David Shearer, CEO of (ISC)2, is so excited about how well their annual American Congress is going that when I sit down with him over breakfast on day two in Austin, Texas, neither he nor I have a second to actually eat. David is talking at 100 miles an hour without a break, and in return, I’m typing so fast that my fingers feel like they’re doing Riverdance.
Normally, if I’m invited to interview someone who doesn’t let me ask the questions, I’m a little miffed. My interview with David is an exception, however. Firstly, because I have a lot of time for David Shearer and can see that it’s because he’s just bursting with energy and passion for his ‘mission’, and secondly because it’s 8am, I’m jet-lagged and I’m happy to play a supporting role only.
“Sorry for just talking at you and jumping around from topic to topic,” he says, smiling, halfway through, in a sudden moment of self-awareness. “Don’t worry, you just talk and I’ll find a way to make it all coherent,” I tell him.
I’ll break down the main talking points into consumable bite-sized chunks for those of you wanting the lowdown on what David Shearer has planned for (ISC)2 and its members.
(ISC)2 are establishing a director of cybersecurity advocacy in every region
What does this actually mean? Well, it’s a continuation of the organization’s movement to decentralize. It means that the regional MDs – who have traditionally been tasked with COO tasks as well as the management and outreach – can focus purely on the operational side of their role. “The new advocates are more like a CEO for the region, concentrating on outreach and advocating both internally for members and externally too,” explains Shearer. “Things like writing to Congress, testifying on Capitol Hill, displaying effective thought leadership”, he continues.
(ISC)2 are committed to doing more for their membership to help them “sharpen the saw”
Investment is being put into looking at rich CPE opportunities for members, but also to make some CPEs mandatory to ensure that members are armed with the most up-to-date knowledge. “With CPE opportunities, we’ve originally focused on events, but when we measure how many members we reach, it’s 5% or less – which is not good enough. So we need to evolve CPE offerings to reach more of our members. We’re a technology organization and need to be leveraging modern management tools to let our members train around the clock.” Shearer is committed to making (ISC)2 evolve from being “an average leader to the leader in CPE. We want our members to be as current as they can be.”
Radically changing the certifications is not an option
(ISC)2 will continue to tweak certifications to keep them relevant. Changing them radically is not an option. “The integrity of the process has to be maintained to keep the value of the paper it is on,” says Shearer. “We have to have a mechanism by which we can train people on the most recent topics, and over time, it will make it into our certifications.” Shearer acknowledges the discontent and criticism that is sometimes aimed at the CISSP and retorts that it’s vital that the organization is able to accept constructive feedback. “You have to look at what the underlying thing that upsets them is and always be receptive to that feedback and be transparent.”
(ISC)2 Congress is bigger and better than ever…but it’s preaching to the choir
Shearer lists the Congress’ successes: fantastic turn-out (1900 attendees), the successful CSA Sunday conference and sold-out training programs, but what does he want to improve on? Diversity of audience, he says. “We have to build better bridges with the CIO/CTO communities who don’t consider themselves cyber-folks. We have to advance their vision and mission by learning about how the work gets done. So we need to be talking at their conferences.”
(ISC)2’s mission says nothing about preserving the role of the CISO
Shearer considers how shadow cybersecurity is being practiced in-house as part of ICT at organizations around the world. “If they are doing it well, we should be applauding it. We have to follow where the work actually gets done, and that’s not always in the pure play cyber positions.” Reflecting further, he says, “I can see a day when this conference attracts more people from the ICT audience.” Would the evolution of shadow cybersecurity put the role of the CISO at risk, I ask? “Our mission and our vision say nothing about preserving the role of the CISO. Instead, we strive to improve enterprise security.” The role of the CIO, considers Shearer, was established in the 90s and “some have still not got a seat at the table. It would be irresponsible to not shine a light on shadow cybersecurity at the expense of the CISO role. Should there be dotted lines? We have to uncover where things are working and where they’re not. Whether it diminishes or elevates the CISO role doesn’t matter. Our job isn’t about title roles – our job is to operationalize security.”
Shearer would – perhaps unsurprisingly – like to see IT/ICT people trained as CISSP to give them a common lexicon with the CISO, “a common body of knowledge that will give them a succinct way to talk about complexity.”
CISSP is mile-wide and inch-deep…but that is its strength
According to Shearer, the common ‘mile-wide inch-deep’ criticism of CISSP is actually its selling point. “A CISSP isn’t about being able to configure a network. I couldn’t even configure my new home network, I’d get the manual out,” admits Shearer. “That’s not what a CISSP is about. It’s about understanding the holistic nature of enterprise security. A company knows that if they hire a CISSP, that they have demonstrated the ability to measure the broad nature of cybersecurity.”
I ask Shearer about the trend whereby industry experts are saying employers should forget about demanding certs and instead look for raw talent, experience and passion. “Talent, aptitude and skill are the very nature of a certification body. So if that’s what employers are looking for, that’s what we do,” he says. He counters that hiring officials do need to stop asking for CISSP for entry-level positions. “As an industry, we need to reach out to HR departments and tell them that they are creating barriers. We haven’t been good at showing a career roadmap and getting people on the right career paths.”
We have to find a way to attract the new generation of cyber
Whether or not millennials get certified, “we have to learn to talk to them in their own language, because they are the next generation across all disciplines. We need to find out what they want.” Shearer suspects that the profession is struggling to attract millennials because of perception. “Security is often viewed as the industry that takes things away. That’s not cool or attractive to millennials because they are highly innovative. They’ve had innovation at their hands since they were born and don’t like the concept of constraint or being pigeon-holed.”
The average age of an information security professional, says Shearer, is 43. “Less than 6% of the industry is under the age of 30. You can’t fix that quickly – it’s a sustained influx. The workforce is small and it’s getting stretched thinner”, Shearer continues. “People are leaving [the industry] because they are burnt out.”
So there you have it. The state of the industry in the words of (ISC)2 CEO, David Shearer. It’s always a pleasure to meet with David…and it always takes me a long time to work through the transcript after!