The unemployment rate for information security professionals is essentially zero.
For individuals with the right skills, that’s probably enough to break out the champagne – a guarantee of lifetime job security at good wages.
But organizations in general, both public and private, are stuck dealing with the very large cloud in front of that silver lining: Nonexistent unemployment means there are not enough people with the right skills to protect them from the multiple online threats they face daily.
The size, number and sophistication of attacks continue to rise, while the number of trained security professionals is not keeping up with the demand.
[ SPEAKING OF GOOD PAY Symantec CEO among highest paid chief executives ]
The “skills gap” alarm is being sounded from multiple directions. The Enterprise CIO Forum recently cited an infographic from Norwich University’s Online Information Assurance Program, which ticks off the reality in a list of statistics:
- The demand for cybersecurity pros has grown more than 3.5 times faster than the demand for other IT jobs over the past five years, and cybersecurity jobs have increased more than 12 times faster than the demand for all other non-IT jobs.
- There was a 73 percent increase in infosec job postings between 2007 and 2012 in the U.S., compared to an average increase of 6 percent in all jobs.
- Industries reporting shortages of infosec staff include: Government, 36 percent; manufacturing, 29 percent; financial services, 28 percent; retail/wholesale, 27 percent; healthcare, 22 percent.
- The U.S. Cyber Command has openings for 5,000 infosec professionals, the U.S. federal government is seeking 10,000 and the Department of Homeland Security has 600 openings.
Elsewhere, at a symposium last month on command and control and countersecurity organized by King Saud University in Saudi Arabia, Mark Goodwin, of Virginia Tech University warned the audience that, "some reports say that we have globally less than 1,000 people who are truly qualified, whereas we need over 30,000 to address the problem.”
Cisco’s 2014 Annual Security Report puts the worldwide shortage of infosec professionals at 1 million.
David Shearer, executive director of (ISC)², which has been tracking the workforce shortage for more than a decade, said it will get worse. He said he expects the gap between the demand for infosec professionals and the supply to grow to 1.5 million by 2020.
Montana Williams, senior manager, cyber security practice at ISACA (previously known as the Information Systems Audit and Control Association), said one report he read said the shortage is already at 4.5 million.
(ISC)²’s latest Global Information Security Workforce Study (GISWS) found that, “62% of nearly 14,000 respondents (up from 56% in 2013) reported that their organizations have too few information security professionals,” even though they had higher budgets to hire more people.
He said the major problem has shifted from a lack of money to, “an inability to find the right talent.
“The main issue is that technology is advancing at a far more rapid pace than our ability to secure it,” he said. “Everything from medical records to household devices to automobiles is going digital.”
One obvious question about the growing gap is why it seems to be taking both the IT industry and organizations in general, both private and public, by surprise. After all, security threats have been around for decades, and have been expanding exponentially in recent years.
Besides career security, the field also offers better-than-average pay. A recent salary survey by Computerworld found that from 2013-14, average pay had increased by 6.7 percent for CSOs, from $155,221 to $165,600; by 5.3 percent for infosec managers, from $112,509 to $118,484; and by 3.5 percent for infosec specialists, from $87,605 to $90,696. (More from that survey targeting security pros, see Money on the mind of security pros.)
Still, Bobby Dominguez, CSSO of Lynx Technology Partners, said he thinks organizations were a bit blindsided by the acceleration of attacks.
“I don’t think it was really recognized as an issue until the breaches became headline news,” he said. “You can see the steep climb coming in mid 2013, especially after the banking industry began to experience distributed denial of service (DDoS) attacks.”
He said government regulatory requirements over the past couple of years also increased demand, and then, “once the private sector became affected,” demand spiked.
But Dominguez said another reason is the increasing sophistication of attacks, which has required a “skills shift” away from “passive” security.
“The real skills gap started when security departments began to augment their programs to include malware reverse engineering, forensic analysis and threat analytics,” he said. “This was driven by the attacker’s increased use of customized, targeted attack malware and sophisticated, blended techniques that were difficult to detect among the normal noise of security events in a network.”