Shortage of security pros worsens

Cisco estimates a million unfilled security jobs worldwide.

Page 2 of 3

Benway also notes a more recent organizational trend: the convergence of what were once separate and independent enterprise risk management and security departments. “That again is a reflection of the recognition that cyber security is a business problem and not just a technology problem,” Benway says.

These changes require more manpower at all levels, industry watchers say. On the technical side, system complexity has created a need for security admins. Years of accumulating security products have left companies with dozens of products to support, oftentimes from vendors that have gone out of business or been acquired. Companies need people to maintain those systems and secure the infrastructure, Jethi says.

On the strategic side, “you need people who can do more than configure rules and policies and ‘keep the bad guys out.’ You need data scientists. You need people with different backgrounds. You need people who can look at large quantities of data and can analyze trends and are good at spotting anomalous behaviors in those data patterns,” Jethi says. “That's a very different skill set than somebody who can configure equipment.”

If there’s a silver lining, it’s for qualified job hunters. Their options abound. According to tech careers site Dice, job postings for security professionals are up year-over-year, with cybersecurity up 91% and information security up 48%.

“At the moment, if you're a cybersecurity professional, and you have the skills, it's a very good market. You can do very, very well,” Stroud says.

High salaries reflect the demand. The average IT starting salary is expected to climb 5.7% in 2015, according to Robert Half Technology (RHT). Five out of six security titles in RHT’s annual salary guide are getting larger-than-average bumps in pay for new hires:

  • Chief security officer: starting pay ranges from $134,250 to $204,750, a gain of 7.1% compared to 2014;
  • Data security analyst: $106,250 - $149,000, up 7.4%;
  • Systems security administrator: $100,000 - $140,250, up 6%;
  • Network security administrator: $99,250 - $138,500, up 5.3%;
  • Network security engineer: $105,000 - $141,500, up 6.7%; and
  • Information systems security manager: $122,250 - $171,250, up 6.6%

Certifications drive starting salaries even higher, RHT notes. In the security category, having a Certified Information Systems Security Professional (CISSP) certification adds 6%, on average, to IT salaries, while Check Point Firewall administration skills are worth a 7% bump, Cisco network administration skills add 9%, and Linux/Unix administration skills add 9% to starting pay.

The allure of compensation contributes to another staffing challenge for enterprises: turnover. It’s particularly tricky to keep top security talent. CISOs and other senior security executives leave after 2.5 years, on average, according to research from Ponemon Institute.

Qualified people at the C-level and just below – titles such as director of information security, chief security architect, chief security officer – generally come from two different tracks, says Andy Ellis, chief security officer at Akamai. There’s the mostly homegrown security pro with deep technical experience who worked his or her way up in an organization, knows everything about how that organization works, and can make that business transition.

The second type is the experienced security pro who hops from company to company. “Some of these are really astounding CISOs, they'll work a three-to-four-year stint at a company, turn it around, and that's what they love doing,” Ellis says. “They're not big fans of the maintenance, they'd rather just do that and turn it around.”

Both types are in danger of being lured to the start-up world, Ellis notes. “What I find a lot of companies are competing with is the experienced C-level folks saying, ‘I could go do this job again, or I could go be the CTO of a security company.’ There are more and more of these really good technical senior staff that are going to either be a CTO or a chief strategist or CEO of a small security startup because the payoff is so much better if they can make it work.”

Desperate measures

Just how hard is it to find people?

Benway tells the story of one global technology company whose stringent hiring standards have made it a target for poaching security talent – even before that talent shows up for work. "One of their competitors has a policy now that if this particular company makes an offer to any individual, the competitor company will offer that individual 10% more. Sight unseen, no interview necessary, because they know they've made it past that particular bar," Benway says. "That's the kind of thing some of these companies are facing."

One reason it's hard to find people is the maturity of the profession. Roles such as SAP architect or Java developer are mature, well-defined jobs with established skill sets and training protocols. By comparison, cybersecurity is relatively new, Jethi says.

Experts agree more education and training are critical to increasing the candidate ranks. “One of industry's biggest concerns, or criticisms, relative to security talent that’s coming out of colleges and universities is that ... the academic learning is terrific, but you really need hands-on experience in a cyber security environment,” Benway says.

Jethi agrees. While many colleges and universities are trying to bolster their cybersecurity curriculum, in the meantime, "there is no ready pool of talent that you can groom and train," he says. To help address this issue, Cisco is running a pilot program with Duke University and Purdue University. "We're looking for people with engineering, analytical, and data backgrounds and abilities and interest, and we're offering them internships with our security business," Jethi says. The interns work on site at Cisco’s security operations centers. "Even while they're in school, the internship allows them to get specialized exposure to the cybersecurity program."

If the pilot goes well, Cisco plans to expand the program to other universities. “They're not experts, obviously, on day one, but they start out with a much better view of what the cybersecurity world looks like and how to prepare to work in an environment,” Jethi says.

Within schools, getting students exposed to real-world conditions is a growing priority for cybersecurity educators. UMass’s Wilson notes how other fields prioritize hands-on work: “My son is a first-year medical student, but already he's doing surgeries a couple of times a week. He has lab courses and he has academic learning. He's getting hands-on experience right from day one,” Wilson says. “I think that's an area that we need to do a lot better job of, as far as cyber security is concerned.”

The Burning Glass report turned out to be a catalyst for UMass to bolster its cybersecurity academic programs – an initiative that’s being driven from the school's top leaders. The university also is boosting its research focus. Participation in ACSC is one way that UMass is partnering with industry to develop the criteria for its academic programs. “We recognize that we can't develop curriculum in a vacuum outside of industry,” Wilson says. “Collaboration is really critical to anything we do in this area."

For its part, ACSC is working to launch a fellowship program that will connect students with industry players to improve talent development. Harvard, MIT, Boston University, Northeastern University, UMass, and Worcester Polytechnic Institute are all ACSC members.

“The idea is to identify the talent within these universities, and connect them with industry members in the form of fellowships that are related to the areas of research these students are pursuing – which are also areas of interest for the industry folks,” Benway says. Once launched, the fellowship program will then feed into broader collaboration on R&D projects and solutions, he says.

More training and education also are needed for IT pros who’ve already begun their careers. There are opportunities for people skilled in incident response, for example, or risk professionals, to transition into cybersecurity roles. “People who understand the business world, and processes, and have an aptitude for technology, whether they're actually in the technology organization or not. They can be potential candidates today as well,” Stroud says.
