Cybersecurity Staffing Industry Report Goldgaber Research Group Prepared for Signature Consultants Updated Q4 2019

According to the U.S. Bureau of Labor Statistics, the employment of computer and information technology occupations is projected to grow 12% from 2018 to 2028, faster than the average for all occupations.3

Rise in Cyberattacks Drives Record Demand for Cybersecurity Professionals

Recruiter KPI Summary

To paraphrase Charles Dickens, the state of today’s global technology may be described as the best of times, and the most challenging of times. For example, among consumers, the digital convergence has brought unprecedented lifestyle conveniences; improvements in healthcare; and new, desirable features in homes and automobiles.

Unfortunately, these innovations have also created significant cybersecurity and privacy challenges as hackers continue to breach these systems at alarming rates. To defend themselves from cyber threats to computers, networks, mobile devices and Internet of Things (IoT), companies are acquiring the latest cyber intelligence tools to track and alert them about the newest vulnerabilities. Nevertheless, there is no substitute for qualified cyber professionals. As a result, corporations, organizations, and government agencies are struggling to hire people who know how to use the tools; understand the threats and their consequences; and have the know-how to respond to live attacks in real-world situations.

Every year in the U.S., 17,000 jobs for information security analysts go unfilled, according to CyberSeek, and jobs requesting public cloud security skills remain open for 79 days on average—longer than almost any other IT skill.1 The need for qualified cybersecurity talent isn’t going away; on the contrary, the number of cybersecurity job postings has grown 94 percent since 2013, compared to only 30 percent for IT positions overall. That’s over three times faster than the overall IT market.2

According to BLS data, employment of computer and information technology occupations is projected to grow 12 percent from 2018 to 2028, faster than the average for all occupations. These occupations are projected to add about 546,200 new jobs. Demand for these workers will stem from greater emphasis on cloud computing, the collection and storage of big data, and information security.3

An estimated 1.8 million cybersecurity jobs will go unfilled by 2022, according to research by (ISC)2.4 Companies will have to utilize creative techniques to find cyber professionals, such as contracting with staffing companies that have expertise in cyber defense, partnering with joint public-private ventures, and recruiting professionals while they are still in college.

1 CyberSeek Index, Cyberseek.
2 Recruiting Watchers for the Virtual Walls: The State of Cybersecurity Hiring, by Burning Glass Technologies, June 2019.
3 BLS Occupational Handbook Outlook: Computer and Information Technology Occupations, last modified Sept. 4, 2019.
4 “Cybersecurity Hiring — An Issue for All,” by (ISC)2, Feb. 6, 2018.

Technology’s Benefits

On the positive side of the ledger, technology is playing an important role, as people continue to rely heavily on several devices for communications, managing finances and organizing their lives. The digitization of the economy is revolutionizing the way day-to-day business is conducted on all levels of commerce, from Fortune 500 companies and financial institutions, to mom-and-pop retail stores. “Advances in computer processing, cloud computing, and smart devices are making it faster, cheaper, and easier for firms to leverage data to improve nearly every aspect of their business,” stated U.S. Securities and Exchange Commission (SEC) Commissioner Robert J. Jackson Jr. in a 2018 speech.5

By 2020, Domo estimates that for every person on earth, 1.7 megabytes of data will be created every second. Domo also reports that every minute in 2019, there are 4.5 million searches on Google, 18 million texts are sent, Americans use 4.4 million gigabytes of internet data, and 390,030 apps are downloaded.6

The new technology, including hardware, software and social media, is benefiting consumers’ lives in ways previous generations could not imagine, even in the most prescient works of science fiction. In just the past decade, constantly improving cell phones, for example, have eliminated the need for separate cameras, watches, alarm clocks, radios, GPS, and many other devices. In addition, phone applications allow consumers to use their phones for thousands of activities, including paying for goods at retailers; hailing taxis; listening to any song they desire; navigating their car; and staying in touch with people around the globe on sites like Facebook and Instagram. In short, modern life would come to a screeching halt without technology.

As part and parcel of these digital advances, computer systems and networks are becoming more and more interconnected with the fusing together of internet-enabled information, operational systems that control manufacturing, and consumer technologies; i.e., end-user products and services that include home automation and sensor-enabled automobiles. Interconnected systems include automated buildings and homes; utilities; manufacturing plants; automobiles; aircraft; oil and gas production; personal medical devices; and virtual assistants.

