Security hiring challenges have worsened over the last several years. Threats are more numerous and more sophisticated; security breaches are more publicized; and CEOs, CIOs and CISOs are being held accountable for damaging hacks. It’s no surprise companies are working harder to find, hire and retain experienced security pros.
A turning point was the TJX breach in 2006, which led to data-breach disclosure legislation and increased scrutiny of corporate data-handling practices, says Larry Wilson, information security lead in the University of Massachusetts President’s Office. From then on, demand for security pros “really started to accelerate.”
Data from Boston-based labor analytics firm Burning Glass highlights the spike in demand: cybersecurity job postings grew 74% from 2007 to 2013, which is more than twice the growth rate of all IT jobs. The labor pool has yet to catch up. U.S. employers posted 50,000 jobs requesting CISSP credentials in 2013, a year in which the population of CISSP holders numbered 60,000, Burning Glass said in its 2014 report.
“The size and scope of the problem has grown dramatically as the threat has increased and as we've seen more high-profile breaches,” says Charlie Benway, executive director of the Advanced Cyber Security Center (ACSC), a nonprofit consortium of industry, university, and government organizations. “Executive management and boards of directors are now recognizing that cybersecurity is not just a tech problem, it’s a business problem. We're starting to see more executive-level emphasis on cybersecurity, more resources coming into cybersecurity, across all industry sectors. That has definitely increased the demand for cybersecurity folks.”
“It’s probably 10 to 12 times harder to find cybersecurity professionals than it is to find general IT professionals,” says Rashesh Jethi, a director in the services group at Cisco, which last year pegged the number of unfilled cybersecurity jobs around the world at 1 million.
Enterprises are definitely feeling the pain. Eighty-six percent of organizations polled by ISACA believe there’s a shortage of skilled cybersecurity professionals. Not only that, most companies feel they’re at risk. Just 38% of ISACA members believe their organization is prepared for a sophisticated cyberattack.
The lack of preparation stems, in part, from an overall shift in security strategies. The ubiquity of technology has driven enterprises away from a perimeter defense model and toward an approach that combines intrusion prevention with functions such as risk assessment, threat mitigation, and incident response, says Robert Stroud, international president of ISACA, a nonprofit association that advocates for information security, risk management and governance professionals.
“We can't protect against every threat, so what happens once we've discovered something, some unusual behavior? How do we react?” Stroud says. “Organizations are now attempting to add to the skills they need to cover this gap. When you've got everybody in the world realizing they need to do something and going to the market, it leads to a skills shortage, especially when we haven't been training people with these skill sets necessarily.”
Robert Stroud, international president of ISACA
Just as security tactics have changed, so too has security leadership.
In the past, security was typically IT’s domain, “part of something you did in infrastructure or in networking,” Jethi says. Today, more companies have a chief security officer (CSO) or a chief information security officer (CISO) who’s explicitly responsible for security.
“Increasingly they are no longer part of the CIO organization but they are a separate, independent entity that is responsible for cybersecurity and often reporting directly to the COO or the CEO of the company,” Jethi says. “It never got relegated to that level of significance or importance” until the nature of threats changed dramatically “and you started seeing a lot more visible impacts to customers, businesses, and executives.”
Benway agrees. Today a majority of ACSC’s member organizations, which Benway acknowledges tend to be relatively mature in their security development, have a CISO, and most have established specific security teams. “I have seen a definite trend toward establishing specific security teams vs. IT being dual-hatted with IT operations and security,” he says.
UMass is a good example. “The day-to-day running of the technology is in our IT department,” Wilson says. “But looking at the policies, looking at the risks, looking at the threats, looking at incidents or indicators of a compromise, that's a dedicated security team. That's how we’ve done it.”
Benway also notes a more recent organizational trend: the convergence of what were once separate and independent enterprise risk management and security departments. “That again is a reflection of the recognition that cyber security is a business problem and not just a technology problem,” Benway says.
These changes require more manpower at all levels, industry watchers say. On the technical side, system complexity has created a need for security admins. Years of accumulating security products have left companies with dozens of products to support, oftentimes from vendors that have gone out of business or been acquired. Companies need people to maintain those systems and secure the infrastructure, Jethi says.
On the strategic side, "you need people who can do more than configure rules and policies and 'keep the bad guys out.' You need data scientists. You need people with different backgrounds. You need people who can look at large quantities of data and can analyze trends and are good at spotting anomalous behaviors in those data patterns,” Jethi says. “That's a very different skill set than somebody who can configure equipment."
If there’s a silver lining, it’s for qualified job hunters. Their options abound. According to tech careers site Dice, job postings for security professionals are up year-over-year, with cybersecurity up 91% and information security up 48%.
“At the moment, if you're a cybersecurity professional, and you have the skills, it's a very good market. You can do very, very well,” Stroud says.
High salaries reflect the demand. The average IT starting salary is expected to climb 5.7% in 2015, according to Robert Half Technology (RHT). Five out of six security titles in RHT’s annual salary guide are getting larger-than-average bumps in pay for new hires:
- Chief security officer: starting pay ranges from $134,250 to $204,750, a gain of 7.1% compared to 2014;
- Data security analyst: $106,250 to $149,000, up 7.4%;
- Systems security administrator: $100,000 to $140,250, up 6%;
- Network security administrator: $99,250 to $138,500, up 5.3%;
- Network security engineer: $105,000 to $141,500, up 6.7%; and
- Information systems security manager: $122,250 to $171,250, up 6.6%.
Certifications drive starting salaries even higher, RHT notes. In the security category, having a Certified Information Systems Security Professional (CISSP) certification adds 6%, on average, to IT salaries, while Check Point Firewall administration skills are worth a 7% bump, Cisco network administration skills add 9%, and Linux/Unix administration skills add 9% to starting pay.
The allure of compensation contributes to another staffing challenge for enterprises: turnover. It’s particularly tricky to keep top security talent. CISOs and other senior security executives leave after 2.5 years, on average, according to research from Ponemon Institute.
Qualified people at the C-level and just below, titles such as director of information security, chief security architect and chief security officer, generally come from two different tracks, says Andy Ellis, chief security officer at Akamai. The first is the mostly homegrown security pro with deep technical experience who worked his or her way up in an organization, knows everything about how that organization works, and can make the transition to the business side.
The second type is the experienced security pro who hops from company to company. “Some of these are really astounding CISOs, they'll work a three-to-four-year stint at a company, turn it around, and that's what they love doing,” Ellis says. “They're not big fans of the maintenance, they'd rather just do that and turn it around.”
Both types are in danger of being lured to the start-up world, Ellis notes. “What I find a lot of companies are competing with is the experienced C-level folks saying, ‘I could go do this job again, or I could go be the CTO of a security company.’ There are more and more of these really good technical senior staff that are going to either be a CTO or a chief strategist or CEO of a small security startup because the payoff is so much better if they can make it work.”