry certifications. Based on this data, it appears security certifications should be encouraged for specific roles and responsibilities, but downplayed as part of a cyber security professional’s overall career and skills development.
- Cyber security professionals are in extremely high demand. Forty-six percent (46%) of cyber security professionals are solicited to consider other cyber security jobs (i.e., at other organizations) at least once per week. In other words, cyber security skills are a “sellers’ market” in which experienced professionals can easily find lucrative offers to leave one employer for another. This risk is especially high in lower-paying industries such as academia, health care, the public sector, and retail.
- Many CISOs are not getting enough face time in the boardroom, a significant contributing factor to CISO turnover. While industry rhetoric claims that “cyber security is a boardroom issue,” 44% of respondents believe CISO participation with executive management is not at the right level today and should increase somewhat or significantly in the future. Alarmingly, this perspective is more common with more experienced cyber security managers (who should be working with the business) than cyber security staff members. When asked why CISOs tend to seek new jobs after a few short years, cyber security professionals responded that CISOs tend to move on when their organizations lack a serious cyber security culture (31%), when CISOs are not active participants with executives (30%), and when CISOs are offered higher compensation elsewhere (27%).
- Internal relationships need work. While many organizations consider the relationship between cyber security, business and IT teams to be good, it is concerning that 20% of cyber security professionals say the relationship between cyber security and IT is fair or poor (surprising, given that 78% of cyber security professionals got their start in IT) and 27% of survey respondents say the relationship between cyber security and the business is fair or poor. The biggest cyber security/IT relationship issue selected relates to prioritizing tasks between the two groups, while the biggest cyber security/business relationship challenge is aligning goals.
These conclusions point to the need for business, IT, and cyber security managers, academics, and public policy leaders to take note of today’s cyber security career morass and develop and promote more formal cyber security guidelines and frameworks that can guide cyber security professionals in their career development.