5 “Corporate Governance: On the Front Lines of America’s Cyber War,” Robert J. Jackson Jr., March 15, 2018.
6 DOMO: Data Never Sleeps 7.0.

The Dark Side of Interconnected Computers and Devices

Unfortunately, technological advances and the world’s interconnected computer systems continue to be threatened by global cyber threats. The critical infrastructure of the United States—including electrical power grids; financial systems; telecommunications; healthcare; transportation; water; defense; and the internet—is highly vulnerable to cyberattack. A cyberattack is defined as an attack launched from one computer or more against another computer, multiple computers, or networks.

The convergence of everything digital brings many advancements and new services such as the IoT, but can present an immense security challenge. Operational technologies are becoming more interconnected with other technology domains and that, in turn, is increasing the risk of disruption and the risk to the integrity of products and services.

Cyberattacks are a growing global menace, with almost daily reports of costly threats, hacks, attacks, or major cyber events. The sources of all these attacks are evolving from rogue programmers; to organized crime rings; to state-sponsored actors such as Russia, China and North Korea. The Identity Theft Resource Center’s 2018 End-Of-Year Data Breach Report found that there were 1,244 data breaches in 2018, with hacking being the most common form of breach. Though the total number of reported breaches was down 23 percent from 2017, 2018 saw a 126 percent increase in the number of records that contained sensitive personally identifiable information (446,515,334 records exposed in 2018 vs. 197,612,748 records exposed in 2017).7 2019 monthly reports show that in July 2019 alone, 110 data breaches occurred, exposing 104,546,381 sensitive records and an unknown number of non-sensitive records.8

On average, it takes 279 days to identify and contain a data breach, according to Ponemon Institute and IBM Security’s 2019 Cost of a Data Breach Report. The global average cost of a data breach for 2019 is $3.92 million, up 1.5 percent from 2018. This represents an increase of 12 percent over the last five years (from $3.5 million in 2014 to $3.92 million in 2019).9

7 Identity Theft Resource Center, 2018 End-of-Year Annual Data Breach Report, Dec. 31, 2018.
8 Identity Theft Resource Center, 2019 Data Breaches.
9 Ponemon Institute and IBM Security 2019 Cost of a Data Breach Report, released July 2019.

The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average and up from $7.91 million in 2018. In addition, the average cost for each lost or stolen record containing sensitive and confidential information also increased from $148 in 2018 to $150 in 2019. The study also found that the formation of an incident response team reduces the cost of a data breach by an average of $360,000.10

IBM research based on data breach report data attributes the rising expenses to the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.11

A matter of when, not if

The Identity Theft Resource Center reported that hacking, an umbrella category that includes phishing and ransomware/malware, continued to rank highest in the type of attacks included in its annual survey. Because of these alarming statistics, many cyber professionals say that it’s not a matter of if your organization’s systems will be breached; it’s when.

Companies and government agencies are more vulnerable to cyberattack now than in 1975, when just 17 percent of S&P 500 firms’ market value was tied to intangible assets. That trend has now reversed. In 2015, for example, the percentage skyrocketed to 84 percent, with many firms susceptible to theft of their intellectual capital that resides on company hard drives or in the cloud.12 Companies also have to worry about loss of brand value and customer trust as a result of breaches. The Ponemon Institute study found that breaches caused an abnormal customer turnover rate of 3.9 percent in 2019.13

10 Ibid.
11 “IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years,” July 23, 2019.
12 Intangible Asset Market Value Study 2019.
13 Ponemon Institute and IBM Security 2019 Cost of a Data Breach Report.

The High Cost of Cyberattacks

Global ransomware damage costs were $5 billion in 2017, and have since more than doubled, with an expected global cost of $11.5 billion in 2019 and $20 billion in 2021, according to research firm Cybersecurity Ventures. At the end of 2016, a business fell victim to a ransomware attack every 40 seconds. Cybersecurity Ventures predicts ransomware attacks will increase to every 14 seconds by 2019—and every 11 seconds by 2021.14

These damage cost projections are based on historical cybercrime figures, including recent year-over-year growth; a dramatic increase in hostile nation state-sponsored and organized crime gang hacking activities; and a cyberattack surface which will be an order of magnitude greater in 2021 than it is today.15

The major cyberattacks of 2017 and 2018 included the Equifax data breach, in which cybercriminals accessed approximately 145.5 million U.S. Equifax consumers’ personal data, including their full names, social security numbers, birthdates, addresses, and drivers’ license numbers, as well as some consumers’ credit card numbers.13 On March 1, 2018, Equifax announced that 2.4 million additional U.S. customers were affected by the breach.16

