GLOBAL SHORTAGE ON CYBER SECURITY WORKFORCE
AN ANALYSIS OF A COMPLEX ISSUE
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC
Director, ISSA International
AGENDA
• Social behaviors and perspectives
• Information and cyber security culture
• Workforce perspectives
• Governance
• The pace of technology
• Herding cats
• Balancing cyber security and risk
• Questions to ponder
SOCIAL BEHAVIORS AND PERSPECTIVES
Cultures and Culture groups have different perspectives.
• Social culture
• Socio-economic culture
• Business culture
• Regional culture
• Internal sub-cultures (“cliques”)
• Culture of executives and managers
“Perception is that there is a serious lack of Cyber Security Professionals globally
and that we need to train more people to fill those gaps”
• Workforce Development Programs
• Education and training
• Does not address skillset gap
INFORMATION AND CYBER SECURITY CULTURE
Cultures and Culture groups have different perspectives
• IT Personnel
  ▪ Are highly skilled
  ▪ Are mostly introverts
  ▪ Do not like conflict
  ▪ Normally do not socialize outside of their social/professional groups
  ▪ Are motivated by technology and collaboration with peers
• Cyber Security is perceived by IT professionals as combative, conflictive and abrasive
  ▪ Cyber Security personnel “always say no”
  ▪ Cyber Security personnel have to interface with other business units
    o Outside of the IT personnel’s comfort zone due to language barriers
      ▪ Business
      ▪ GRC
WORKFORCE PERSPECTIVES
Cultures and Culture groups have different perspectives
• Everyone Else
  ▪ Management – various levels can create problems for cyber security culture
    o Aligning IT projects with security (“baking it in”)
    o Can cause problems in maintaining cyber security awareness and maintaining buy-in
  ▪ Employees – #1 risk to the business
    o Anything that affects productivity or convenience is perceived as a nuisance
    o Are not motivated by rules that articulate strict standards for GRC
“Sometimes you need to slay a lion to ensure all personnel understand they all
have a part in protecting the business from cyber security threats”
GOVERNANCE
• Complex and industry driven
  ▪ CISOs need to socialize GRC into language that IT and business understand
    o 80% of a business is automated by IT
    o Provide real world examples
    o Explain and articulate risk to IT operations and productivity
  ▪ Change the way IT personnel are trained
    o Tie GRC into operations planning and IT training
    o Cross-domain (IT personnel become experts in compliance disciplines)
    o IT personnel who lack cyber security awareness are expendable
  ▪ Use cyber security training as a method of motivation for personal growth and value to business
THE PACE OF TECHNOLOGY
Experienced IT professionals are very valuable
• They understand the computing environment and existing technology
  ▪ Allows experience with legacy systems to be retained
  ▪ This makes it easier to integrate new technology into existing EA
  ▪ Automated solutions still have to be configured and monitored by IT
HERDING CATS
Establish methods to build teams of IT personnel to fill cyber security gaps
• Create teams with a team lead
• Protect IT personnel from the front line and vice versa!
• Identify communication gaps and translate
  ▪ Technical language
  ▪ Business language
  ▪ Governance language
Transition IT workforce to a cyber security workforce
• The business does not always need to hire cyber security personnel
  ▪ Operational IT service delivery - installs, configures and maintains security stack
  ▪ Ensures everyone understands all technical & security requirements for GRC
  ▪ Increases skillset and value (personally & professionally for technician & business)
BALANCING CYBER SECURITY AND RISK
A CISO has to understand the various cultures and how security is perceived
• Identify ways to bridge gaps
• Identify ways to align perspectives
• Translate technical language into business language
• Motivate and align cultural groups towards a common “business” goal
RIP Model – Socialize & protect what is most critical
• Resources
• Information
• Personnel
QUESTIONS TO PONDER
All of these questions relate to the cyber security profession
• Do we need to connect everything to the internet?
• When will governments allow strong “military grade” encryption technologies
to be used in business?
• Why are more businesses entering the Deep Web to secure communications?
• How are you as a CISO going to cultivate a positive relationship between IT, cyber security
and the business?
THANK YOU
Shawn P. Murray
Director - ISSA International
shawn.murray@issa.org
