rx for managing your info/cybersecurityworkforce in the ...€¦ · applications networks security...

1 Foote Partners, LLC

Foote Research Group © 2016 Foote Partners LLC, Vero Beach, FL - USA, (772)234-2787 www.footepartners.com

Rx For Managing Your Info/Cyber

Security Workforce in the New Normal

of Big, More Complex, Faster Moving



Immutable Truths

Without clear business alignment, your company will not prioritize security

A truly business-savvy CISO will have a truly

business-savvy strategy

If you can’t communicate your strategy

simply, you may as well not bother

If you can’t find (and keep) the right people to execute your strategy, you cannot succeed.



Hard Reality

We have to manage,

people under some of the

most difficult conditions in

modern history.

Tech workforce chaos is everywhere.



Foote Partners: Our Professional Roots

Corporate IT, Business

and HR executives

Foote Partners, LLC

Foote Research Group

(Est. 1997)

Our co-founders, senior partners and associates were formerly senior executives, analysts, consultants and practitioners at these companies.



• Benchmark and Trend Research: Research partnerships with 2,985 employers (255,600 IT professionals, 40+ industries)

– High-quality, carefully validated compensation benchmarks, continuously

updated

– Agile data engine aimed at decision support for anyone managing tech

resources and people

– Innovative data collection methodologies

– Large proprietary database

• Analyst Focus: User side IT human factors and labor markets

– Tech/business integration. Global IT workforce and skills evolution.

– IT-business value creation analysis and consulting.

– Organizational modeling and transformation

– Compensation and skills pay demand analysis and forecasting.

– IT-business hybrids

• Research & Advisory Customers: 4,200 employers, 23 countries

– SMB to the Fortune 10/Global 500, governments, not-for-profit orgs

Foote Partners Focus: TECH WORKFORCE



About Me…

• Gartner, META Group analyst and Service Director. Chief Analyst

& Chief Research Officer at Foote Partners.

• 10 years in Silicon Valley with high tech and consumer products companies, management consulting firm. Taught at Stanford B-

School.

• Pioneer: documented and published first U.S. and Canadian

salary and skills/certifications pay surveys for elusive tech jobs:

– 1994 – 1996: Web; Data Warehousing; Business Intelligence; Unix/NT Infrastructure; e-Commerce; Business Technology (hybrid IT-business jobs)

– 1998: SAP – 1999: IT skills/certs pay premiums and supply/demand analysis – 2006: Cloud computing – 2012: Epic Systems (EMR)

• Early career: HR and compensation manager



“40% of the companies in this room won’t

exist in a meaningful way in 10 years unless

they change dramatically.”

John Chambers, Chairman/Former CEO, Cisco

(WSJ conference, February 2015)

Hard Reality



Fact: Change is Really Hard

Only 12% of Fortune 500 companies

from 1955 are still in the F500 today.

Of the companies that fell out, 50%

did so between 1999 to 2009.



The speed of technological change

right now is the slowest it will be in

your lifetime.



‘s

Disruptive Tech and Influencers

Applications Networks

Security

Systems

Database

Marketing

Finance/Acct

Distribution/

Logistics

Sales

HR

Operations

Help Desk/CC



These Disruptors Are Changing Everything We Know About Running a Business

• Internet of Things ($4-$11 trillion

economic impact by 2025)

• Machine language/auto-

mation of knowledge work ($5-$7 trillion impact)

• Mobility ($3-$6 trillion impact)

• Digital engagement

• Big Data, Information

Integration, Analytics

• Cloud computing esp. virtual

computing embedded in

cloud

• Cyberthreats, APTs

• Real-time DevOps and

Micro Service Architectures

• Carbon-reducing

technology/exponential

energy

• Telemedicine

• Emerging: − Cognitive computing

− AI

− Driverless vehicles

− Immersive interfaces − 3D/4D printing



Business Value Ranking of These Disruptors



Disruption: Internet of Things

Source: McKinsey Global Institute

IoT demystified…



IoT Security Trends

• There will be 25 billion connected things by

2020 and as many as 1 trillion by 2025 by some

estimates.

• Gartner predicts that by 2020, more than 25

percent of identified cyber attacks in

enterprises will involve IoT

• IoT security market: $7 billion in 2015. But IoT

accounts for less than 10 percent of IT security

budgets on average (Gartner)

IoT is a key enabling technology for digital businesses.