Another major incident was the WannaCry ransomware attack, which took over computers, encrypted the contents of their hard drives, and then demanded a payment in bitcoin to free the data. The major victim may have been the UK’s National Health Service.17

14 “Cybercrime Damages $6 Trillion by 2021,” Cybersecurity Ventures, Dec. 7, 2018.
15 Ibid.
13 “Equifax,” from Wikipedia, the Free Encyclopedia.
16 “Equifax Identifies Additional 2.4 Million Customers Hit by Data Breach,” Mar. 1, 2018.
17 “What is WannaCry Ransomware, How Does it Infect, and Who Was Responsible?” CSO, August 30, 2018.

In fact, the healthcare industry has long been a top target for cyberattacks. For the ninth year in a row, healthcare organizations had the highest cost of a breach—$6.45 million on average (over 60 percent more than other industries in the study). Healthcare companies on average pay $429 per lost or stolen record, according to Ponemon Institute’s 2019 Cost of a Data Breach Report. That’s an increase from $408, or 5.15 percent, in 2017—and nearly three times higher than the cross-industry average of around $150 per lost or stolen record.18

Fear of corporate cyber threats on the rise

These threats are now a top concern for executives. In a recent survey of risk professionals and other senior executives by Marsh and Microsoft, nearly two-thirds (56 percent) of respondents identified cyber threats as a top-five risk management priority (6 percent say it is the top risk), but only 19 percent expressed confidence in their organization’s ability to manage and respond to a cyber event, and only 30 percent have developed a plan to do so. That is roughly double the percentage who rated cyber that high in a survey Marsh conducted in 2016.19

Similarly, the World Economic Forum’s “The Global Risks Report 2019” placed cyberattacks and massive data fraud among the year’s top five risks (4th and 5th, respectively)—marking the second time two technological risks were among the top five.20

With the barrage of cyberattacks, it should come as no surprise that people who can defend companies from these threats are in great demand.

18 Ponemon Institute and IBM Security 2019 Cost of a Data Breach Report.
19 Marsh, By the Numbers: Global Cyber Risk Perception Survey, February 2018.
20 World Economic Forum, The Global Risks Report 2019, 14th Edition.

Growing Demand for Cybersecurity

With the dramatic spike in cyberattacks, changes in digital technology, and an array of new regulatory concerns, both the private and public sectors have plans to boost spending on cybersecurity, with investment in cyber defense professionals serving as a major component of these investments. Several companies have announced that they are expanding their cybersecurity budgets, including J.P. Morgan Chase, which doubled its budget to $500 million. Companies like Microsoft are investing over $1 billion annually on cybersecurity research and development and are committed to maintaining that budget in the coming years.21

In the public sector, the White House reported that they are seeking $17.4 billion of budget authority for cybersecurity-related activities for the Fiscal Year 2020 President’s Budget, which, due to the sensitive nature of some activities, does not represent the entire cyber budget.22 This is a $790 million (5 percent) increase in cybersecurity spending across all agencies for Fiscal Year 2020, which is above the Fiscal Year 2019 estimate of $16.6 billion (2019’s request was an 11 percent increase over 2018).23

In fact, 56 percent of respondents in the 2019 Harvey Nash/KPMG CIO Survey of over 3,600 IT leaders listed cybersecurity as a board priority this year, compared with 49 percent in 2018.24 25 In addition, the survey shows that more IT leaders have been reporting budget increases than at any other time in the last 15 years.26

Research firm Gartner’s annual forecast estimated that worldwide enterprise security spending would grow 8.7 percent to $124 billion in 2019, an increase from Gartner’s 2018 prediction of $114 billion.27 Gartner forecasts North America IT spending to grow 3.7 percent in 2019.28

21 “Microsoft to Continue to Invest Over $1 Billion a Year on Cyber Security” by Reuters, Jan. 26, 2017.
22 “Cybersecurity Funding,” The White House, 2019.
23 Ibid.
24 Harvey Nash/KPMG CIO Survey 2019: A Changing Perspective, June 2019.
25 Harvey Nash/KPMG CIO Survey 2018: The Transformational CEO, June 2018.
26 Harvey Nash/KPMG CIO Survey 2019: A Changing Perspective.
27 “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” Gartner Newsroom, Aug. 15, 2018.
28 “Gartner Says Global IT Spending to Grow 0.6% in 2019,” Gartner Newsroom, July 10, 2019.

