As an "Old Security Guy," there are times when I feel that we are speaking into a huge echo chamber, providing results and commentary which amplify our already entrenched beliefs
Recently I read a report by a respected industry organization that typifies some of the echo-chamber habits that I’ve seen of late. While a huge fan (and long time member) of this organization, the report disappointed me for several reasons:
1. Potential demographics bias is not adequately addressed within the document. The report makes no attempt to obscure the demographics breakdown of their sample (kudos for this!); that said, there are places where the demographics may directly explain certain responses and “insights.” One example of this might be the area of compensation. 39% of respondents indicated that a lack of “competitive or industry-leading financial compensation” was a major reason for their lack of job satisfaction; this was the second-highest scoring factor, just four points behind “business management commitment to strong cybersecurity.” This seems quite compelling on the surface…until you look at the demographics. A full 38% of the respondents work in small companies (<1000 employees), which traditionally pay less than market rate. Further, 17% of all respondents work in the government sector – a vertical which tends to lag behind industry in terms of compensation. Given that the report concludes that compensation is a major concern for the professions (“For goodness’ sake, pay your people!”) it would be helpful to click-down on this data to see if the results are truly universal across all demographies.
2. The report treats CISOs as “they/other.” This organization’s membership in the past has tended to be more rank-and-file versus executive. Indeed, only 17% of survey respondents identified themselves as CISOs. Regardless, this report seemed to go out of its way to point out concerns/trends to CISO-level readers as if they were unaware of the situation. While empirical data is always helpful when making a case to senior leadership, telling the CISOs that they need to (a) take payroll issues “right to the executives and corporate boards;” (b) “move their people, processes, and technologies closer to the business;” and (c) “develop a long-term plan” to address the cyber talent shortage” borders on being insulting to the profession’s most senior leaders - and perpetuates the myth that cyber leaders are detached from their teams and the needs of the professions (note: if the research organization believes that this detachment exists, it would have been helpful to see questions framed in a manner which provide a level of empirical data to this clearly visible - yet unsupported - opinion).
3. The report does not address internal contrarianism. As both a practitioner and an educator, there is a no-experience-no-job-no-relief-no-time cycle exposed by this report that is very telling. Consider:
Training is important and it needs to be offered, but when it is offered many of us do not feel we can take advantage of it because we’re overworked
We are overworked because we can’t find talent…and would love to have an intern program of some sort…but…
As an educator, the primary stated reason my college students can’t find internships is because cybersecurity teams do not want interns because they “don’t have time” to train (usually they say “babysit”) interns.
To recap: We’re overworked because we can’t find talent…but aren’t willing to make the creation of talent a priority.
While empirical data is helpful in formulating arguments, we need to focus on the collection and data that leads us to solutions versus that which reaffirms known problems and reinforces existing status-quo approaches. We need to stop collecting data which merely justifies our frustrations and instead use our collective voice to agree upon sustainable solutions which benefit all in our profession.
My two cents…