Podcast Summary: CyberWire Daily – Are We a Trade or a Profession? [CISO Perspectives]
Episode Details:
- Title: Are We a Trade or a Profession? [CISO Perspectives]
- Host/Author: N2K Networks
- Release Date: April 24, 2025
Introduction to CISO Perspectives
Kim Jones kicks off the episode by introducing the inaugural season of CISO Perspectives, a deep dive into the multifaceted challenges Chief Information Security Officers (CISOs) face. The season's central theme revolves around the ongoing debate within the cybersecurity community: Is cybersecurity a trade or a profession?
“True professions have certain characteristics that cybersecurity does not fully meet.”
— Kim Jones [00:02]
Jones references a 2013 National Academy of Sciences (NAS) report, highlighting the argument that cybersecurity, being a relatively young field, should be considered an occupation rather than a profession due to its rapid evolution and the potential barriers professionalization could impose on entering the field.
The Professional vs. Trade Debate
Arguments for Cybersecurity as a Profession
- Unique Body of Knowledge: Professions are characterized by a unique, codifiable body of knowledge that can be systematically taught and learned. Jones emphasizes that while degrees aren't mandatory, they provide a foundational understanding essential for professional practice.
  “While degrees aren't necessary for an individual to practice in the profession, degrees tend to ensure that individuals understand the basic principles of the profession.”
  — Kim Jones [04:30]
- Service Orientation: Professions are committed to the betterment of the field and society, extending their service beyond employers. This includes contributing to the profession's body of knowledge and administration.
  “Professions and the professionals within are committed to the betterment of the profession itself.”
  — Kim Jones [05:10]
Challenges to Professionalization
- Lack of a Uniform Code of Ethics: Unlike established professions, cybersecurity lacks a universal ethical framework that mandates professionals to uphold specific standards, potentially allowing unethical behavior without collective repercussions.
  “There is no overarching Uniform Code of Ethics for the cybersecurity profession.”
  — Kim Jones [06:15]
- Absence of Sanctioning Bodies: Professional bodies not only promote research and knowledge exchange but also enforce ethical standards, sanctioning those who violate them. Cybersecurity currently lacks such oversight mechanisms.
  “The sanctioning organization provides oversight and guardianship. No such organization exists in cybersecurity today.”
  — Kim Jones [07:00]
Arguments for Cybersecurity as a Trade
- Hands-On Nature and Skill Focus: The field is heavily skills-based, akin to trades, where practical expertise is paramount. This perspective is supported by a segment of the community who believe that real-world experience should outweigh formal education.
  “At the entry level, we are more skills and abilities focused than certification, college degree.”
  — Larry Whiteside [12:44]
- Structured Apprenticeships in Trades: Trades typically have clear pathways for entry and advancement, including apprenticeships and mandatory certifications. Cybersecurity currently lacks this structured approach.
  “Trades have clearly defined standards of entry, clear documented knowledge, requirements for both entry and advancement.”
  — Kim Jones [08:45]
Guest Insight: Larry Whiteside's Perspective
Larry Whiteside, a veteran cybersecurity leader and co-founder of Cybersity, joins Kim Jones to explore the duality of cybersecurity as both a trade and a profession.
Cybersecurity as Both Trade and Profession
Whiteside posits that cybersecurity embodies elements of both a trade and a profession due to its hybrid nature:
- Trade-Adjacent Entry: Entry-level roles focus on practical skills rather than formal education, making the field accessible to those with self-taught expertise or vocational training.
  “At the entry level, we are more skills and abilities focused than certification, college degree.”
  — Larry Whiteside [12:44]
- Professional Growth and Ethical Standards: While the foundational entry resembles a trade, the aspirations for professionalization in cybersecurity push for higher ethical standards and structured advancement pathways.
  “We need to professionalize so that we can level the role up, so that we can then get the authority that we need in order to execute the way we should.”
  — Larry Whiteside [38:14]
Challenges in Hiring and Training
Whiteside highlights the disconnect between HR practices and the unique needs of cybersecurity roles:
- Misalignment in Job Descriptions: HR often imposes rigid educational requirements that don't align with the skills-based nature of cybersecurity, leading to mismatches in job postings and candidate expectations.
  “The reality is if you can't build the team properly, you're not going to get any of that stuff done anyways.”
  — Larry Whiteside [17:23]
- Short Tenure of CISOs: The average tenure of a CISO is under two years, attributed to both the high-stress nature of the role and the lack of authority to implement necessary changes.
  “The tenure of a CISO is under two years. And with that, you know, as a CISO, when you go in, you've got a limited amount of runway to get things done.”
  — Larry Whiteside [18:02]
Path to Professionalization
Whiteside advocates for establishing formal certifications and ethical standards akin to those in established professions:
- Certification Models: Proposes creating certification bodies similar to those of the legal or medical professions, ensuring practitioners meet standardized knowledge and ethical criteria.
  “There's finally been some uproar and some movement towards trying to create something similar or akin to what lawyers have.”