Where the money is going is changing, too. “Spending is moving from saturated segments such as mobile phones, PCs and on-premises data center infrastructure to cloud services and Internet of Things (IoT) devices,” said John-David Lovelock, research vice president at Gartner.29

The driving force behind the security spending is a fear of data breaches. Gartner believes privacy concerns will drive at least 10 percent of market demand for security services through 2019 and will impact a variety of segments, such as identity and access management (IAM), identity governance and administration (IGA) and data loss prevention (DLP).30

Cybersecurity Ventures forecasts that cybercrime will cost companies $6 trillion globally by 2021, up from $3 trillion in 2015.31 As a result, they predict that global cybersecurity spending, driven by cybercrime, will exceed $1 trillion cumulatively from 2017 to 2021.32

Robust demand for cybersecurity experts

Getting additional funding to hire more workers is a major component of cybersecurity budget expansion. Sixty-five percent of IT leaders surveyed in the 2018 Harvey Nash/KPMG CIO Survey said that a lack of talent is obstructing their cyber defense strategies, the highest recorded by the survey since 2008.33

Skills shortages are at an all-time high, with 67 percent of survey respondents struggling to find the right talent, and big data/analytics, cyber security, and AI reported to be the scarcest skills.34 In (ISC)2’s 2018 Cybersecurity Workforce study, respondents (those who work in the cybersecurity field) said the cybersecurity workforce gap is their No. 1 job concern, outranking historically topmost responses such as lack of time, lack of adequate budget and lack of work-life balance.35

“Companies are having the hardest time in more than a decade finding the technology talent they need,” said Sean Gilligan, Harvey Nash’s president of technology recruitment, North America. “The need for data analysis remains the number one concern, demand increases for AI and cyber security skills, and requests for skills like cloud and mobile development remain constant. One of the growing trends we are now seeing is the client requesting professionals who have more of a hybrid of skills—someone with expertise in multiple cloud platforms, a software engineer experienced in DevOps, or a front end developer who can do mobile. Having these blended capabilities is a major asset for companies of all sizes, but it is rare.”36

29 “Gartner Says Global IT Spending to Reach $3.8 Trillion in 2019,” Gartner Newsroom, Jan. 28, 2019.
30 “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” Gartner Newsroom.
31 “Cybercrime Damages $6 Trillion by 2021,” Cybersecurity Ventures.
32 Ibid.
33 Harvey Nash/KPMG CIO Survey 2018: The Transformational CEO.
34 Harvey Nash/KPMG CIO Survey 2019: A Changing Perspective.
35 (ISC)2 Cybersecurity Workforce Study, 2018.

More than half of participants (51 percent) in the 2019 Harvey Nash/KPMG CIO Survey expect headcount to rise in 2019, 4 percentage points higher than a year earlier.37

A study by Frost & Sullivan shows that hiring managers in the fields of healthcare, retail and manufacturing are particularly interested in hiring additional cyber defense professionals, with nearly 40 percent in each sector wanting to expand their workforce by 15 percent or more.38

The public sector also needs more cyber professionals. The federal Office of Management and Budget reported that the federal government is struggling to improve its cyber defense systems: “Public and private entities have struggled to secure their systems as adversaries increase the frequency and sophistication of their malicious cyber activities.”39

The OMB found that there is little situational awareness, few standard processes for reporting or managing attacks, and almost no agencies adequately performing even basic encryption. As a result, the OMB concluded that “the current situation is untenable.”40 In addition, a June 2019 report submitted by Senate investigators accuses eight critical government agencies of failing to apply even basic defenses to cyberattacks—instead relying on outdated systems, failing to apply mandatory security patches, and ignoring well-known threats and weaknesses, some for more than a decade.41

According to Verizon’s 2019 Data Breach Investigations Report, out of 23,399 cyberattack incidents in 2018 confirmed by federal, state, and local governments, 330 were confirmed data breaches. Espionage was the motivation behind 66 percent of public sector breaches.42

Despite these growing issues, qualified candidates for cybersecurity jobs are scarce and getting scarcer, which creates a challenge for companies to properly defend themselves against threats.

