*Disclaimer: Steve Morgan is founder and CEO of Cybersecurity Ventures.
Last summer the Cybersecurity Business Report pointed out a severe cybersecurity workforce shortage. The numbers haven't changed much since then. There are still roughly 1 million job openings in 2016 -- a figure that is expected to reach 1.5 million by 2019. The Palo Alto Research Center reports that, by 2019, the demand for cybersecurity professionals will increase to approximately 6 million globally.
Cybersecurity Ventures announced last week that the cybersecurity unemployment rate has dropped to zero percent. What does this mean for cybersecurity employers, recruiters, workers, and job hunters? A few industry experts put the cyber labor crisis in perspective and offer suggestions for filling the open positions.
Two job openings for every candidate
Cyber luminary John McAfee, founder of Future Tense Central and CEO at MGT Capital Investments (NYSE MKT: MGT), says, “The field of cyber security is the least populated of any field of technology. There are two job openings for every qualified candidate.”
Small pipeline of security talent
Robert Herjavec, founder and CEO at Herjavec Group, a Managed Security Services Provider with offices globally, says, “Unfortunately the pipeline of security talent isn’t where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats.”
Candidates don't match job specs
Gary Hayslip, deputy director, CISO for the City of San Diego, Calif., and author of the book 'CISO Desk Reference Guide, A practical guide for CISOs', says, “Organizations at times are trying to hire a unicorn – i.e. they need three people but can only hire one so they write the job specs with a huge list of disparate skill sets that most security professionals don’t have.”
Candidate, know thyself
Frank Zinghini, founder and CEO at Applied Visions, Inc. (AVI), a software developer providing cybersecurity solutions to government and commercial enterprises globally, says, "The kind of person who is comfortable sitting in a Security Operations Center (SOC) monitoring sensors and looking for attacks in real time is different from a forensic analyst who enjoys poring through log files in search of signs of an adversarial presence in the network. Similarly, those who enjoy attacking web apps to help the developers see if they left anything unsecured are not likely to be interested in (or capable of) analyzing the source code itself for patterns of weakness. These and many other disciplines are all within the realm of cyber security; anyone interested in a career in this area needs to understand the differences and choose a path that suits them."
Salary inflation and sub-par candidates
Cyber Security Executive Recruiter Veronica Mollica, who has 14 years of experience in the field and is currently vice president of business development at CyberSN, says, "Non-existent unemployment may be good for candidates, but not for employers. While a zero-percent unemployment rate sounds optimal, it creates a lot of challenges for organizations including retention issues, salary inflation, and sub-par candidates getting jobs they are not qualified for. Companies are going to have to invest heavily in training young cybersecurity professionals who have a combination of technical, business, and soft skills as the talent gap widens."
Cyber grads entering the workforce
"I believe there’s a number of people coming out of school with cyber degrees and they can’t get jobs because of minimal experience," says Hayslip. "Whether they like it or not they need to take those entry-level positions and mature as a security professional. Just because you have a degree doesn’t equate to a high-paying position – you have to work for it and many times that means you take the junior positions and get experience."
U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs last year. These (entry-level) positions offer a median annual salary of approximately $90,000, and pay more than six figures in New York, California, and Virginia, according to the U.S. Bureau of Labor Statistics. BLS states that employment of information security analysts is projected to grow 18 percent from 2014 to 2024.
Recruiting cyber experts at hacking conferences
“The U.S. currently possesses the largest and most talented pool of cyber security specialists in the world,” states McAfee, referring to the higher end of the market which includes senior candidates possessing many years of deep domain cyber experience. "These specialists congregate multiple times each year in various locations, culminating in the annual DEF CON Conference, comprised of upwards of 50,000 specialists. These specialists compose our Hacker Community." McAfee's point? Employers should skip the job boards and send their recruiters and hiring managers to the major cyber events including the RSA Conference, Black Hat, and others.
More cybercrime creates more job challenges
While hiring practices, candidate expectations, and recruiting strategies all play into the cybersecurity unemployment rate, the biggest contributor is cybercrime. CSO recently reported a prediction that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion last year. Another CSO blog shares a forecast that the world will spend more than $1 trillion cumulatively over the next five years - from 2017 to 2021 - on cybersecurity products and services to combat cybercrime. These figures will surely lead to more unfilled jobs, and even more pressure on employers to fill them.