A global skills shortage is creating a rapid spike in salaries, exacerbating an already critical issue

If you follow my blog at all, you know that I am quite passionate about the cybersecurity skills shortage and its ramifications. Just to put this issue in perspective, ESG research indicates that 46 percent of organizations claim they have a “problematic shortage” of cybersecurity skills in 2016 as compared to 28 percent in 2015 (note: I am an ESG employee). Yup, the ESG research seems to indicate that things are getting worse on an annual basis, and ESG isn’t alone in this belief. For example:

- According to Peninsula Press (a project of the Stanford University Journalism Program), more than 209,000 U.S.-based cybersecurity jobs remained unfilled, and postings are up 74 percent over the past five years.
- Analysis of the U.S. Bureau of Labor Statistics indicates that the demand for cybersecurity professionals is expected to grow 53 percent by 2018.
- Adding to this trend, Computerworld research indicates that more than half of security managers expect their organizations to increase cybersecurity headcount this year, adding more pressure to the pot.

It’s clear that we face a classic economic conundrum where demand far exceeds supply. Consequently, the skills shortage has led to an inevitable consequence—rapid salary inflation for cybersecurity professionals. A recent article in CSO online (author’s note: well worth reading) illustrates this trend, claiming that information security managers’ compensation went up by 6.4 percent from 2015 to 2016—more than any other IT job. Organizations are also actively boosting infosec salaries to retain their current staff. In fact, just over three-fourths of security professionals surveyed by Computerworld said their base salary increased over the past year. In spite of these increases, however, 68 percent of infosec professionals say “higher compensation” is still the top reason for changing jobs.
Salary inflation is even more pronounced when it comes to CISOs. One CISO I spoke with recently claimed compensation for his skill set seems to be increasing at about 40 percent per year. In my humble opinion, this is an untenable situation that continues to degrade. If lots of the best cybersecurity professionals go to work on Wall Street or in Silicon Valley, overall systemic risk will skyrocket, well beyond an acceptable level. There is no quick fix to this problem, but I do have a few suggestions:

- Large organizations should get much more involved with local universities and cybersecurity professional organizations. The goal? Cooperative investment, training, mentoring programs, internships, etc. Think of this as a community investment.
- CISOs should build their own training programs to recruit, grow and train junior cybersecurity employees and even non-IT professionals. Smart CISOs will do this in cooperation with other local organizations in the same boat.
- Washington has offered a lot of talk and little action on this national security issue. Yes, programs such as NICE, the National Cybersecurity Workforce Framework, CyberCorps, NSF grants and NSA Information Assurance scholarships are helpful, but we need a coordinated national strategy here. This should be a high priority for the 45th president, whoever that is.
- Security leaders such as Cisco, Fortinet, HP, IBM, Intel Security and Symantec should be commended for their individual programs for cybersecurity education and training. Nevertheless, I’d like to see these leaders work collectively as an industry, pool some resources and try to make a bigger dent in this problem.

We’ve misclassified the cybersecurity skills shortage as an industry problem when it’s actually a national security issue. We need to address this with a strategic plan that cuts across academia, governments, the industry and cybersecurity professional organizations.
Throwing more compensation at cybersecurity professionals is simply counterproductive and unsustainable.