36 “Tech Spending Outside IT Departments Creates Opportunities, but Opens Door to Potential Security & Consumer Trust Risks,” KPMG, June 12, 2019.
37 Harvey Nash/KPMG CIO Survey 2019: A Changing Perspective.
38 2017 Global Information Security Workforce Study: Benchmarking Workforce Capacity and Response to Cyber Risk, a Frost & Sullivan Executive Briefing.
39 National Cyber Strategy of the United States of America, The White House, Sept. 2018.
40 Coldewey, Devin. “Government Investigation Finds Federal Agencies Failing Cybersecurity Basics,” Techcrunch.com, May 30, 2018.
41 Johnson, Alex. “Federal Cybersecurity Defenses are Critical Failures,” NBC News, June 26, 2019.
42 2019 Data Breach Investigations Report, Verizon, May 2019.

Put simply, it’s a classic supply-and-demand problem, with too many vacancies for too few candidates. Statistics demonstrate that companies are struggling to hire cybersecurity workers. According to (ISC)2’s 2018 Cybersecurity Workforce Study, the shortage of cybersecurity professionals is close to three million globally.43 Nearly two-thirds (63 percent) of respondents report that their organizations have a shortage of IT staff dedicated to cybersecurity, and nearly 60 percent say their companies are at moderate or extreme risk of cybersecurity attacks due to this shortage.44

Estimates for the growth of the cybersecurity workforce

Several organizations have provided robust estimates about the growth of the cybersecurity workforce. Cybersecurity Ventures predicts 3.5 million openings by 2021; (ISC)2 estimates 1.8 million openings by 2022; and ISACA estimates 2 million openings by 2019.45 The disparity among the three estimates arises because the (ISC)2 and ISACA surveys appear to focus on “information security” jobs, and not actually “cybersecurity” jobs, which helps explain their substantially smaller figures, according to Steve Morgan, editor-in-chief of Cybersecurity Ventures.46

The number of cybersecurity job postings has grown 94 percent since 2013, compared to only 30 percent for IT positions overall: That’s over three times faster than the overall IT market.47

A growing, but still new, subset of the workforce

The cyber defense workforce estimates by CyberSeek may be low; however, it is difficult to quantify because it’s such a new labor category and there may not be accurate records yet. There are no standard job titles and many cyber pros wear multiple hats or don’t even identify as a “cyber professional.”

As Sam Olyaei, director at Gartner’s security and risk management group, says, “When it comes to security roles, there is a lack of standardization around titles, names, terminology—resulting in a lack of clear career paths. The problem, Olyaei says, is that there is no standardization around what the job titles really mean—so a security engineer at one organization could be a security architect in another organization.”48

It’s an important challenge for employers to figure out, as 62 percent of cybersecurity professionals say they want to work for a company with well-defined ownership of cybersecurity responsibilities.49

43 (ISC)2 Cybersecurity Workforce Study, 2018.
44 Ibid.
45 Morgan, Steve. “Cybersecurity Jobs Report vs Survey,” Cybersecurity Ventures, June 8, 2017.
46 Ibid.
47 Recruiting Watchers for the Virtual Walls: The State of Cybersecurity Hiring, by Burning Glass Technologies.
48 Roy, Mekhala. “Gartner: Cybersecurity skills shortage requires a new approach,” TechTarget Search Security, June 18, 2019.
49 “Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers in 2018,” (ISC)2, March 2018.

Competitive pay may be a given when it comes to employee hiring and retention, but (ISC)2’s study also shows that cybersecurity professionals care about more than just a paycheck. Sixty-eight percent want to know that the C-suite will take their opinions seriously about how to protect the organization; 62 percent want to have the ability to “protect people and data”; and 59 percent consider employee cybersecurity training, investments in emerging security technology, and a strong company code of ethics to be important.50 More than half say they would work for an organization where a breach has already occurred, but they want organizations to be upfront about their current situation so they know what they are getting into.51

Various titles for cyber defense professionals

Of the “core” cybersecurity roles, the largest current demand is for cybersecurity engineers, with 40,988 openings. Public cloud security (170 percent) and knowledge of the Internet of Things (140 percent) are projected to be the fastest-growing skills in cybersecurity over the next five years, according to a Burning Glass Technologies report.52

Five of the 10 core cybersecurity roles have average advertised salaries of $100,000 or more: cybersecurity consultants ($100,000); penetration and vulnerability testers ($102,000); cybersecurity engineers ($108,000); cybersecurity managers/administration ($115,000); and cybersecurity architects ($129,000).53

