(ISC)² CEO on cybersecurity workforce expansion and 2017 Congress

Recently, SearchSecurity editorial director Robert Richardson checked in with (ISC)²'s CEO David Shearer as the organization prepares for its fall Security Congress.

As (ISC)² Chief Executive Officer, Mr. Shearer is responsible for the overall direction and management of the organization and its Center for Cyber Safety and Education. SearchSecurity spoke with him recently as the organization was preparing its program for its 2017 Security Congress in Austin, Texas, in mid-September.

The cybersecurity workforce survey Shearer discussed includes feedback from over 19,000 information security professionals worldwide. The survey's findings, released as several focused reports over the course of the year, indicate that employers must look to millennials to fill the projected 1.8 million information security workforce jobs that are estimated to be unfilled by 2022. As noted in this interview, that's not the only way to think about filling the gap.

Obviously, (ISC)² is one of the key professional organizations in the security industry. It's an industry that's challenged on a lot of fronts. How besieged is the industry right now?

David Shearer: I try not to go into fear, uncertainty and doubt. We take a positive look, and we continue to try to make a positive difference in the world, but we do have some dynamics that are exacerbating the situation.

Globally, it's an aging workforce. Our 2015 global workforce study showed that, out of almost 15,000 respondents, less than 6% were below the age of 30. And that reflects another challenge: We are not attracting millennials in that next wave of the profession.

We've got to do better outreach and provide avenues for people that maybe have the backgrounds that wouldn't traditionally be seen as cybersecurity. But once we start to look at the discussion of STEM [science, technology, engineering and mathematics], and we start to look at that from the concept of STEAM, adding arts into it -- because bad actors are highly creative in their attacks and how they take our common convenience and kind of turned [it] against us -- I think there's a whole left brain, right brain convergence discussion that we can have. It's not just an analytical profession.

The attack levels and the degree of sophistication of the attacks are escalating, and the volume of attacks continues to rise. We're stretching that workforce. And then [the security profession] becomes highly competitive, where people can really jump from one organization to the next. They may be leaving capability holes for the organizations they leave.

Your research shows the one thing that is not happening is millennials entering the cybersecurity workforce. Do you have any sense of why that is?

Shearer: I think that's what's great about doing the research. You could jump to the conclusion that we don't have enough STEM folks to draw from -- people that are coming out of the engineering and mathematical backgrounds -- but when we look at the Asia-Pacific region, the Asia-Pacific region produced more STEM-type graduates starting way back in 1995, and has continued to lead the United States in bringing STEM professionals into the workforce, yet we see the same problem in the APAC region. We're not seeing the numbers of people coming into cybersecurity.

All of us must be, in some way, missing the messaging. We're all scrambling to try and figure out what we have to change.

One thing that (ISC)² has ramped up over the last several years is events. How do you see the upcoming Security Congress in terms of what role it plays in the profession?

Shearer: This will be our seventh Security Congress. For the last six years, we've collocated with ASIS International. ASIS brings a large number of exhibitors, and we're talking [a] total volume of maybe 20,000 attendees, of which are [(ISC)²] members ... we're talking 1,400 or 1,500 people. We did that for a number of years because we saw the need for convergence between the cyber and logical security with the physical security. However, this year will be the first year that we break off on our own.

I think it'll be a much more intimate conference for our members, and keenly focused on the kind of post-event feedback we've gotten. They just said that they want to see something tailored more specifically for what they're looking for.

About the same time as you came into the CEO position at (ISC)², there was something of a shift in who was seated on your board. A number of the people who are interested in making the organization more relevant are seated on the board now. What's changed as a result of this?

Shearer: The board looked at changing bylaws to limit how long you can be on the board -- and the board that actually signed on to that in 2015 was a very diverse board relative to the past. So kudos to that group who said they saw the value in getting some turnover on the board and bringing different experiential aspects to the strategic direction of the organization.

Last year, we started to see a fair amount of churn with people rolling off, and now these term limits have been put in place, so this always makes it interesting. You get more orientation of new board members, we do a lot more work with the management team to orient new board members, and from a CEO's standpoint, it's really fun. Period. I think, inherently, getting some churn and getting some new ideas -- I don't know when that is ever a bad idea.
