Cybersecurity job market to suffer severe workforce shortage

The shortage of experienced cybersecurity talent may explain why a cybersecurity software engineer earns more than a CSO.

An analysis of the cybersecurity job market looking back at 2014 and the first half of 2015, and projecting out to 2019, reveals some interesting figures. For instance, the top-paying cybersecurity job is a security software engineer with an average annual salary of $233,333, according to a recent report from the job board Dice. That tops the salary for a CSO, which is $225,000.

But the big story in the cybersecurity labor market is a severe workforce shortage.

“The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million,” stated Michael Brown, CEO at Symantec, the world’s largest security software vendor. Not long before Brown's statement, the Cisco 2014 Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings, even as cyberattacks and data breaches increase each year.


According to a recent 451 Research study, based on responses from more than 1,000 IT professionals, primarily in North America and EMEA, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%). Given this challenge, only 24% of enterprises have 24×7 monitoring in place using internal resources.

The need for more cyber-workers also explains why infosecurity is considered one of the best jobs out there - for the next seven years. U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015. They state the profession is growing at a rate of 36.5 percent through 2022.

Don't feel bad for the CSOs who might have engineers underneath them earning more than they do. IDC predicts that “by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO.” This will arguably push those positions higher up into the salary stratosphere.

A check-in with an experienced executive recruiter in the cybersecurity field shows that the market analysis and forecasts align with what search firms, employers, and candidates are seeing. “The cybersecurity job market is on fire,” says Veronica Mollica, founder and executive information security recruiter at Indigo Partners. “Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%. Current employers are scrambling to retain talent with counter offers including 10% and higher salary increases for information security team members to remain on board.”

The U.S. government numbers line up with the statistics from IT analyst and research firms. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics. The demand for information security professionals is expected to grow by 53 percent through 2018.

A workforce shortage means healthy salaries for experienced cyber people. The Dice report states that the top five IT security salaries are: No. 1 – lead software security engineer at $233,333; No. 2 – chief security officer at $225,000; No. 3 – global information security director at $200,000; No. 4 – chief information security officer at $192,500; and No. 5 – director of security at $178,333.

Sometimes a declining market will balance the job figures when there's a labor shortage. But that won't happen anytime soon in the fast-growing cybersecurity space. The worldwide cybersecurity market is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020.

One answer may lie in cross-training IT workers and converting them to security specialists. Herjavec Group, a leading information security consulting firm headquartered in Toronto, Canada, has successfully employed the strategy. Herjavec Group acquired a few IT services companies and dabbled in storage before locking down on cybersecurity as its sole focus. They cross-trained the technical people from those acquisitions into cybersecurity. The company employs expert cybersecurity advisers, consultants, incident responders, engineers and security operations center staff - difficult positions to recruit for.

Automated security solutions from the vendor community show promise for helping to reduce the cyber staffing dilemma. “Traditional manual approaches to cybersecurity are proving to be unsustainable,” said Brett Helm, Chairman and CEO of DB Networks. “Intelligent IT security automation through machine learning and behavioral analysis is faster, more accurate, and frees up skilled professionals to focus on more critical issues.”

A potential strategic response in the U.S. is to send more kids to cybersecurity school. U.S. colleges and universities offer excellent cybersecurity education and Masters Degree programs - and there is clearly a burgeoning job market for graduates. But parents will need to get involved and nudge their high-schoolers to think about a career in the field.


The U.S. will have to fill its hundreds of thousands of cybersecurity positions over the next decade. The options are cross-training our IT workforce and getting more young people into cybersecurity school - or outsourcing those jobs to other countries.

Symantec is pursuing another option, which may spur a trend if it works. The National Association of Software and Service Companies (Nasscom), a non-profit trade association in the Indian information technology and business process outsourcing industry, and Symantec recently signed a pact to develop world-class, skilled and certified cyber-security professionals. The partnership will focus on developing five prioritized job roles in cyber-security along with a master training program, which also has scope to fund scholarships for 1,000 women undertaking the cyber-security certification by Nasscom, according to a Nasscom statement.