Demand for automation skills in cybersecurity roles has risen 255 percent since 2013, and demand for risk management has risen 133 percent. Cybersecurity jobs with an automation component also pay considerably more, carrying what amounts to a nearly $14,000 average annual salary premium over another role.54 However, demand for security skills isn’t limited to pure cybersecurity jobs. Increasingly, many IT roles include cybersecurity as part of the job. In fact, the largest number of cyber defense job openings (207,190) are in the category of “operate and maintain,” which includes work roles related to the support, administration, and maintenance of IT systems.55

50 Ibid.
51 Ibid.
52 “Recruiting Watchers for the Virtual Walls: The State of Cybersecurity Hiring,” Burning Glass Technologies.
53 Cybersecurity Career Pathway, CyberSeek.
54 “Recruiting Watchers for the Virtual Walls: The State of Cybersecurity Hiring,” Burning Glass Technologies.
55 Cybersecurity Career Pathway, CyberSeek.

Other job titles for a cyber defense role may include systems administrator; network architect or engineer; forensics investigator; auditor; systems engineer; or integrator. Globally, the most sought-after positions are operations and security management, with 62 percent of the workforce indicating that there are too few who occupy this position, followed by incident and threat management and forensics, at 58 percent globally.56 In fact, the latter position is in greater demand in LATAM (63 percent) and the Middle East & Africa (65 percent) than any other position.57

Computer and mathematical occupations account for six of the 30 fastest-growing occupations, and information security analysts are one of the fastest-growing cybersecurity roles, according to employment projections released by the Bureau of Labor Statistics in September 2019.58 As the BLS explains, the increasing use of mobile and connected devices will drive demand for application software developers, which are projected to experience employment growth of 25.6 percent. The increased need for robust online security will also rise as more connected devices enter homes and workplaces, and will in turn drive demand for information security analysts. The BLS projects employment of this occupation to grow 31.6 percent from 2018 to 2028, much faster than the average for all occupations.59

Public cloud security (+170 percent projected growth) and knowledge of the Internet of Things (+140 percent) are projected to be the fastest-growing skills in cybersecurity over the next five years.60

Rising salaries

Cybersecurity jobs, which account for 13 percent of all information technology jobs, take 20 percent longer to fill than other IT jobs (on average: 50 days, versus 41 days).61 The difficulty in filling these positions with qualified talent is resulting in dramatically increased salaries for key cybersecurity personnel. According to Burning Glass’s 2019 study, the average advertised salary for a cybersecurity job is now $93,540—16 percent more than the average for all IT jobs. This translates to an average salary premium of more than $12,700 per year.62

56 “2017 Global Information Security Workforce Study,” Frost & Sullivan. 57 Ibid. 58 “Employment Projections: 2018-2028 Summary,” U.S. Bureau of Labor Statistics, Last updated Sept. 4, 2019. 59 Ibid. 60 “Recruiting Watchers for the Virtual Walls: The State of Cybersecurity Hiring,” Burning Glass Technologies. 61 Ibid. 62 Ibid.


An (ISC)² study found that only 15 percent of cybersecurity professionals had “no plans” to leave their current employer.63 Considering the willingness of cybersecurity employees to jump ship—paired with a high demand for qualified workers—it’s not a surprise that many cybersecurity employees are able to name their price. A Bloomberg article shares how one of the largest U.S. companies paid $650,000 to entice a cybersecurity expert to join their team in 2012, an extremely lucrative offer at the time. In 2019, that company paid $2.5 million to fill the same role.64

According to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac, the second-highest paying tech job in 2019 is a CISO, with a salary range of $175,000 to $275,000. Fortune 500 corporations in big cities pay as much as $380,000 to $420,000 annually, and more, to their CISO.65

The Almanac also says that 100 percent of large corporations (Fortune 500, Global 2000) globally will have a CISO or equivalent position by 2021, up from 70 percent in 2018.66

Competition for cyber professionals

With the shortage of cyber professionals, it may not come as a surprise that according to ISACA’s State of Cybersecurity 2019 study, 58 percent of organizations surveyed say they currently have unfilled cybersecurity positions — only a 1 percent decrease from 2018’s findings. Nearly one-third (30 percent) say it takes at least three months to fill a cybersecurity vacancy, a 5 percentage point increase from 2018, and 32 percent say it takes six months or more to find qualified candidates (an increase of 6 percentage points from 26 percent in 2018).67

Analyzing the data holistically reveals that over 60 percent of respondent organizations experience at least three months of unfilled cybersecurity positions when hiring new staff.68

63 “Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers in 2018,” (ISC)². 64 Melin, Anders. “Cybersecurity Pros Name their Price as Hacker Attacks Swell,” Bloomberg, Aug 7, 2019. 65 Morgan, Steve. “2019 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics,” Cybersecurity Ventures, Feb. 6, 2019. 66 Ibid. 67 State of Cybersecurity: 2019, ISACA. 68 Ibid.


