Demand for IT security experts outstrips supply

Employers will pay more for certified -- and experienced -- IT security pros, studies find

Demand for information security experts in the United States is outstripping the available supply by a widening margin, according to a pair of recently released reports.

A report from Burning Glass Technologies, which develops technologies designed to match people with jobs, shows that demand for cybersecurity professionals over the past five years grew 3.5 times faster than demand for other IT jobs and about 12 times faster than for all other jobs.

Burning Glass said its report is based on a study of job postings for cybersecurity professionals placed by U.S. businesses and government agencies over the past five years.

In 2012, there were more than 67,400 separate postings for cybersecurity-related jobs in a range of industries, including defense, financial services, retail, healthcare and professional services. The 2012 total is 73% higher than the number of security jobs posted in 2007, Burning Glass said.

By comparison, the number of job postings for all computer jobs grew by about 20% between 2007 and 2012. Postings for all jobs grew by only 6% during the period.

The two most sought-after jobs by employers were information security engineers and security analysts. Close to one in three of all computer security jobs advertised last year were for information security engineers. Nearly 25% of the job postings were for security analysts.

Demand for cybersecurity professionals was especially strong in Baltimore, Dallas, Atlanta, Denver, San Diego, and Richmond, Burning Glass noted.

The number of cybersecurity jobs in each of those cities increased by more than 100% between 2007 and 2012. Large defense contractors and IT firms appear to have driven the demand increases in all of the cities except Atlanta.

Matt Sigelman, CEO of Burning Glass Technologies, said the soaring demand for information security professionals suggests that enterprises and government agencies are putting a lot more money and effort into protecting their data against attacks and compromise.

"The other thing that jumps out at me is the question of whether there is sufficient supply in the market to meet this demand," Sigelman said.

For instance, over the past two years the number of jobs requiring a Certified Information Systems Security Professional (CISSP) certification has jumped from 19,000 to more than 29,000. "When you see 10,000 new job postings in a two-year period in a field that has just over 50,000 CISSPs, there is a question of availability," he said.

Another indication of the increasing difficulty U.S. employers face in finding qualified information security professionals comes from their job posting behavior. Employers typically have to repost or duplicate security job posts almost 35% more often than other IT jobs to find someone qualified, according to Burning Glass.

"Posting behavior suggests the possibility of a particular shortage of managers and analysts with cyber security expertise," Burning Glass noted in its report.

Julie Peeler, director of ISC2 Foundation, the developer of the CISSP program, said there is no doubt that soaring demand is exacerbating an already difficult demand and supply situation for security experts.

Over the next year, Peeler estimated that there will be a need for 330,000 more IT security professionals worldwide. It's not clear that close to that many new professionals are graduating each year, she said.

A recent ISC2 Foundation survey of some 12,000 information security professionals worldwide found that a shortage of talent has had a dramatic impact on the ability of organizations to defend against or recover from a cyberattack.

"[The shortage] is causing a strain on the existing workforce," Peeler said. "They are having to work harder and longer hours."

More than half of the respondents to the ISC2 survey said the shortage is affecting the ability of their organizations to defend against cyberthreats, she said.

The growing shortage has meant better salaries for information security professionals compared to many other IT jobs.

According to Burning Glass, cybersecurity jobs on average offer a premium of about $12,000 over the average for all computer jobs -- the advertised salary for cybersecurity jobs in 2012 was $100,733 versus $89,205 for all computer jobs.

People with security certifications appeared to be getting a modestly higher salary, the Burning Glass report found. In many cases, companies appear to require security certification as a way to filter experienced candidates from the non-experienced ones, Sigelman noted.

"Demand is high, but demand in and of itself does not create opportunity" for everyone, cautioned Roger Cressey, senior vice president at Booz Allen Hamilton.

While it is true that employers are looking for more information security professionals than ever, they only want workers with long experience in areas like network security governance, policies and procedures. "You got to have the right skills set," Cressey said.

He noted that U.S. universities today are not training enough people to deal with the explosive growth in demand for IT security specialists.

Pete Lindstrom, an analyst with Spire Security, cautioned against "irrational exuberance" on the IT security job market. "The need for security professionals should not be a cause for celebration. I worry that it is more emotional reaction than warranted pragmatism," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan.
