Back in 1923, Katherine Cook Briggs wanted to understand the tendencies of her daughter's unusual fiancé, so she turned to the works of Swiss psychiatrist Carl Jung. While this would seem to win the award for most over-the-top behavior by a mother-in-law, I'll grant that as an aspiring novelist, Mrs. Briggs was justified in wanting to explore human personality types. And thus was born a lifetime interest in a process she would come to call people-sorting.
Two decades later, Mrs. Briggs' daughter Isabel, a chip off the old block, wanted to improve on the flawed model being used to place people into jobs during the War. So, she developed a questionnaire that would categorize human traits based on the original theory of Jung. By the mid-1950's, the questionnaire became a best-seller for the Educational Testing Service. Today, you'd call this the Myers-Briggs Type Indicator. (Myers, of course, was the son-in-law's name!)
If you are like me, then you've taken the MBTI questionnaire, perhaps as part of a corporate HR program. Most people report a positive experience with the process, perhaps because the personality types are described in a glass-is-half-full manner. That is, you might discover that you are a Giver, or a Provider, or a Mastermind (my own trait). But the model won't call you a Loser, or a Laggard, or a Dummy - which seems a pretty good marketing decision by Isabel.
Upon founding TAG Cyber in 2016, I began to work with several CISO clients who wanted my day-to-day coaching, advice, and consultation. My approach from Day One was seat-of-the-pants, but it immediately started bothered me that I didn't have a more formal means for understanding my clients. I considered using MBTI, but that tool didn't feel right to me. Knowing that a CISO was a Supervisor, or Commander, or Giver seemed irrelevant.
So, I decided to build my own model. I began by writing down the many different personality traits that characterized the thousands of cyber security professionals I'd observed for decades. The list started as a messy scatter-plot, but soon converged into three distinct categories. I engaged a couple of partners to help, including Frank Ableson, CEO of navitend, a New Jersey IT firm that helps me with various projects. We started writing scenarios and running tests.
The model that resulted from our work is based on the presumption that three personality tendencies are relevant to the cyber security profession. The categories matched up nicely with our personal experiences, scenario analyses, and early live testing results. What we found is that people in our industry typically display some unique mix of the three tendencies, but that one usually emerges as the predominant contributor. Here there are:
Technical - This is a personality tendency where the individual enthusiastically dives into technical challenges, confident that they can come up with a solution without having to engage outside help. This person is usually detail-oriented, perhaps having spent time coding or doing system administrative work, but this is not always the case. Many managers are trapped in a day-to-day role that prevents them from expressing their deep technical interests and passions.
Managing - This is a personality tendency where the individual believes that the optimal approach to any challenge involves organizing the best available talent into highly functioning groups. This person is usually more people-oriented, perhaps having spent some time supervising projects - but again, this is not always the case. Many people in highly technical jobs are natural managers without a good means for taking advantage of this innate tendency.
Assessing - This is a personality tendency where the individual has a high sense of justice, order, and rigor. This person often obsesses on the best possible way to accomplish a given task. This person is usually process-oriented, perhaps having worked as an IT auditor or security compliance expert, but not always. Many managers and technical people find themselves living inside bad processes that they would give anything to be allowed to fix.
To bring out these tendencies in our subjects (which sounds so lab coat), we developed our own on-line questionnaire and underlying rubric. It was not an easy task, and we quickly discovered what Isabel and her mother discovered many years earlier: Considerable subjectivity inevitably comes to play quickly when assigning proper weights to answers on questionnaires. This is flat-out unavoidable, even if you do a million different tests.
Here's an example: We developed a question that tests one's judgment in the case where you happen to discover a small error in a security audit assessment that has just been signed off by the CEO. We believe that compliance-oriented assessors will demand that the error be corrected; management-oriented people will gather members of the team together to discuss; and technically-oriented people will be super-tempted to just let the dumb thing go.
Now, is this determination perfect? . . . obviously not. But the tendencies that emerge for a subject across thirty comparable questions allow us to help self-assess that person's innate tendencies. It is important to note, by the way, that this is not a good predictor of the actual job a given subject is in today. It is, however, a useful guide to help ponder the type of job a given subject might want to consider in the future. This is especially exciting for younger people.
The tool is called CyberEXP, and you can read more about how it works at https://www.tag-cyber.com/CyberEXP/. For businesses, we are asking a modest license fee for use across the company - and we are happy to negotiate based on your size and scope. For non-profits and educational institutions, contact us and we can discuss some special programs we're setting up. The fees we collect for use of the tool allow us to reinvest in more research.
I hope you'll have a look at the CyberEXP self-assessment tool and let us all know what you think. We are hopeful that this resource can help drive cyber security to a more legitimately recognized business profession. Oh, and one more thing: You can be certain that once a prospective future son or daughter-in-law shows up at my door, I promise to give them this test, just like Mrs. Briggs did for young Myers, a century ago.