At the (ISC)2 Congress in Orlando, I had the pleasure of sitting down with David Shearer, CEO, (ISC)2. With big shoes to fill succeeding former executive director Hord Tipton, Shearer tells me about his plans for the industry association, and the challenges he needs to overcome to modernize the organization.
Tell me your (ISC)2 story…
I moved to Florida from Colorado when I joined (ISC)2 as COO in October 2012. Two years as COO gave me a good basis of how the company runs. I was Hord Tipton’s succession plan for his retirement, but ultimately my appointment was the Board’s decision.
I wasn’t actually a member of (ISC)2 before I joined – the Board said there was something missing from my qualifications! So when I was hired, I aggressively pursued the CISSP.
What was your experience of getting your CISSP?
I did it within 90 days of being hired. I’d been in the field for a long time and had CISSPs working for me. I also had the advantage of being technically educated.
I went through a boot-camp to refresh and train for the exam, and it was a lot of pressure on me to pass. It was difficult – many decision-based questions, where you have to find the best answer. It took me 5 hours 15 minutes of the six-hour time limit.
These days, it’s automated computer-based testing, so you get an instant pass or fail.
There is often criticism that the CISSP is too broad – are there plans to adapt it?
By design, it has to be broad. Some people say it’s not technical enough or doesn’t go deep enough, others say it’s too high-level. Opinion of the CISSP within industry is all over the board. The power of the CISSP doesn’t prove you as the best pen-tester or network security engineer, but it teaches you the broader aspects of technology. It gives a common lexicon to look at security pragmatically. It’s about giving people insight, knowledge and best practice.
Deeply-specialised professionals are sometimes not capable of seeing how they fit into the big picture or working with a team.
Having a CISSP gives a good idea of a professional’s broad range of understanding. Having a tech specialism without a broader knowledge is a blindspot.
Does the CISSP hold the same value now as it once did?
Statistically it does. People that hold it command 25-30% more salary than those without. There are 112,000 CISSPs in 160 countries and it’s still growing. Organizations and governments are continuing to see the value of the CISSP, but we can’t become complacent. We need to do more for our members after certification.
We’re currently putting a lot of emphasis on our members’ development and working to provide better CPE opportunities. Our members can’t get to events all the time, so we need to give them 365/24/7 options for earning CPEs. To do so, we need to modernize our systems.
We’d like to be able to offer micro-certificates to our members, which are easier and faster to bring to market in deeper technical areas. We need to get better at bringing things to market quicker. We could make them free to members and at a cost to non-members. We need to enable members to be in command of their careers.
What other objectives do you have in your new role as CEO?
I want to look at our members as employees of (ISC)2 and empower them with learning development plans. We could mandate training to them, make training more hands-on, and take a more active role with their career development. We’ve been silent on that until now, but it’s a mandate the board want corrected.
I have also gone to the Board with a huge proposal for updating all of our technical infrastructure: everything from back-office systems, CRM, to finance, etc. We’re going to modernize the architecture platform we need to be on to make the learning experience better for members. We will drive in automation to enable us to run HQ as efficiently as possible.
Our web presence is running on dated platforms. We need to be faster to market and consume content better and faster, and in order to do that, you need modern architecture and systems. We’ve got the best talent pool in the company that we’ve ever had – so now is the time to do it.
Beyond your systems, what else needs to be modernized at (ISC)2?
We’re going through a decentralization effort and giving more power to the geographical regions and regional managers. We want our members to know we’re really looking out for them.
We’re also continuing to strengthen the talent bench in (ISC)2 as we continue to attract amazing talent. Ultimately, the people drive it all. Tech is a force motivator, but the people, innovation and passion are what drive any organization.
My proudest moment in this role is going to our awards ceremonies and seeing what our members do and what they achieve. They’re really making a difference.
Are you seeing an increase in female members at (ISC)2?
Actually, no. The latest workforce study showed that 12% of the industry workforce is female, but only 10% of (ISC)2 members are women. I was actually surprised the gap wasn’t bigger. It’s not good.
What’s putting women off? Possibly the ‘boys club’ factor? The culture isn’t always supportive of women coming into the industry.
Many speakers at the (ISC)2 Congress have mentioned the lack of young professionals in the industry. Why doesn’t cybersecurity attract young talent?
Only 6% of the industry is under the age of 30, and in the latest workforce study, the average age of respondent was 42. I don’t think cybersecurity is viewed by young folks as cool. The industry has a reputation of saying no, not the function that makes the company go. So we need to change the conversation. We’re trying to reach young hearts and minds through Safe and Secure Online and Garfield, but we’re also trying to use the awareness programs to show young children that cybersecurity is an exciting field. The retirement bubble is going to hit, and it’s going to take years to fill the talent pipeline.
What’s keeping your members awake at night?
The seemingly ever-increasing threat surface. The fact that they’re overworked based on limited qualified people, and frankly most are falling behind in their duties. This is compounded by the lack of new people coming into the profession. They’re also increasingly heavily involved in a range of audits that consume increasing amounts of time at the expense of operational cybersecurity requirements and responsibilities.
What’s the toughest decision you’ve made in the last 3-6 months?
After six years of co-locating the (ISC)2 Security Congress with ASIS International, the decision to branch out on our own in 2017 based on feedback from our members. This was a hard decision because ASIS International has been fantastic to work with, and convergence in the industry continues. However, I feel we need to pay closer attention to our membership’s voice and the type of programming they want at the Security Congress event.
When was the last time your board disagreed with you, what was it about, and how was it resolved?
It’s clearly inevitable that this type of situation will arise, but it hasn’t thus far in my time as the CEO of (ISC)2. We’re all members of (ISC)2 so I think there’s strong alignment regarding what we’re trying to accomplish as an organization. That said, when the situation arises where the board disagrees with me and I’ve been unsuccessful convincing them, I work at the leisure of the board of directors as their only employee.