Cyber Security Experts Becoming Endangered Species

The cyber security expert gap is at a 12-year high. There were 314,000 cyber security jobs posted between September 2017 and August 2018, but in the U.S. we need a workforce of roughly 714,000 cyber security experts, according to the National Initiative for Cybersecurity Education.
 
In a recent TechCrunch article on this topic, site contributor Robert Ackerman wrote that companies are trying to cope with the skills shortage by turning to automation technologies like artificial intelligence (AI) and machine learning. But because these technologies are still in their relatively early stages, they cannot yet prevent cyberattacks and at best can only mitigate them.
 
Ackerman also pointed to a recent study from (ISC)², a nonprofit association of certified cyber security professionals, which found that there is a gap of nearly 3 million cybersecurity jobs globally. In fact, I wrote about the security specialist drought back in October 2015, so it appears the skills gap problem has only worsened and not improved in recent years.
 
Vulnerabilities
There are continuous threats, and they keep getting more sophisticated and harder to detect and mitigate. Software tools are continuing to become more proficient in detecting and blocking attacks, but it appears that attackers are staying ahead of the cyber security experts and their tools. There are unfilled but budgeted positions in many organizations that remain open, leaving organizations and businesses vulnerable.
 
Don’t forget that old attack procedures are still floating around and can still be devastating. Small businesses and organizations may be attacked more as a conduit to their larger business partners because they have weaker defenses and few, if any, cyber security staff. Large organizations and businesses have their hands full as they expose bigger prizes to the attackers.
 
Where’s the Budget?
The (ISC)² report states that the bigger the budget, the stronger the likelihood of filling the positions with already skilled experts. The report also discovered that cyber security is a high budget priority for 49% of respondents. Most organizations -- 55% -- expect to increase their spending, while 70% of respondents did not think their budget increase would be enough. Funding should cover recruitment, training, and career development.
 
What Does an Expert Look Like?
Experts who have a bachelor’s degree in programming, computer science, or computer engineering are preferred. Ideal candidates should also have interests in courses such as statistics and math. Employers want staff with cyber security certifications as well as experience in specialties such as intrusion detection, secure software development, and network monitoring -- all of which are in high demand, but the positions are hard to fill.
 
The “Cybersecurity Job Outlook 2019 – Part 1: Employers” report, also published by (ISC)², stated that about 7% of the cyber security experts surveyed were under the age of 29, 13% between the ages of 30 and 34, and the average age is 42. Women represent only 11% of the workforce.
 
Experts are Expensive
I checked ZipRecruiter for salaries nationwide, which showed that as of April 1, 2019, the average annual pay for cyber security jobs in the U.S. is $96,185. ZipRecruiter observed that annual salaries can be as high as $181,500 and as low as $11,000. The majority of salaries range from $60,000 to $107,000 a year in the U.S.
 
Where I live in northern Virginia, experts are making an average of $102,973 per year. Virginia ranks No. 13 out of 50 states nationwide in salaries. The difficulty is that with these high-paying jobs, stealing talent from other organizations is one of the ways you can expand your staff. On the other hand, you may lose staff to other organizations when they have higher-paying positions.
 
College or Certification?
Cyber security certificates, certifications, and degrees are all possible avenues to landing the job. You need to identify the job you want, determine the job requirements, and discover what options are available. There are steps for earning the credentials that will help you make the choice that is right for you. A good review of the many pathways to expertise can be found in CompTIA’s post, “Cybersecurity Certificates, Certifications and Degrees: How to Choose.”
 
There are four factors to consider when selecting the path you should follow:
 
  • How much IT experience do you already have?
  • How quickly do you need to obtain cybersecurity skills and credentials?
  • Are you looking for a specific job, or are you looking to increase your knowledge and your value to your employer?
  • How much can you afford to spend? Will your employer support you?
 
Grow Your Own Staff
Cyber security is not an entry-level field. Getting a bachelor’s degree in cyber security may be premature. You should gain some general IT and/or computer science knowledge and experience. You could have experience in networks or apps or data centers first, then select what area you want to pursue in cyber security.
 
Once you select where you want to focus, survey the certifications that you will need. You may find that a four-year degree program is too expensive, but you can gain the certifications after completing a community college program.
 
If you are an employer, consider training your existing staff in cyber security. They already have knowledge of your IT environment, and that will accelerate their ability to move to the cyber security position in your organization.