Securing IoT: The “Things”

Device Management/MEMS

Embedded systems, software and

design

Wireless sensor network design

Circuit design

Microcontroller programming

Machine learning

Sensor data analysis

Integration & Gateways

MQ Telemetry Transport

TCP/IP

IPV4 & IPV6

Programming

HOT JOBS

• Info/Cyber Security Engineers

• Info/Cyber Security Infrastructure

(cloud, network, SW

development) • Data Scientists

• Network Engineers

• Design Engineers

• Hardware Engineers

• GPS Development Engineers

• Electrical Engineers

• Network Engineer

• AI Engineers



Securing IoT: Connecting “I” and “T”

HOT JOBS and SKILLS

• Cybersecurity – Visability, Analytics, Identity, Risk

• AI Experts

• UX/UI Designers

• Interaction Designers

• Visual Designers

• Product Designers

• Digital Product Designers

• BI Professionals

− JIRA, Confluence, Cognos,

Tableau, SSAS, SSIS, SSRS,

Advanced SQL and SAS

− Predictive Analytics

• NoSQL and NewSQL

• Apache Spark

• Machine Learning

• Data Mining

• Big Data

– Apache Hadoop, HDFS, Hbase,

MapReduce, Flume, Oozie, Hive,

Pig, YARN

• Cross-Skilling

– HW skills for software developers

– SW skills for hardware developers

• Communication interfaces

• Associative thinking

• Collaboration

• Pattern recognition



‘s Real, imagined

and unimagined security threats

Applications Networks

Security

Systems

Database

Marketing

Finance/Acct

Distribution/

Logistics

Sales

HR

Operations

Help Desk/CC



Cyber Security Trends



Cyber Security Growth

• Worldwide cyber security market grew to $75

billion in 2015, forecasted to reach $170 billion by

2020 driven by: aerospace, defense, and

intelligence verticals.

– HOT AREAS: Security analytics / SIEM; threat intelligence;

mobile security; cloud security.

• Prediction: The world will spend $1 trillion

cumulatively on cyber security products and

services to combat cybercrime from 2017 to 2021.



Cyber Security Growth

• Prediction: Global annual cybercrime costs will

grow from $3 trillion in 2015 to $6 trillion annually

by 2021.

• Prediction: Overall security market will grow at a

7.8 percent CAGR through 2019 – The information security market is estimated to have

grown 13.9% in revenue in 2015 (constant currency), with

the IT security outsourcing segment recording the fastest

growth



Cyber Security Workforce Trends

• Demand for cybersecurity professionals is growing

3.5 times faster than the overall IT job market and

12 times faster than the total labor market

• The demand for the cybersecurity workforce is

expected to rise to 6 million (globally) by 2019,

with a projected shortfall of 1.5 million cyber

security professionals

• More than 209,000 cybersecurity jobs in the U.S.

are currently unfilled, and postings are up 74%

over the past five years (analysis of numbers from

the Bureau of Labor Statistics).



Cyber Security Workforce Trends

• Rand Corporation study estimates there are

around 1,000 top-level cybersecurity experts

globally vs. a need for 10,000 to 30,000.

• U.S. News and World Report ranked a career in

information security analysis eighth on its list of the

100 best jobs for 2015. They state the profession is

growing at a CAGR of 36.5 percent through 2022.

– Through 2018: Demand for information security

professionals is expected to grow by 53 percent through 2018.



Spiceworks Study shocker

• Found that even though 80% of organizations

experienced a "security incident" in 2015, only 29%

of companies had a cybersecurity expert working

in their IT department

• Only 7% have a cybersecurity expert on their

executive team.

• 55% said that their business didn't have "regular

access" to any IT security experts at all, internal or

third-party, with the majority of companies also

reporting they had no plans to hire or contract one

within the next year.



ISACA/RSA Study

• 52% of global cyber security and IT managers and

practitioners said that “less than a quarter of

applicants for cybersec positions have the

necessary skills”

• 53% said it can take 3 to 6 months just to find a

“qualified candidate” and another 3 months to on

board them.

• Typical: unstructured security teams that do not

provide professional growth or continued

education opportunities



ISACA/RSA Study, cont’d.

• The few qualified cybersec pros are spread too thin

and tend to burn out quickly. Made worse by:

– Culture of paranoia and antagonism

– Performance measured based on breaches

– Salaries not high enough to compensate for the stress

A Theory

The real cause of the infosec talent shortage

isn’t lack of new people, but retention and

churn at the highest levels.



Here’s Why It’s Hard to Find Cyber Security Talent in the Marketplace

• Consulting firms can offer things you can’t

• Large metropolitan regions monopolize talent pool

(D.C., No. VA, MD, CO)

• Short tenure of CISOs and most highly skilled cyber

staff

• Barriers: Industry, reporting structure, salary,

technology, learning potential, management

support



Here’s Why It’s Hard to Find Cyber Security Talent

• Large institutions handicapped by specialization...

It can prevent career progression

• Looking in the wrong places

• Higher education is not producing enough cyber

security pros

• Companies internally develop skills but forget to

align with market pay levels



Compensation for Info/Cyber

Security Jobs and Skills



Definitions: Info vs. Cyber Security

• Information Risk Management

• Valuing Asset Inventory

• Risk Management

• Threat Intelligence and Analysis

• Identity

• Visibility

• Process Optimization and Agile Controls

• Data Management

Key functions of modern Cyber Security departments



Cyber Security Jobs

• Cyber Security Analyst

• Cyber Security Engineer

• Cyber Security Specialist

• Cyber Security Architect

• Cryptography experts

• Cyber forensics experts

• Security Administrator

• Forensics Examiner,

Auditor, Systems Engineer

or Integrator

• Incident Handler

• Intrusion Analyst

• Malware Analyst

• Penetration Tester

• IT Security Risk Analyst

• Infosec Director or Mgr.



