A turning point was the TJX breach in 2006, which led to data-breach disclosure legislation and increased scrutiny of corporate data-handling practices, says Larry Wilson, information security lead in the University of Massachusetts President’s Office. From then on, demand for security pros “really started to accelerate.”
Data from Boston-based labor analytics firm Burning Glass highlights the spike in demand: cybersecurity job postings grew 74% from 2007 to 2013, which is more than twice the growth rate of all IT jobs. The labor pool has yet to catch up. U.S. employers posted 50,000 jobs requesting CISSP credentials in 2013, a year in which the population of CISSP holders numbered 60,000, Burning Glass said in its 2014 report.
“The size and scope of the problem has grown dramatically as the threat has increased and as we've seen more high-profile breaches,” says Charlie Benway, executive director of the Advanced Cyber Security Center (ACSC), a nonprofit consortium of industry, university, and government organizations. “Executive management and boards of directors are now recognizing that cybersecurity is not just a tech problem, it’s a business problem. We're starting to see more executive-level emphasis on cybersecurity, more resources coming into cybersecurity, across all industry sectors. That has definitely increased the demand for cybersecurity folks.”
“It’s probably 10 to 12 times harder to find cybersecurity professionals than it is to find general IT professionals,” says Rashesh Jethi, a director in the services group at Cisco, which last year pegged the number of unfilled cybersecurity jobs around the world at 1 million.
Enterprises are definitely feeling the pain. Eighty-six percent of organizations polled by ISACA believe there’s a shortage of skilled cybersecurity professionals. Not only that, most companies feel they’re at risk. Just 38% of ISACA members believe their organization is prepared for a sophisticated cyberattack.
When you've got everybody in the world realizing they need to do something and going to the market, it leads to a skills shortage, especially when we haven't been training people with these skill sets necessarily, says Stroud.
Just as security tactics have changed, so too has security leadership.
In the past, security was typically IT’s domain, “part of something you did in infrastructure or in networking,” Jethi says. Today, more companies have a chief security officer (CSO) or a chief information security officer (CISO) who’s explicitly responsible for security.
These changes require more manpower at all levels, industry watchers say. On the technical side, system complexity has created a need for security admins. Years of accumulating security products have left companies with dozens of products to support, oftentimes from vendors that have gone out of business or been acquired. Companies need people to maintain those systems and secure the infrastructure, Jethi says.
On the strategic side, "you need people who can do more than configure rules and policies and 'keep the bad guys out.' You need data scientists. You need people with different backgrounds. You need people who can look at large quantities of data and can analyze trends and are good at spotting anomalous behaviors in those data patterns,” Jethi says. “That's a very different skill set than somebody who can configure equipment."
If there’s a silver lining, it’s for qualified job hunters. Their options abound. According to tech careers site Dice, job postings for security professionals are up year-over-year, with cybersecurity up 91% and information security up 48%.
"At the moment, if you're a cybersecurity professional, and you have the skills, it's a very good market. You can do very, very well,” Stroud says.
High salaries reflect the demand. The average IT starting salary is expected to climb 5.7% in 2015, according to Robert Half Technology (RHT). Five out of six security titles in RHT’s annual salary guide are getting larger-than-average bumps in pay for new hires:
- Chief security officer: starting pay ranges from $134,250 to $204,750, a gain of 7.1% compared to 2014;
- Data security analyst: $106,250 - $149,000, up 7.4%;
- Systems security administrator: $100,000 - $140,250, up 6%;
- Network security administrator: $99,250 - $138,500, up 5.3%;
- Network security engineer: $105,000 - $141,500, up 6.7%; and
- Information systems security manager: $122,250 - $171,250, up 6.6%.
Certifications drive starting salaries even higher, RHT notes. In the security category, having a Certified Information Systems Security Professional (CISSP) certification adds 6%, on average, to IT salaries, while Check Point Firewall administration skills are worth a 7% bump, Cisco network administration skills add 9%, and Linux/Unix administration skills add 9% to starting pay.
The allure of compensation contributes to another staffing challenge for enterprises: turnover. It’s particularly tricky to keep top security talent. CISOs and other senior security executives leave after 2.5 years, on average, according to research from Ponemon Institute.
Just How Hard Is It To Find People?
Benway tells the story of one global technology company whose stringent hiring standards have made it a target for poaching security talent – even before that talent shows up for work. "One of their competitors has a policy now that if this particular company makes an offer to any individual, the competitor company will offer that individual 10% more. Sight unseen, no interview necessary, because they know they've made it past that particular bar," Benway says. "That's the kind of thing some of these companies are facing."
One reason it's hard to find people is the maturity of the profession. Roles such as SAP architect or Java developer are mature, well-defined jobs with established skill sets and training protocols. By comparison, cybersecurity is relatively new, Jethi says.
Experts agree more education and training are critical to increase the candidate ranks. "One of industry's biggest concerns, or criticisms, relative to security talent that’s coming out of colleges and universities is that ... the academic learning is terrific, but you really need hands-on experience in a cybersecurity environment," Benway says.
To help address this issue, Cisco is running a pilot program with Duke University and Purdue University. "We're looking for people with engineering, analytical, and data backgrounds and abilities and interest, and we're offering them internships with our security business," Jethi says. The interns work on site at Cisco’s security operations centers. "Even while they're in school, the internship allows them to get specialized exposure to the cybersecurity program."
For its part, ACSC is working to launch a fellowship program that will connect students with industry players to improve talent development. Harvard, MIT, Boston University, Northeastern University, UMass, and Worcester Polytechnic Institute are all ACSC members.
ISACA administers four certifications -- Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). Last year, the organization launched the Cybersecurity Nexus (CSX) program, which specifically targets cybersecurity skills development with research, education, certificates and certifications, and industry mentoring programs.
Is There a Shortage?
Akamai’s Ellis views the staffing challenges differently than many of his peers. "There are areas of the country where finding people with a specific seniority level is really challenging,” he says, but “that doesn’t mean that there's a shortage overall.”
It depends on your hiring criteria, and where you’re looking for talent, Ellis says. “If you say, ‘I'm looking for a CISSP,’ recruiters will find you someone. If you say, ‘I want somebody who deeply understands safety analysis,’ it's a hard problem, especially because there aren't a lot of them in the security community yet.”
Akamai’s solution is to venture outside the security community for many of its hires. The company recruits people who have done release management, or software engineering, or safety and hazard analysis, for instance. Or people who come from a different technical background entirely, such as biochemists.
While Akamai casts a wide net for security talent, one quality that’s highly valued is passion. “We look for people who are really bright, who are passionate about something,” Ellis says. It would be nice if that something was security, but it doesn’t have to be.
Admittedly, not every company has the resources to turn bright people into cybersecurity professionals. An out-of-the-box hiring approach takes extra work on the part of recruiters, hiring managers, and the people who train newcomers.
No one hire will fill all the gaps, and continuing education and training are imperative to build a strong security team. "There's no magic potion here," Stroud says. "It has to be a sustained and continuous program.”