Cybersecurity job market to suffer severe workforce shortage

An analysis of the cybersecurity job market looking back at 2014, the first half of 2015, and projecting out to 2019, reveals some interesting figures. For instance, the top paying cybersecurity job is a security software engineer with an average annual salary of $233,333, according to a recent report from the job board Dice. That tops the salary for a CSO, which is $225,000.

But the big story in the cybersecurity labor market is a severe workforce shortage.

"The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million," stated Michael Brown, CEO at Symantec, the world's largest security software vendor. Not long before Brown's statement, the Cisco 2014 Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings, even as cyberattacks and data breaches increase each year.


The shortage of experienced cybersecurity talent may explain why a cybersecurity software engineer earns more than a CSO.

According to a recent 451 Research study, based on responses from more than 1,000 IT professionals, primarily in North America and EMEA, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5%) and inadequate staffing (26.4%). Given this challenge, only 24% of enterprises have 24×7 monitoring in place using internal resources.

The need for more cyber-workers also explains why infosecurity is considered one of the best jobs out there - for the next seven years. U.S. News and World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015. They state the profession is growing at a rate of 36.5 percent through 2022.

Don't feel bad for the CSOs who might have engineers underneath them earning more than they do. IDC predicts that "by 2018, fully 75% of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO". This will arguably push those positions higher up into the salary stratosphere.

Checking in with an experienced executive recruiter in the cybersecurity field aligns the market analysis and forecasts with what search firms, employers, and candidates are seeing. "The cybersecurity job market is on fire," says Veronica Mollica, founder and executive information security recruiter at Indigo Partners. "Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%. Current employers are scrambling to retain talent with counter offers including 10% and higher salary increases for information security team members to remain on board."

The U.S. government numbers line up with the IT analyst and research firm statistics. More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74% over the past five years, according to a Peninsula Press (a project of the Stanford University Journalism Program) analysis of numbers from the Bureau of Labor Statistics. The demand for information security professionals is expected to grow by 53 percent through 2018.

A workforce shortage means healthy salaries for experienced cyber people. The Dice report states that the top five IT security salaries are: No. 1 lead software security engineer at $233,333; No. 2 chief security officer at $225,000; No. 3 global information security director at $200,000; No. 4 chief information security officer at $192,500; and No. 5 director of security at $178,333.

Sometimes a declining market will balance the job figures when there's a labor shortage. But that won't happen anytime soon in the fast-growing cybersecurity space. The worldwide cybersecurity market is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020.

One answer may lie in cross-training IT workers and converting them to security specialists. Herjavec Group, a leading information security consulting firm headquartered in Toronto, Canada, has successfully employed the strategy. Herjavec Group acquired a few IT services companies and dabbled in storage before locking down on cybersecurity as its sole focus. They cross-trained the technical people from those acquisitions into cybersecurity. The company employs expert cybersecurity advisers, consultants, incident responders, engineers and security operations center staff - difficult positions to recruit for.

Automated security solutions from the vendor community show promise for helping to reduce the cyber staffing dilemma. "Traditional manual approaches to cybersecurity are proving to be unsustainable," said Brett Helm, Chairman and CEO of DB Networks. "Intelligent IT security automation through machine learning and behavioral analysis is faster, more accurate, and frees up skilled professionals to focus on more critical issues."

A potential strategic response in the U.S. is to send more kids to cybersecurity school. U.S. colleges and universities offer excellent cybersecurity education and Masters Degree programs - and there is clearly a burgeoning job market for graduates. But parents will need to get involved and nudge their high-schoolers to think about a career in the field.


The U.S. will have to fill its hundreds of thousands of cybersecurity positions over the next decade. The options are cross-training our IT workforce and getting more young people into cybersecurity school - or outsourcing those jobs to other countries.

Symantec is pursuing another option, which may spur a trend if it works. The National Association of Software and Service Companies (Nasscom), a non-profit trade association in the Indian information technology and business process outsourcing industry, and Symantec recently signed a pact to develop world-class, skilled and certified cyber-security professionals. The partnership will focus on developing five prioritized job roles in cyber-security along with a master training program which also has scope to fund scholarships for 1,000 women undertaking the cyber-security certification by Nasscom, according to a Nasscom statement.


Stories by Steve Morgan