Cyber Security Jobs are Different than

Infosec Jobs

• Cybersecurity positions are more likely to

require certifications than other IT jobs. 35% of

cybersecurity jobs call for an industry

certification, compared to 23% of IT jobs

overall.

• Difficulty finding specialized multidimensional

security professionals with seemingly endless

variations of tech, business, and ‘soft’ skills,

knowledge, and experience.



Expanding Definition of ‘Tech Professional’



FP Research Partner Demographic (2,985 employers)

• 18% of participating organizations have $5 billion+ in sales/$15+

billion in total assets

• 28% of participating organizations earn more than $1 billion in

annual revenues or more than $5 billion in total assets

• 46% of participating organizations have $500+ million in sales/$1+

billion in total assets/$500+ million in premiums/$500+ million

operating budget (government, educational, not-for-profit)

• 54% of participating organizations fall in the SMB (small-to-

medium sized business) segment, generally defined as

organization under $500 million in sales.

• 5% of participating organizations are: Public Sector with

operating budgets of $500 million or more; 4% are Not-For-Profit

and Educational sectors with operating budgets $100 million to

less than $500million



Foote Partners IT Skills and Certifications Pay Benchmark Surveys

• IT Skills and Certifications Pay IndexTM

• IT Skills Demand and Pay Trends ReportTM

• IT Skills and Certifications HOT LIST Forecast

• IT Skills & Certifications Volatility IndexTM



Foote Partners 2016

IT Compensation

Survey and

Job/Role Definition

Product Map

Foote Partners Overview: IT Compensation Benchmark Research

IT Professional

Salary Survey

(202 Jobs, 36

IT job families)

IT Skills & Certification

Pay IndexTM

(885 skills/certs)

IT Salary+Skills Pay

Survey Reports

Survey Demographics• 65 US/18 Canadian cities• 255,600 IT workers

• 2,985 employers• 45+ industries

• Updated continuously.

Salary Reports

• by job family

• by job family clusters

• for individual jobs in

selected cities

SALARY+SKILLS REPORTS AVAILABLE:

• Applications Development

• Big Data

• Business Analysts/Business Technology

• Database • Data Warehousing/Business Intelligence

• E-Commerce

• IT Architecture

• Microsoft Windows

• Networking Operations & Engineering • Project Management

• SAP

• IT Security

• Systems Engineering and Administration

• Web/I-net

Long-form

Job Descriptions• updated continuously

• comprehensive, includes

internal/external relationships key

to job success; skills and

certification; detailed experience factors.

Short-form Job Profiles (JD excerpts)

JOB FAMILIES AVAILABLE: - Big Data - Business Technology

- Business Applications Delivery- Cloud Computing - Data Analytics- Data Management- Data Warehousing/BI- Database Administration- Database Developers - DevOps- Digital Product Development- e-Commerce/e-Business- Enterprise Applications- Enterprise Infrastructure- Epic Systems - Help Desk- IT Architecture - IT Security- Internets/intranets/extranets- Java Developers- Lotus Notes/Domino- Messaging- Mobile Computing- .NET Developers- Network Eng. & Operations- Project Management- SAP- Six Sigma- Software Quality Assurance- Storage/SAN/NAS- Systems Eng. & Operations - Unix/NT/Linux- Voice Engineering- Web/I-net

IT Infrastructure Survey IT Base Positions

Survey

IT Skills Volatility Index

IT Skills HOT LISTS Forecast

IT Skills Demand and Pay Trends

Report



• First(1999) and only comprehensive continuous IT

skills pay and demand survey

• Verified skills pay premiums data: 69,900

IT professionals in US and Canada

• Current market pay premiums for 880 certified and

noncertified tech skills (10th/50th/90th percentiles

reported)

• IT skills and certs market trends: historical, current,

forecasts

IT Skills and Certifications Pay IndexTM 3Q 2016 data edition (through 10/1/16)



What Are Individual IT Skills/Certs Earning? Certified vs. Noncertified, 2000 to 2016

10.2

9.23%

7.95

7.68%

3.0%

4.0%

5.0%

6.0%

7.0%

8.0%

9.0%

10.0%

11.0%

What is an Individual IT Skill or Certification Worth? Quarterly Average Median Pay for 880 Skills/Certs Since 2000

(expressed as equivalent percent of base salary)

Source: Foote Partners' IT Skills and Certifications Pay IndexTM,2000 - 2016 editions

NOTE: Values are expressed as % of base salary but may or may not be paid as part of salary.

