NSF “Bridging the Cybersecurity Leadership Gap: Assessment, Competencies and Capacity Building” Project

The goal of the 2013 – 2016 NSF “Bridging the Cybersecurity Leadership Gap: Assessment, Competencies and Capacity Building” project is to help address the cybersecurity leadership gap by developing Chief Information Security Officer (CISO) core competencies. The core competencies then serve as a basis to:

•    Develop learning objectives and curricula guidelines for multidisciplinary cybersecurity leadership education programs; and
•    Standardize the process of identifying, evaluating and promoting the skills and responsibilities of a CISO.

The project considered the following questions:

Q1 – What is the strategic imperative for CISO leadership?
Q2 – How strategic is the CISO role?
Q3 – What are the CISO’s responsibilities?
Q4 – Who should the CISO report to?
Q5 – What competencies should a CISO possess?
Q6 – What prior experience will contribute to CISO success?
Q7 – What learning objectives should be included in a CISO training program?

During the project, we interviewed close to 100 CISOs and cybersecurity leaders from both the government and private sectors (including financial services, healthcare, the electricity industry, the water industry, education, and consulting) around the nation. These interviews were supplemented by workshops and conferences with speakers from the U.S., Europe, and Asia, which attracted over 500 cybersecurity professionals to share and evaluate strategies and best practices.

The project resulted in two conference reports:
•    Second conference report (2015)
•    First conference report (2014)

It also produced seven cybersecurity leadership workshops, conference presentations, and papers. Most important were the CISO Core Competencies and their corresponding learning objectives. To organize the competencies, we adopted a perspectives approach similar to the one previously used by the International Academy of CIO for its CIO Core Competencies. The CISO Core Competencies are grouped into five perspectives: “Individual/Personal,” focusing on skills exercised on an individual basis; “Department/Team,” on capabilities used when leading a cybersecurity team or department; “Organization,” on competencies demonstrated at an organization-wide level; “Industry,” on knowledge and expertise outside one’s own organization; and lastly “Technology,” on the skills and capabilities needed to manage the technical aspects of a CISO’s job. Figure 1 shows the core competencies.

Ongoing Governance
George Mason University will reconvene cybersecurity leadership stakeholders in the fall of 2017 to update and revise the CISO Core Competencies in line with the evolution of cybersecurity leadership.

Investigators:
Angelos Stavrou (PI)
Director, Center for Assurance Research and Engineering
Email: astavrou@gmu.edu
(703) 993-3772

J.P. Auffret (Co-PI)
Associate Director, Center for Assurance Research and Engineering
Email: jauffret@gmu.edu
(703) 993-5641