There are not enough security specialists to fill the present openings, and some predict this shortage will worsen before it improves. The introduction of the Internet of Things will only make the situation worse. (See related blog, IoT Security: An Avalanche of Problems.)

How Bad Is It?
The 2015 (ISC)2/Frost & Sullivan Global Information Security Workforce Study estimates a global shortfall of 1.5 million information security professionals four years from now. Sixty-two percent of the nearly 14,000 survey respondents said there are few qualified information security professionals at their organizations. Additionally, Frost & Sullivan projected there would be 195,000 new information security specialists in 2015, up 6% over 2014.
The employment market analytics firm Burning Glass Technologies discovered a 91% growth in cybersecurity jobs between 2010 and 2014. In 2014, there were 238,158 cybersecurity job postings. Cybersecurity jobs account for 11% of all IT jobs. It takes 8% longer to fill cybersecurity jobs than other IT roles. Roughly 50,000 of the job postings in the U.S. requested a CISSP certification (Certified Information Systems Security Professional) and 5 years of experience for job candidates. However, there are only about 65,000 CISSP holders in the country, which leaves many more jobs than qualified specialists.
The average annual salary among the security specialists surveyed in the (ISC)2 report was $97,778. There is a difference between (ISC)2 members and other security specialists. Non-member security specialists reported an average annual salary of $76,363. The salaries among security specialists with an (ISC)2 membership averaged $103,117 annually, 35% better than non-members. The average salary growth was 2.1% for members and 0.9% for non-members.
All of the tables and charts that follow are from the 2015 (ISC)2/Frost & Sullivan market study.
The (ISC)2 survey analysis revealed changes in the areas in which security specialists are focusing their training. BYOD and cloud computing have become less important. This appears to be due to the changing threat environment. The emphasis has moved to remediating breaches. Training in incident response, forensics, and event management has increased. Use the chart below as a guide to those areas that are gaining importance so that you pursue them in your training.
Practicing as a security specialist is highly specialized and requires knowledge -- knowledge that must be continually updated. The survey respondents expressed the need for additional training. Although training and experience certainly help, the personality of the specialist also must be considered. The primary attribute needed for success in information security is a broad understanding of the security field. Some might say that a holistic view is important since the security attacks and breaches come in many forms and from many different directions. As specialists close security loopholes, the attackers change their strategies to work around them.
Communication skills are very important. You will need to explain problems and solutions to less knowledgeable people. You will also have to justify the budget for security investments clearly and in a well-organized, persuasive manner. Security is more than working in the closet or at a console. Technical knowledge, awareness, and an understanding of the latest security threats come with the territory. Compare yourself to the chart below from the survey: look for those conditions, knowledge, and traits, and improve where you see weaknesses.
All industries have gaps in their security forces. Not all the gaps are equal. Healthcare, education, and retail top the list. As you can see from the chart below, every industry is an opportunity for employment. The specialist shortage is not static. The percentage of security specialists reporting "too few" information security specialists in 2013 was 55.9%. In 2015, the number increased to 62.2%.
A similar outlook about income and shortages for the security specialist can be found in the "2016 State of the CIO Survey."
Some of my security blogs may be helpful in analyzing whether and when you want to enter the security arena: Responding to Security Incident Threats, Who's on Your Network?, Securing through Machine Learning -- Part 1, and Securing through Machine Learning -- Part 2.