412 IT Certifications(Median average for a single cert)

468 Noncertified Skills(Median average for a single skill)

© 2016 Foote Partners LLC

U.S. Unemployment Rate(at end of each quarter)



Change in Average Premium Pay

by Category

IT CERTIFICATIONS CATEGORIES

# of certs

surveyed 3Q 2014 3Q 2015 3Q 2016

% Change

3 mos

% Change

6 mos

% Change

ANNUAL

% Change

2 yrs

Foundation level and Training 8 3.0% 4.3% 4.0% 0.0% -3.0% -5.9% 27.0%

Apps Development/Prog. Languages 46 6.5% 6.7% 7.0% 2.7% 4.1% 4.9% 7.9%

Database 38 7.8% 7.7% 7.7% 0.1% -0.9% -0.1% -1.4%

Web Development 11 2.9% 2.8% 2.8% 0.0% 0.0% 0.0% -3.1%

Networking & Communications 86 5.9% 5.8% 5.6% -2.2% -2.6% -2.7% -5.3%

System Administration/Engineering 97 6.8% 7.0% 6.9% -1.9% -1.9% -2.2% 0.9%

Information Security 80 9.0% 9.3% 10.3% 3.8% 7.5% 10.7% 15.0%

Architecture/Project Management/Process 46 11.0% 10.9% 10.9% 0.2% 1.2% 0.2% -0.6%

ALL CERTIFICATIONS REPORTED 412 7.2% 7.5% 7.7% 0.66% 1.93% 2.94% 7.25%

(expressed as a % of

base salary)

Average Pay - Single Cert

Certified IT Certs Pay: 3/6/12/24 mo. Trends (through 10/1/16)

Certification Pay Premiums by Category (median)

(through 10/1/16)

Source:

Foote Partners LLC, 2016 IT Skills & Certifications Pay Index – Q3 2016 edition

https://www.issa.org/conf/?p=105



2%

4%

6%

8%

10%

12%

IT Certifications Premium Pay - by Category, Last 13Years

Information Security

Database

Architecture/Project Management/Process

Web Development

Foundation level & Training

<--ALL CERTS

Apps Dev/Program

Languages

Systems Admin/Eng.

(Values expressed as equivalent of % of base salary)

13%

Networking/Comm.

Right now…… IT Certification Market Pay Vectors (412 certifications reported)

Source:

Foote Partners LLC, “IT Skills & Certifications Pay

Index” (data through 4/1/2016)



APO

ISACA Certifications P10 Median P90 3 mos. 6 mos. 1 year

Certified in Risk and Information Systems Control (CRISC) 10% 13% 15% 18.2% 18.2% 8.3%

Certified Information Security Manager (CISM) 11% 13% 15% 8.3% 8.3% 8.3%

Certified Information Systems Auditor (CISA) 9% 12% 14% 0.0% 0.0% 0.0%

CSX CyberSecurity Practitioner (CSXP) 9% 12% 14% na na na

Certified in the Governance of Enterprise IT (CGEIT) 9% 12% 14% 20.0% 20.0% -7.7%

AVERAGE 9.6% 12.4% 14.4%

QUARTER Delta 3Q2016 vs. 2Q2016 10.2%

6 Mos. DELTA: 3Q2016 vs 1Q 2016 15.3%

ANNUAL 3Q2016 vs. 3Q2015 5.5%

2-YEAR 3Q2016 vs. 3Q2014 1.2%

Growth/Decline in market

value

Pay Premium as Equivalent

% of Base Salary - 3Q 2016

ISACA, Cybersecurity Certifications Pay: 3/6/12/24 mo. Trends (through 10/1/16)

Source: Foote Partners LLC, 2016IT Skills & Certifications Pay Index – Q3 2016 edition

APO

Other Cyber Security Skills/Certifications P10 Median P90 3 mos. 6 mos. 1 year

Certified Cyber Forensics Professional 15% 18% 20% 0.0% 12.5% na

Certified Forensic Computer Examiner (CFCE) 13% 16% 18% 6.7% 23.1% 23.1%

Cryptography (encryption, VPN, SSL/TLS, Hybrids) 11% 14% 16% -6.7% 0.0% 16.7%

Cybersecurity 14% 17% 19% 0.0% 0.0% 6.3%

CyberSecurity Forensic Analyst (CSFA) 13% 16% 18% 0.0% 0.0% 0.0%

EC-Council Certified Ethical Hacker (CEH) 9% 12% 14% 9.1% 9.1% 9.1%

EC-Council Computer Hacking Forensic Investigator (CHFI) 12% 15% 17% 0.0% 25.0% 25.0%

