[Life of Cybersecurity Professionals] This second part of the summary of the Information Systems Security Association (ISSA) annual report focuses on careers, motivations for becoming cybersecurity professionals and the situation of CISOs in terms of organisational influence, effectiveness and leadership.
CISOs who responded to the survey also specify what would make them leave one organisation for another.
I invite you to continue reading the summary below.
To download the full study, which I strongly encourage you to do, click on this link:
Life of Cybersecurity Professionals 2021
Objectives and Findings
In order to assess the experiences, careers, and opinions of cybersecurity professionals, ESG and ISSA surveyed 389 ISSA members, comprising cybersecurity professionals representing organizations of all sizes, across a variety of industries and geographic locations. Eighty-two percent of survey respondents resided in North America, 8% came from Europe, 5% from Asia, 3% from Africa, and 2% from Central/South America (note: total exceeds 100% due to rounding).
The survey and overall research project were designed to answer the following questions:
- Why did they become cybersecurity professionals?
- How are they developing and advancing their careers?
- Are they happy at their jobs and with their career choices?
- What are the primary pieces of advice cybersecurity professionals would give to those seeking jobs in the cybersecurity field?
- What is necessary for cybersecurity job satisfaction? Alternatively, what alienates cybersecurity professionals and causes them to look for other jobs?
- How important is continuous skills development in the minds of cybersecurity professionals?
- How do cybersecurity professionals develop their skills? What works, and what doesn’t work?
- Do the responsibilities and workload associated with cybersecurity jobs get in the way of skills development?
- Do the organizations cybersecurity professionals work at provide adequate training, skills development programs, or services for career advancement?
- Do organizations have CISOs or similar positions in place?
- Are CISOs active participants with executive management teams and the board of directors (or similar oversight group)? Is this level of engagement considered to be sufficient?
- How do cybersecurity professionals rate the performance of their CISO?
- Do cybersecurity professionals believe that their organization has been impacted by the global cybersecurity skills shortage? If so, in what way?
- In which areas do their organizations have the biggest cybersecurity skills deficits?
- Is the cybersecurity skills shortage improving, and are organizations doing enough to address it?
Survey participants represented a wide range of industries including information technology, financial services, government, business services, and manufacturing. For more details, please see the Research Methodology and Respondent Demographics sections of this report.
The Basic Facts
As in past years, ESG and ISSA got some baseline information regarding cybersecurity professionals’ careers. For example:
- 79% of cybersecurity professionals started their careers working in IT.
- When asked which skills were most helpful in the move from IT to cybersecurity, the top responses were IT operations knowledge and skills (61%), analytics skills (53%), hands-on technology knowledge and skills (48%), and business skills (as they relate to IT technologies and processes) (42%).
- When asked the reasons for becoming a cybersecurity professional, the top responses were the chance to use skills and curiosity to address technical challenges (43%), the opportunity to develop technical skills and knowledge (40%), it being a natural career move from IT (34%), and attraction to the morality of the profession (29%).
- 28% of survey respondents say that either they or other cybersecurity professionals they know have experienced significant personal issues because of stress associated with the cybersecurity profession (i.e., drug abuse, alcohol abuse, depression, etc.).
- 50% of cybersecurity professionals surveyed say that job stress levels increased this past year as a result of remote worker support due to the COVID-19 pandemic. To help alleviate stresses caused by the pandemic, 36% of organizations instituted more CISO “check-ins” with staff, 32% created online social meetings for the cybersecurity team, and 24% added formal stress management programs driven by HR.
Survey respondents were also asked whether their organization employed a CISO. Those that did were asked several other related questions. On this topic, the research revealed:
- 73% of survey respondents say that their organization employs a CISO while 5% say their organization employs a virtual CISO (vCISO).
- Of those organizations that employ a CISO, 43% say that the CISO reports to the CIO, 29% say the CISO reports to the CEO, 9% say COO, 9% say “other,” and 10% don’t know.
- 61% of respondents say their CISO is an active participant with executive management and the board of directors (or similar oversight group), 14% say their CISO is not an active participant with executive management and the board of directors (or similar oversight group), and 24% don’t know. 51% think their organization’s CISO’s level of participation with executive management and the board of directors is adequate, 23% do not think their organization’s CISO’s level of participation with executive management and the board of directors is adequate, and 26% don’t know.
- 43% believe their CISO has been very effective, 49% believe their CISO has been somewhat effective, 6% say their CISO hasn’t been very effective, and 2% claim their CISO has not been effective at all.
- When asked to identify the most important qualities of a successful CISO, 39% said leadership skills while 30% said operational skills. The remaining 31% included business skills, technical skills, management skills, communications skills, and other.
- Survey respondents were asked which factors are likeliest to cause CISOs to leave one organization for another. The most popular answers were: CISOs are offered a higher compensation package at another organization (33%), the organization doesn’t have a culture that emphasizes cybersecurity (31%), and cybersecurity budgets are not commensurate with the organization’s size and industry (29%).