The cyber security jobs market has been a bright spot throughout the global recovery from the Great Recession of 2008-09. A big part of its strength has been its evolution from a field that was once limited to defense contractors, government agencies and other highly technical niches, into one that is now front and center for every industry from health care to retail.
The U.S. Bureau of Labor Statistics has has estimated that career opportunities in information security analysis are currently growing much faster than the average for other professions. Openings could increase 37 percent from 2012 levels by 2022, according to the BLS. This growth would produce more than 27,000 jobs in the sector. Average pay is also well above the U.S. median salary, at $86,170 per year.
The difficult position of dealing with cyber crime in 2015
Together, these numbers paint a picture of enterprises everywhere clamoring for cyber security talent as they attempt to protect their sensitive data from harm. But right now, many of them are struggling with this task. The 2015 U.S. State of Cybercrime Survey from professional services provider PricewaterhouseCoopers was revealing on this subject:
- Half of all boards of directors still treat cyber security as a matter confined just to IT, rather than one that merits attention from the entire enterprise.
- Almost 80 percent of respondents to the PwC survey reported that they had identified at least one cyber security incident in the last year.
- In the wake of incidents such as the data breaches at Target and The Home Depot, 38 percent of retailers and other consumer-oriented businesses increased cyber security spending by at least 20 percent over the previous year; a smaller portion of financial services providers and health care organizations did the same.
- Only 50 percent of survey subjects said that they offered periodic awareness and training programs for existing employees or security briefings for new ones.
- Enterprises still lean heavily on external help for navigating cyber security issues, with a mere 26 percent of respondents affirming that they had capable personnel on their staff.
As we can see, there is plenty of slack that can still be picked up when it comes to the cyber security practices, technologies and personnel that enterprises everywhere rely upon. The rest of this decade could see a scramble to fill critical positions – one that could put a lot of upward pressure on wages – and update network security solutions to properly guard the mix of legacy, virtual and cloud-based infrastructures at the heart of modern IT.
How will enterprises adapt to the changing cyber security jobs market?
While the long-held idea that machines will take jobs is still floating around, it hasn't come to fruition just yet. This is especially true in enterprise security, a field in which highly skilled and experienced human operators are still widely sought after. As we might expect from the BLS's numbers, the number of open positions as well as the level of pay is on the rise.
In November 2015, Peninsula Press, a division of Stanford University's Journalism Program working with BLS statistics, similarly estimated that information security professionals openings had climbed 74 percent in the past five years. That rate represents growth that is 3.5 times faster than other IT positions (with a typical $12,000 advantage in salary) and 12 times more rapid than all jobs. Despite the increase, it is not clear that supply is keeping up with demand.
The same publisher found that more than 200,000 cyber security jobs went unfilled in 2014. There are many possible reasons for this shortfall, from lack of funds to prioritization of other initiatives at the expense of hiring. Indeed, the aforementioned PwC report revealed that only 33 percent of respondents cited "new skills and capabilities" as a spending priority and a mere 15 percent prioritized redesigning their processes. Meanwhile, almost half (47 percent) cited new technologies as something they were investing in.
Another possibility for the shortage, though, is that there are not enough people out there who meet all of the criteria set out by enterprise hiring teams. A good clue that this may be the case comes in the form of bidding wars for new talent as well as extraordinary offers to keep existing personnel on the payrolls.
"The cyber security job market is on fire" Veronica Mollica, founder and executive information security recruiter at Indigo Partners, told CSO Online in 2015. "Our candidates are facing competing offers from multiple companies with salary increases averaging over 30 percent. Current employers are scrambling to retain talent with counter offers including 10 percent and higher salary increases for information security team members to remain on board."
Moreover, demand seems to be increasing, not decreasing – Peninsula Press projected that it would rise 53 percent from 2015 levels through 2018. This seemingly insatiable need for cyber security experts seems to have roots in enterprises' perceived shortages of suitable candidates on the job market. A 2014 Enterprise Strategy Group white paper, "What Corporate Boards Should Know and Do About Targeted Attacks and Advanced Threats," commissioned by Trend Micro found that 25 percent of all organizations experienced a "problematic" shortage of IT skills in 2014.
Dealing with the skills conundrum
Fortunately, the labor-related challenges in cyber security are not problems without practical solutions. While enterprises may struggle to keep pace with demand, there are plenty of steps that they can take to address their difficulties head on:
- Judging from the PwC survey results, there is plenty of money that can be invested in personnel, especially if organizations find a way to contain their technology outlays by taking up cost-effective cloud security solutions like Trend Micro Deep Security. Security budgets have been growing at a faster clip than general IT budgets, meaning that funds may become available for the critical training and awareness initiatives that are currently in such short supply.
- Cross-training is another worthwhile option. The Canadian security firm Herjavec Group has gone down this path with much success by training its technical personnel in cyber security matters. Whenever it acquires another IT services provider, the new people brought aboard can, in time, become consultants, engineers and advisers.
- Automation isn't at a level at which it could replace cyber security en masse. All the same, it can help relieve some pressure in tight staffing situations, while also powering solutions that can deal with problems at both greater scale and with superior accuracy than any manual operator/process could. The evolution of data analytics, machine learning and cloud computing will fuel the development of highly capable security software.
- Educational institutions and initiatives will also play a central role in how tomorrow's cyber security industry emerges. Groups like the National Association of Software and Services Organizations in India have focused intently on training individuals for specific positions. Post-secondary institutions such as New York University and Penn State University also offer bachelor's and/or master's degree programs in the rapidly growing information security field.
Ultimately, enterprises may feel that they have to do a lot with a little – i.e., fend off today's advanced persistent threats and other cyber attacks with a dearth of experienced personnel. Making it through this situation will require smart use of staff, investment in training and technology and knowledge of the most effective defenses against an increasingly complex threat environment.
To these ends, Trend Micro solutions such as Deep Security can help organizations stay on top of risks and free up time for already busy security personnel. Able to secure physical, virtual and cloud servers, Deep Security brings its considerable anti-malware, firewall, intrusion detection and many other capabilities to the table. It can also be deployed as either traditional software or via a cloud-based delivery model. Learn more about Deep Security on our main product page.