GIAC Certified Forensics Analyst (GCFA) 12% 15% 17% 7.1% 25.0% 36.4%

GIAC Certified Forensics Examiner 13% 15% 17% 9.0% 9.0% 20.0%

Growth/Decline in market

value



Data available

by request

Data available

by request



Highest Paying Security Certifications


Certifications - Info/Cyber Security P10 Median P90

Certified Cyber Forensics Professional 15% 18% 20%

GIAC Security Leadership(GSLC) 14% 16% 18%

Certified Forensic Computer Examiner (CFCE) 13% 16% 18%

CyberSecurity Forensic Analyst (CSFA) 13% 16% 18%

GIAC Reverse Engineering Malware (GREM) 12% 16% 18%

GIAC Certified Forensics Examiner 13% 15% 17%

GIAC Exploit Researcher and Advanced Penetration Tester (GWAPT) 13% 15% 17%

GIAC Web Application Penetration Tester (GWAPT) 13% 15% 17%

EC-Council Certified Incident Handler 12% 15% 17%

EC-Council Computer Hacking Forensic Investigator (CHFI) 12% 15% 17%

GIAC Certified Forensics Analyst (GCFA) 12% 15% 17%

InfoSys Security Architecture Professional (ISSAP/CISSP) 12% 14% 16%

GIAC Enterprise Defender (GCED) 11% 14% 16%

GIAC Secure Software Programmer--Java 11% 14% 16%

Certified Information Security Manager (CISM) 11% 13% 15%

Certified Information Systems Security Professional (CISSP) 11% 13% 15%

InfoSys Security Engineering Professional (ISSEP/CISSP) 10% 13% 16%

Certified in Risk and Information Systems Control (CRISC) 10% 13% 15%

EC-Council Licensed Penetration Tester (LPT) 10% 13% 15%



Data available

by request



Highest Paying Security Certifications



Certifications - Info/Cyber Security P10 Median P90

Certified Cloud Security Professional 10% 12% 14%

Certified Fraud Examiner 10% 12% 14%

Check Point Certified Security Master (CCMA) 10% 12% 14%

GIAC Certified Penetration Tester (GPEN) 10% 12% 14%

EC-Council Certified Security Analyst (ECSA) 10% 12% 13%

Certified Computer Examiner (CCE) 9% 12% 14%

Certified Information Systems Auditor (CISA) 9% 12% 14%

CSX CyberSecurity Practitioner (CSXP) 9% 12% 14%

EC-Council Certified Ethical Hacker (CEH) 9% 12% 14%

GIAC Assessing Wireless Networks 9% 12% 14%

GIAC Certified Intrusion Analyst (GCIA) 9% 12% 14%

GIAC Secure Software Programmer-- .NET **retired** 9% 12% 14%

InfoSys Security Management Professional (ISSMP/CISSP) 9% 12% 14%

Certified Healthcare Information Security and Privacy Practitioner (ISC2) 9% 11% 13%

GIAC Certified Perimeter Protection Analyst (GPPA) 9% 11% 13%

GIAC Systems and Network Auditor (GSNA) 9% 11% 13%

EC Council Certified Network Defense Architect Certification 8% 11% 13%

GIAC Certified Incident Handler (GCIH) 8% 10% 13%

Check Point Certified Security Expert (CCSE) 8% 10% 12%

CompTIA Security+ 8% 10% 12%

Professional Certified Investigator 8% 10% 12%

Check Point Certified Security Administrator (CCSA) 7% 10% 12%

Security Certified Network Architect (SCNA) 7% 10% 12%



Data available

by request



Highest Paying Noncertified Security

Skills


APO

Security noncertified skills P10 Median P90

Cybersecurity 14% 17% 19%

Security architecture and models 14% 17% 19%

Security skills (DW/BI, ERP, Web, project assigments) 12% 15% 17%

Mobile security 11% 13% 15%

Cloud security 9% 12% 14%

Secure software development 9% 12% 14%

Data security 9% 11% 13%

Virtual security 8% 10% 12%

Wireless security 7% 9% 11%

SAP Security 7% 9% 11%

Network security management 6% 8% 10%



Data available

by request



3Q 2016 Salaries: Info/Cyber Security

Sr. Cyber Security Specialist

10th 25th 50th Average 75th 90th

U.S. National Average (65 cities) $99,467 $107,435 $117,119 $118,554 $129,534 $139,893

National: Highest $148,950

National: Lowest $101,035

Bonus (Actual) - National $13,041

Total Cash - National $131,595

Cyber Security Specialist







Source: Foote Partners LLC, 2016 IT Professional Salary survey – Q3 2016 edition




Sr. Information Security Analyst







Information Security Analyst








Security Architect










Sr. Security Administrator







Security Administrator











Data Warehouse/Business Intelligence Security Manager







Web Security Manager











Manager, Information Security







Vice President, Information Security







Director, Information Security










Is It Time to Change Your

Security Management Model?



Source: US State of

Cybercrime Survey (PwC,

CSO Magazine, Carnegie

Mellon, US Secret Service)

Demographic:

500 executives of US

businesses, law

enforcement services,

and government

agencies.



Is It Time to Change Your Security Model?

Source: CIO, CSO, Computerworld (n=287)

56% said 3 years or more



Lack of Dedicated Security Pros


*Only 37% have dedicated security staff



Workforce Trends

Source: EY’s Global Information Security Survey 2015



Security Spending Accountability

How are you tracking security spending?

Source: SANS Institute



Is It Time to Change Your Security Model?




Source: US State of

Cybercrime Survey (PwC,

CSO Magazine, Carnegie

Mellon, US Secret Service)

Demographic:

500 executives of US

businesses, law

enforcement services,

and government

agencies.



Where Should Info/Cyber Security Be on the Corporate Org Chart?

IT Department/ Telecomm

Purchasing Department

Accounting Department

Operations Group

Risk Management Department

Product Development

Marketing Department

Office of the General Counsel

Info/Cyber Security

Each of these constituents have a big vested interest



Workforce Trend: CISO Attributes

• Source: Ernst &

Young

Source: IDG



CIO Archetypes as CISO Archetypes?

Key competencies



CIO Archetypes as CISO Archetypes?

