DMEdwards
Newcomer II

2021 Cybersecurity Workforce Study

I saw on Twitter that the 2021 Cybersecurity Workforce Study has been released:

https://www.isc2.org/Research/Workforce-Study

 

I'm curious about the methodology used for some parts of the study. In particular, I would like to understand the numbers behind the pie chart on page 10 that suggests that 70% of the entire cybersecurity workforce is some level of manager or executive. Does anyone know if the methodology is published anywhere?

9 Replies
Steve-Wilme
Advocate II

It's self-reported, so I'd expect either some level of job title inflation and some spurious responses.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
jbuitron
Contributor I

Hi DME,

We who have gone through a Ph.D. or Doctoral program know that an important part of the dissertation is introducing the 'how' for the process of gathering and evaluating the data for good results. Ever since ISC2 published the "Women In the Cybersecurity Workforce" study of 2017, I have wondered the same thing. What is the methodology (they usually reveal how many folks were surveyed)? What was the survey (in a dissertation, you have to reveal what the survey questions are)? I always think, please provide details as if you are operating as solid researchers, ISC2, please.

 

thanks for the query,

 

Dr. J. S. Buitron, DCS, MSIA, CISSP

Doctor of Computer Science\Cybersecurity

Masters in Information Assurance\Cybersecurity

Certified Information Systems Security Professional

 

Lead Cyber Engineer at L3Harris

AppDefects
Community Champion

Page 34 gives a hint as to the methodology: "online survey" of 4,763 people, "sample size controlled" within each country... hmmm, that is interesting...

Jarred_LeFebvre
Community Manager

@DMEdwards 

 

Thank you for the question. The chart you cited is meant to represent study participants and not a projection for the entire field. Looking at that again, I understand how that’s not clear, and we will address the header on that graphic to clarify. The question to participants was “Which of the following most closely represents your position within your organization?” so respondents were able to self-identify their level within their organization. As you can imagine, we receive a diverse array of job titles among participants as many security functions are broadly dispersed throughout organizations of all sizes around the world, so we have used that question for high-level participant profiling. Team composition, position level and pathways into the profession are areas we will explore more in the 2022 study. Survey methodologies are available on pages 38-42.

 

@AppDefects 

 

Quick note on the “sample size controlled” statement. To ensure the survey isn’t dominated by responses from a single country or region, and that we can make informed projections for the workforce gap and workforce estimate, our sampling methodology includes minimum targets across 12+ countries.

 

Thank you again for the question and for everyone’s thoughts. Cybersecurity continues to be a very dynamic profession that is constantly maturing and evolving. This year, we are evaluating new approaches to help reveal new insights and refine our approach. If there are any areas of the field you feel need deeper dives, please share. Member input is always appreciated!

 

DMEdwards
Newcomer II

Hi Jarred,

Thank you for the explanation. Still, I don't see information on how the survey recipients were chosen. Those statistics make a lot more sense if, for example, the survey were sent only to current (ISC)² members, people who follow (ISC)² on Twitter, etc. If that were the case, I could see how there would be a bias toward respondents being managers.

jbuitron
Contributor I

Hi there,

I too feel dicey about the note "sample size controlled." It makes no sense. In getting trained to take my DCS (Doctorate in Computer Science), the lead Ph.D.s drilled it into us that the larger the sample size, the more validity can be achieved. Limiting the sample size can skew the results.

 

I still lean more on the 2017 Frost & Sullivan Report on Women in Cybersecurity. The sample size was over 19,000 cyber professionals. 

 

That's my story and I am sticking to it.

 

thanks,

 

Dr. Jan S. Buitron, DCS, MSIA, CISSP

Doctor of Computer Science\Cybersecurity

Masters in Information Assurance\Cybersecurity

Certified Information Systems Security Professional

 

Lead Cyber Engineer at L3Harris

jbuitron
Contributor I

Hi DMEdwards,

 

I agree with your point that the study should have details about the survey respondents. A Ph.D. paper or Doctoral dissertation requires information about the interviewees\respondents. I put in information about MY interviewees in my dissertation!!

 

thank you and best regards,

 

Dr. Jan

jbuitron
Contributor I

Hi Jarred,

I am looking forward to the 'evolution' of the 'business' of cyber toward having 50% females in its constituency. According to the research that I have done, and the studies that I have catalogued, the overall success of companies to protect, enhance, and defend their organizations will be enhanced positively.

 

thank you,

 

Dr. Jan Buitron, DCS

Lead Cyber Engineer\SME

L3Harris

jbuitron
Contributor I

Hello Jarred,

 

First, thank you for the detailed response.

 
Second, based on just over 10 years' study of the issue of smaller groups of individuals that are 'different' from the larger group of individuals in a work setting (i.e. females in a male-dominated workplace in Small Workgroups), I have a research suggestion. 
 
Allow me to cite the Abstract of a paper that I found:
 
"Abstract
Proportions, that is, relative numbers of socially and culturally different people in a group, are seen as critical in shaping interaction dynamics, and four group types are identified on the basis of varying proportional compositions. "Skewed" groups contain a large preponderance of one type (the numerical "dominants") over another (the rare "tokens"). A framework is developed for conceptualizing the processes that occur between dominants and tokens. Three perceptual phenomena are associated with tokens: visibility (tokens capture a disproportionate awareness share), polarization (differences between tokens and dominants are exaggerated), and assimilation (tokens' attributes are distorted to fit preexisting generalizations about their social type). Visibility generates performance pressures; polarization leads dominants to heighten their group boundaries; and assimilation leads to the tokens' role entrapment."
 
ALL of the research I have seen about women in cybersecurity points to the OVERALL percentage of females in cyber (11% or 24% overall).
My own findings show that studies should look at the smaller working groups, and not the percentage of females in the 'industry' as a whole.
 
Here's why: in my personal experience, I have either been the ONLY female or only One of TWO in a group of males (from six to twelve males in the group).
And I have heard the SAME THING from every other female in InfoSec that I know.
 
From the above, the 'visibility' leads to heightened inspection of the female's work, and exaggeration of mistakes (Frost & Sullivan, 2017). 'Polarization' leads to isolation, another factor that affects females in cybersecurity: no support, being alone, no interaction. Gosh, I have been in only this type of situation in 20 out of the last 20 job roles that I have had.
 
Can you see my point? Can you see why it is vitally important?
 
thank you,
 
Doctor Jan S. Buitron, DCS
Doctor of Computer Science\Cybersecurity
Lead Cybersecurity Engineer\Manager\SME
L3Harris