  — Larry Whiteside [32:23]
- Overcoming Victim Mentality: Emphasizes the need to shift from viewing CISOs as scapegoats to recognizing their strategic importance, thereby advocating for greater authority and support.
  “It's time that cybersecurity is a combination of requirements that shift based upon role and scope.”
  — Larry Whiteside [08:50]
Organizational Challenges and Solutions
HR and Organizational Structures
- Role Misalignment: HR departments often misclassify cybersecurity roles, imposing irrelevant educational prerequisites that hinder the hiring of skilled professionals without formal degrees.
  “There are still tons of jobs out there that say entry level with three years experience.”
  — Larry Whiteside [16:35]
- Salary Band Constraints: Salary bands tied to educational qualifications prevent the hiring of competent individuals who may lack formal degrees but possess the necessary skills.
  “No, we can't have someone who doesn't have a degree in the salary band across the organization, globally.”
  — Larry Whiteside [18:02]
Building High-Performing Teams
- Comprehensive Job Ownership: CISOs should take ownership of all cybersecurity-related job descriptions to ensure they align with strategic goals and do not impose unnecessary barriers.
  “You need to understand them and you need to make sure that they align with your strategy that you're trying to build.”
  — Larry Whiteside [39:24]
- Fostering Relationships: Building deep, personal relationships with business leaders is crucial for gaining support and understanding the broader business metrics that influence cybersecurity initiatives.
  “You need the support to get this done is you need to understand and build very deep personal relationships with every business leader in your business.”
  — Larry Whiteside [39:24]
The Path Forward: Embracing Professionalism
Jones and Whiteside agree that moving towards formalizing cybersecurity as a profession is essential for gaining the necessary authority and structure to combat evolving threats effectively.
Educational and Certification Reforms
- Curriculum Development: Developing comprehensive educational programs that blend technical skills with business acumen to prepare CISOs for executive roles.
  “I built a degree program to do just that. And I couldn't get the support of CISOs in the community.”
  — Kim Jones [23:35]
- Peer-Reviewed Certifications: Establishing certification processes where peers assess and validate the qualifications of cybersecurity professionals to ensure standardized competence.
  “...trying to create something similar or akin to what lawyers have.”
  — Larry Whiteside [32:23]
Cultural Shift within Organizations
- Redefining the CISO Role: Elevating the CISO role from a technical position to a strategic partnership within the executive team, ensuring alignment with business objectives and risk management strategies.
  “The value is, is in elevating us because we haven't had the authority to get the things accomplished that we needed to.”
  — Larry Whiteside [37:52]
- Addressing Victim Mentality: Moving away from viewing CISOs as scapegoats and instead recognizing their critical role in safeguarding organizational assets and reputations.
  “We deserve a seat at the table. This is a mechanism to demonstrate that there are many of us who have the skills to have the seat at the table.”
  — Larry Whiteside [35:36]
Conclusion and Recommendations
As the episode wraps up, Jones and Whiteside emphasize the urgency of professionalizing cybersecurity to enhance its effectiveness and integration within organizational structures.
Advice for Aspiring CISOs
Larry Whiteside offers two critical recommendations for young or aspiring CISOs:
- Ownership of Job Descriptions:
  “You need to own it and take ownership of it. ... You need to understand them and you need to make sure that they align with your strategy.”
  — Larry Whiteside [39:24]
- Building Relationships with Business Leaders:
  “Build very deep personal relationships with every business leader in your business. ... understand how the executive gets bonused because them making money is important.”
  — Larry Whiteside [39:24]
Final Thoughts
The discussion underscores that cybersecurity is at a crossroads, needing to embrace the attributes of a profession to address lingering talent issues and effectively mitigate evolving threats. The transformation towards professionalization is not just beneficial but imperative for the sustainability and authority of the cybersecurity field.
“Until we do, we will remain nothing more than a glorified occupation that will continue to lose agency.”
— Kim Jones [08:50]
Key Takeaways:
- The cybersecurity field exhibits characteristics of both a trade and a profession, but lacks full professionalization.
- Formalizing ethical standards and certification bodies is crucial for elevating the role of CISOs.
- Organizational structures and HR practices must adapt to recognize and support the unique needs of cybersecurity roles.
- Building strategic relationships and owning job descriptions are essential for CISOs to align cybersecurity initiatives with business objectives.
Notable Quotes:
- “Are we a trade or a profession? Neither. Both, folks, as much as it pains me to say this, the truth is the best adjective to describe us today is stagnant.”
  — Kim Jones [08:50]
- “We deserve a seat at the table. This is a mechanism to demonstrate that there are many of us who have the skills to have the seat at the table.”
  — Larry Whiteside [35:36]
- “The tenure of a CISO is under two years. And with that, you know, as a CISO, when you go in, you've got a limited amount of runway to get things done.”
  — Larry Whiteside [18:02]
This episode of CISO Perspectives offers a profound examination of the identity crisis within the cybersecurity field, urging leaders to embrace professionalization to foster growth, authority, and effectiveness in combating cyber threats.