Source: State of the CIO 2008, CXO Media Inc; CIO Role and Success Factors, Foote Partners, LLC, March 2008

Business StrategistTransformational LeaderFunctional HeadCIO Role

Primary

Activities

Key

Characteristics

Description

Key FocusEnterprise strategy and

competitive differentiation

Alignment with business

process transformationOperational excellence

Driving business strategy for competitive advantage, activities extend across the enterprise and beyond.

Creating change through business partnerships; activities centered on IT process re-engineering and automation.

Activities intended to achieve IT operational excellence.

Developing/refining business strategy

Understanding market trends

Developing external customer insight

Developing business innovations

Identifying opportunities for competitive differentiation

Reengineering or developing new sales and distribution channels

Redesigning business processes

Aligning IT initiatives & strategy with business goals/strategy

Cultivating the IT/business partnership

Leading change efforts

Implementing new systems and architecture

Mapping IT strategy to overall enterprise strategy

Managing IT crises

Developing IT talent

Improving IT operations

Improving system performance

Security management

Budget management

Focuses on the entire enterprise

Locates opportunities for competitive advantage and differentiation

Develops business innovations

Acts as “trusted advisor” to C-suite leaders

Builds IT/business/customer linkages

Excels at architecture and planning

Concentrates on IT efficiency and operational competence

Drives standardization

Measures and monitors continuously

Business StrategistTransformational LeaderFunctional HeadCIO Role

Primary

Activities

Key

Characteristics

Description

Key FocusEnterprise strategy and

competitive differentiation

Alignment with business

process transformationOperational excellence

Driving business strategy for competitive advantage, activities extend across the enterprise and beyond.

Creating change through business partnerships; activities centered on IT process re-engineering and automation.

Activities intended to achieve IT operational excellence.

Developing/refining business strategy

Understanding market trends

Developing external customer insight

Developing business innovations

Identifying opportunities for competitive differentiation

Reengineering or developing new sales and distribution channels

Redesigning business processes

Aligning IT initiatives & strategy with business goals/strategy

Cultivating the IT/business partnership

Leading change efforts

Implementing new systems and architecture

Mapping IT strategy to overall enterprise strategy

Managing IT crises

Developing IT talent

Improving IT operations

Improving system performance

Security management

Budget management

Focuses on the entire enterprise

Locates opportunities for competitive advantage and differentiation

Develops business innovations

Acts as “trusted advisor” to C-suite leaders

Builds IT/business/customer linkages

Excels at architecture and planning

Concentrates on IT efficiency and operational competence

Drives standardization

Measures and monitors continuously



Workforce Trends

• IDC predicts that by 2018, fully 75 percent of chief

security officers (CSO) and chief information security

officers (CISOs) will report directly to the CEO, not the

CIO.

• Prediction: The chief risk officer will be in heavy

demand position within the next five years – a single

leader who can create a culture of security, map

organizational structures, and set budgets.

– Role will oversee all areas of risk exposure: IT risk, physical

security, personnel security and protection of assets

including intellectual and reputational capital.



Things you need to be thinking

about now*

(*if you want to keep your job)



Two things that are working for

reducing Cyber Security

human capital chaos:

People Architecture

Agile Compensation



Managing People Can Be Architected?

Yes! People Architecture is about marrying old and new

processes, programs, practices and technology into an agile, forward-focused enterprise operational HCM model

precisely tuned to:

Aggressive, constantly shifting business strategies

Fluid organizational and skill requirements

Volatile labor markets

Corporate cultures that

resist change

Performance philosophies that

need to work to get the best

out of your people



Advantages of Any Type of Architecture

• Improved decision making

• Minimization of unwanted circumstances

• Improved adaptability to changing

demands or market conditions

• Elimination of inefficient or redundant

processes

• Optimizing the use of your assets



Info/Cyber Security People Architecture Domains

• Job design, definition, and documentation

• Compensation design, structure and

benchmarking

• Incentive design and recognition practices

• Skills demand analysis, acquisition and pay

• Job/career paths and professional development

• Hiring, retention and motivation

• Work/life balance

• Governance



PArch inserts a new HR foundation under what’s already there

Option 1: You can keep much of what

you already have but strengthen and

rebuild foundational systems to reduce

severity of workforce problems (e.g.

staff retention, skills acquisition, talent

recruiting)

‘Clean sheeting’ your HR systems and practices isn’t realistic no matter how

broken they are. But incrementally strengthening the human capital mgt

foundation over time---and in a big way---is what People Architecture enables.

Option 2: You can replace HCM systems,

programs and practices with more

effective ones (in phases), while also

building a stronger foundation and

adding new critical capabilities for

future requirements.

Post Hurricane Sandy renovation

Post Hurricane Sandy new construction



Tips for Building a Great Security Team

• Rethink everything

– Continually assess where you are and where

you need to be

• Formalize underserved functions

– EX: form a crisis management team assigned

to handle the unexpected

• Demand proven business skills

• Create a communications czar for security

– Your PR representative in the enterprise,

focusing on teachable topics



Tips for Building a Great Security Team

• Nurture dissent

– Get everything out in the open so it can be

discussed and decided

• Search globally, promote internally, leverage

mobility

– Be what your talent wants



Tips for Retaining a Great Security Team

Know who you want to keep around, train them, and pay

them what they’re worth if you expect to keep them

Ensure employees have access to coaching

Change up project assignments

Give them somewhere to vent

Provide opportunities for career development

Encourage continued education

Give them metrics to measure success

Train your talent on how to approach stressful situations

Promote work-life balance

Keep the job interesting

Don’t enforce ranks when it comes to ideas



Questions CISOs Should Be Probing

• How well do you understand what surviving in the

digital world means for you and your

organization?

