I saw on Twitter that the 2021 Cybersecurity Workforce Study has been released:
https://www.isc2.org/Research/Workforce-Study
I'm curious about the methodology used for some parts of the study. In particular, I would like to understand the numbers behind the pie chart on page 10 that suggests that 70% of the entire cybersecurity workforce is some level of manager or executive. Does anyone know if the methodology is published anywhere?
It's self reported, so I'd expect either some level of job title inflation and some spurious responses.
Hi DME,
We who have gone through a Ph.D. or Doctoral program know that an important part of the dissertation is introducing the 'how' for the process of gathering and evaluating the data for good results. Ever since ISC2 published the "Women In the Cybersecurity Workforce" study of 2017, I have wondered the same thing. What is the methodology (they usually reveal how many folks were surveyed), What was the survey (in a dissertation, you have to reveal what the survey questions are). I always think, please provide details as if you are operating as solid researchers, ISC2, please.
thanks for the query,
Dr. J. S. Buitron, DCS, MSIA, CISSP
Doctor of Computer Science\Cybersecurity
Masters in Information Assurance\Cybersecurity
Certified Information Systems Security Professional
Lead Cyber Engineer at L3Harris
Page 34 gives a hint as to the methodology "online survey" of 4,763 people, "sample size controlled" within each country.....hmmm, that is interesting.....
Thank you for the question. The chart you cited is meant to represent study participants and not a projection for the entire field. Looking at that again, I understand how that’s not clear, and we will address the header on that graphic to clarify. The question to participants was “Which of the following most closely represents your position within your organization?” so respondents were able to self-identify their level within their organization. As you can imagine, we receive a diverse array of job titles among participants as many security functions are broadly dispersed throughout organizations of all sizes around the world, so we have used that question for high-level participant profiling. Team composition, position level and pathways into the profession are areas we will explore more in the 2022 study. Survey methodologies are available on pages 38-42.
Quick note on the “sample size controlled” statement. To ensure the survey isn’t dominated by responses from a single country or region, and that we can make informed projection for the workforce gap and workforce estimate, our sampling methodology includes minimum targets across 12+ countries.
Thank you again for the question and for everyone’s thoughts. Cybersecurity continues to be a very dynamic profession that is constantly maturing and evolving. This year, we are evaluating new approaches to help reveal new insights and refine our approach. If there are any areas of the field you feel need deeper dives, please share. Member input is always appreciated!
Hi Jarred,
Thank you for the explanation. Still, I don't see information on how the survey recipients were chosen. Those statistics make a lot more sense if, for example, the survey were sent only to current (ISC)² members, people who follow (ISC)² on Twitter, etc.. If that were the case, I could see how there would be a bias toward respondents being managers.
Hi there,
I too feel dicey about the note "sample size controlled." It makes no sense. In getting trained to take my DCS (Doctorate in Computer Science), the lead Ph.D.s drilled it into us that the larger the sample size, more Validity can be achieved. Limiting the sample size can skew the results.
I still lean more on the 2017 Frost & Sullivan Report on Women in Cybersecurity. The sample size was over 19,000 cyber professionals.
That's my story and I am sticking to it.
thanks,
Dr. Jan S. Buitron, DCS, MSIA, CISSP
Doctor of Computer Science\Cybersecurity
Masters in Information Assurance\Cybersecurity
Certified Information Systems Security Professional
Lead Cyber Engineer at L3Harris
Hi DMEdwards,
I agree with your point that the study should have details about the survey respondents. A Ph.D. paper or Doctoral dissertation requires information about the interviewees\respondents. I put in information about MY interviewees in my dissertation!!
thank you and best regards,
Dr. Jan
Hi Jarred,
I am looking forward to the 'evolution' of the 'business' of cyber toward having 50% females in its constituency. According to the research that I have done, and the studies that I have catalogued, the overall success of companies to protect, enhance, and defend their organizations will be enhanced positively.
thank you,
Dr. Jan Buitron, DCS
Lead Cyber Engineer\SME
L3Harris
Hello Jarred,
First, Thank you for the detailed response.