• What are the threats and vulnerabilities you

should fear?

– Do you really have confidence in your understanding of the

threats/vulnerabilities in the digital world?

– Have you done the work and thinking required to determine

how that threat landscape applies to your organization and

strategy and prioritized cybersecurity measures around this?

– Do you know how to set your risk appetite to determine the

acceptable and unacceptable loss and harm from potential

incidents as part of developing your cyber breach response

management program?




• Can you stop the attacks?

– How can you protect your organization against a cyber incident if you do not know what it is the attackers are

targeting?

– How will they be able to gain access and how would this

damage you and your critical assets?

– Do you fully understand your organization’s ability to

respond, contain and recover from an attack?

• What are the worst case scenarios?

• How are you detecting the small, subtle signs?

• Is “high alert” your constant state?




• What needs to be improved?

– What information about my organization/business is available to

any attacker? How could they use it?

– What sort of attackers are my more likely adversaries :

Hacktivists? Criminal networks looking for things to sell?

Fraudsters? Nation-state attackers?

– What are their capabilities (e.g., likely resources, timeline,

technical capabilities, ability to recruit insiders)?

– For each of the more likely adversaries, what are they likely to be

interested in? (Match this to your list of what really matters to

your organization/business — your “crown jewels.”)

– How vulnerable are these desired targets/assets, and how could

they be exploited?




• What needs to be improved, cont’d?

– What specific paths might the adversaries take to their

desired target (e.g., through an air-conditioning system,

through a payment system, by recruiting an insider, by

spear-phishing board members or targeted employees

who have access)?

– What are the most effective counter-measures?

– What more can I learn from previous encounters with

adversaries?



Keep Your Cybersecurity Strategy

Simple

• Identify your digital assets

• Conduct a holistic risk assessment

– Combining low level technology with business driven aspects

of security.

• Assure continuous monitoring

• Visibility + Analytics

– They’re already in the front door. How do you respond

effectively: how do they attack quickly, how do you reduce

their time in your networks, how to you do with incident

response. When did they get in, how bad was the

compromise, what was taken, what’s the root cause?

– Visibility is about collecting data. Analysis is how you glean

insight from the data and take meaningful action based on

visibility




Simple, cont’d.

• Identity

– Only the right people can access the right things at the right

time.

• Risk: the language of the board and senior execs

– How to translate technical details in ways they can

understand, e.g. Business Continuity, IP violations, brand

reputation

• Business context around threats



• Technologies and processes you must have now

– Security analytics

– Full packet capture

– Provide visibility across the enterprise

– Handle identities comprehensively, e.g. lifecycle, governance

• Biggest shifts in priorities and capabilities

– From prevention, AV, IPS to detection/response, visibility,

machine learning, AI to security as a business risk issue, period.

Getting past tools and technology

– Insider threats, identity assurance(letting the good guys in)

visibility + analytics (keeping the bad guys out), biometrics,

image recognition, continuous monitoring,

• Make vendors compete in a result-oriented RFP


Simple, cont’d.



Six Steps to a Better Security Strategy

1. Become A Credible Stakeholder Understand your organization.

Know the personalities

2. Connect With The Business Understand current business strategies

Get to know business projects. Pick up on pet projects

Align with goals and metrics.

3. Find The Gaps: Clear view of security risks that are

most threatening to your company Record control gaps and vulnerabilities.

Identify and quantify risks.

Identify potential controls.



Six Steps to a Better Security Strategy

4. Identify Security Challenges Monitor regulatory activity.

Track relevant news stories

Watch the activity of your peers and competitors.

Anticipate new technology projects

5. Brainstorm New Opportunities New technology offers new possibilities

Hidden process improvements can appear.

6. Bring It All Together Generate the big list. Collate the identified security tasks, removing

duplicates, into one comprehensive list of security activities associated

with known business plans — a potentially big list

Create security initiatives.

Connect security initiatives to business interests

Agree on priorities



For additional information contact: FOOTE PARTNERS LLC 4445 North A1A, Suite 200 Vero Beach, Florida 32963 USA Tel: 772-234-2787 Fax: 775-262-6619 www.footepartners.com

Foote Partners, LLC Foote Research Group

www.footepartners.com



Foote Partners Information



Canadian Cities Surveyed

Tier 1 U.S. Cities Surveyed Atlanta, GA

Boston, MA

Chicago, IL

Dallas, TX Detroit, MI

Houston, TX Los Angeles/Orange Cty

Miami, FL

Minneapolis, MN New Jersey/Northern

New York, NY Philadelphia/So. NJ

Phoenix, AZ

San Diego, CA San Francisco, CA

San Jose, CA Seattle, WA

St. Louis, MO

Washington, DC Westchester County, NY/Lower

Fairfield Cty, CT

Tier 2 U.S.Cities Surveyed

Greenville/Spartanburg/

Oakland/Walnut Creek/

Calgary, ALTA

Edmonton, ALTA

Halifax, NS

Hamilton, ONT

Kitchner, ONT

London, ONT

Mississauga, ONT

Montreal, QUE

Oshawa, ONT

Ottawa, ONT

Greensboro/Winston Salem, NC

Anderson, SC

Hartford, CT Indianapolis/Ft Wayne Kansas City, MO

Las Vegas, NV Long Island, NY

Louisville, KY Memphis, TN

Madison, WI

Milwaukee, WI

Nashville, TN New Orleans, LA Norfolk/Virginia Beach/

Newport News, VA

Concord CA Oklahoma City, OK

Orlando, FL Peoria, IL

Omaha, NE

Pittsburgh, PA Portland, OR

Princeton/So. NJ Providence, RI

Raleigh/Durham, NC

Sacramento,CA

Salt Lake City, UT San Antonio, TX

Tampa, FL

Upper Fairfield County/ New

Haven, CT

Tulsa, OK

Albuquerque/Santa Fe,NM Austin, TX Baltimore, MD

Birmingham, AL

Charlotte, NC

Cincinnati, OH

Cleveland/Akron,OH

Columbus OH

Colorado Springs, CO

Dayton, OH

Denver, CO

Grand Rapids, MI

Des Moines, IA

Quebec, QUE

Regina, SASK

Saskatoon, SASK

St. Catherines, ONT

Toronto, ONT

Vancouver, BC

Windsor, ONT

Winnipeg, MAN

Memphis, TN

Buffalo, NY

Foote Partners Overview: Data and Analytical Research Geography

Boulder, CO

Boise, ID



• Audit, Control, Governance

• Big Data and analytics

• Business Intelligence; Data Warehousing; Data

Management

• Business Process Improvement

• Business Transformation Capability Planning and

Management

• Business Value Measurement, Analytics and

Management

• Centralization, standards and governance

• CIO/IT executive management

• Cloud computing

• Collaboration, workflow and productivity

• CRM

• Enterprise Architecture

• Enterprise Project Management

• HR Systems

• IT Human Capital Management

• Information Security

• International HR Management, incl. expatriate

and specialty HR program development and

management

• IT Executive/Professional Salary, Bonus, and Skills

Compensation

• Leadership Development

• Managed services

• Mobile platform computing

• Networking and Communications

• Offshore Outsourcing (ITO, BPO, BTO)

• Organizational Change/Transition

Management

• People Architecture

• Process Improvement/MOC

• Quality management (ITIL, CMM, Lean Six

Sigma)

• SaaS/hosted productivity applications,

PaaS (platform as a service)

• SAP/ERP

• Service-oriented architectures (SOA)

• Six Sigma

• Social media value creation

• Staffing augmentation

• Stakeholder planning and management

• Succession Planning

• Total Rewards/Workforce Retention

• Virtualization, VDI, virtual appliances

• Web-oriented architectures (WOA)

Business, IT and HR Advisory Areas

Foote Partners Overview



• Market Intelligence and Analysis

• Competitive Benchmarking

• Market Research and Analysis

• Opportunity Analysis

• Competitive Product/Service Pricing

and Positioning

• Market Planning and Strategies

• Product/Service Assessments

• Organizational Assessments

• End User Requirements

• Strategic Planning

• Business Planning

• Risk Assessment

• Technology Evaluations

• Product Positioning

• Pricing and Cost Analysis

• Customer Satisfaction

• Cost/Benefit Evaluations

• Due Diligence

• Stakeholder Analysis, Planning

and Management)

Market and Competitive Intelligence





Management Consulting / Custom Advisory Services

People Architecture

IT Market and Workforce Intelligence

Business Intelligence/Analytics

IT Executive & Professional Compensation

International HR and Expatriate Administration

Enterprise Capability Planning/Process and Capability

Management (new-gen EA)

IT Management & Organization Services

Professions and Retention Services

Outsourcing/Offshoring/Strategic Resource Management

Organization/Transition Management

Corporate Strategy and Business Development



• IT Professional Salary SurveyTM reports (207 positions)

• IT Skills and Certifications Pay IndexTM (880 skills)

• IT Salary+Skills Pay Survey TM reports

• IT Insider Professional Job DescriptionsTM

• Additive Matrices (job definition/design; career paths)

• IT Skills Demand and Pay Trends ReportTM

• IT Skills and Certifications HOT LIST Forecast

Foote Partners People Architecture Tools

2016 IT Professional

Salary Survey

1st Quarter data edition

U.S. cities

2016 IT Skills &

Certifications Pay

Index

835 Skills and Certifications

January 2016 Update

2016 IT Skills and

Certifications

Volatility Index

January 2016 Update

2016 IT Skills

Demand and Pay

Trends Report

January 2016 Update

rx for managing your info/cybersecurityworkforce in the ...€¦ · applications networks security...

Documents