Importance of cyber recruiters

Executives want to hire additional cyber defense professionals to cope with increased cyberattacks, but many are concerned that traditional hiring methods will not solve the issue of filling open positions.

The problem is simple. A typical in-house recruiter is well equipped to hire for standard jobs like accountant or auditor, but cybersecurity jobs are much more specialized. An in-house recruiter may struggle to look for candidates who have the skills required for a penetration tester, an application security engineer, an authentication and authorization specialist, a network security engineer, an intelligence analyst, or a security threat and countermeasures specialist.

Some companies try to assist recruiters by having them search for certain certification requirements, such as the CISSP or Security+. The problem with that strategy is that some of the most talented employees in the security field eschew certifications in favor of hands-on knowledge. When asked about the most important qualifications for employment, for example, 49 percent of organizations said “relevant cybersecurity work experience,” while only 43 percent responded “cybersecurity certifications.”69

For that reason, many corporations are turning to niche recruiters to quickly obtain talented information security professionals for either full-time positions or temporary roles until the problem is fixed. At that point, their employees return to their normal routine, but that can take weeks, months or even years.

69 (ISC)² Cybersecurity Workforce Study, 2018.


The Rapid Growth of Staffing Agencies

The U.S. staffing industry as a whole is forecasted to grow 4 percent in 2019, and 2020 forecasts show 3 percent growth, equating to $157.8 billion.70 Forty-five percent of IT staffing revenue is generated in the U.S., according to Staffing Industry Analysts’ IT Staffing Growth Assessment: 2019 Update, with a forecast of 3 percent revenue growth in 2019, representing the 10th consecutive year of expansion. IT employment growth has achieved the greatest market penetration relative to other segments in the Americas, where it accounts for 41 percent of professional staffing.71

“Digital business transformation is driving investment in IT projects and workers, particularly those with specialized IT skills,” said Brian Wallins, a senior research analyst at SIA and author of the IT staffing report.72

As the SIA explains, “We anticipate secular tailwinds to continue to support temporary IT staffing growth in the U.S. beyond 2019. Nevertheless, we project a slight deceleration to 3 percent growth in 2020, largely due to moderating economic growth, as reflected in consensus GDP forecasts.”73

Staffing companies placed about 3.23 million temporary and contract workers on average each week in 2018, up 1.4 percent from 2017, according to the American Staffing Association. This represents a record high average weekly number of staffing employees for any year since the inception of the ASA Staffing Employment and Sales Survey in 1990.74

Demand is on an upswing for temporary IT staffing as buyers demand the flexibility to tap into these specialized skills, while still managing costs. While a shortage of high-level IT talent creates greater demand for staffing services, it has also resulted in acute recruiting challenges, according to Wallins.75

70 U.S. Staffing Industry Forecast: April 2019 Update, Staffing Industry Analysts, April 19, 2019. 71 “IT Staffing Growth Assessment: 2019 Update,” Staffing Industry Analysts, April 3, 2019. 72 Ibid. 73 “U.S. IT Temporary Staffing Growth Outlook Gets Upward Revision,” Staffing Industry Analysts, April 30, 2019. 74 “Staffing Employment Sets Record High in 2018,” American Staffing Association, Mar. 14, 2019. 75 “Growth Assessment Provides Annual Update on the Global State of the IT Staffing Market,” Staffing Industry Analysts, Feb. 21, 2018.


For the employer, contracting with a staffing agency also eliminates many of the costs and much of the work of vetting, hiring and keeping employees. Working with an agency also provides the company with more staffing flexibility to deal with market volatility. In turn, that helps the company avoid layoffs and the associated unemployment insurance costs.

When employers use a staffing agency they have the opportunity to ascertain if there is a good relationship with the employee before offering him or her a permanent position. Employees benefit by gaining new on-the-job skills and attaining quicker entry to the workforce.

In addition, temporary workers working with a staffing agency often receive offers of full-time work. According to American Staffing Association’s Staffing Industry Statistics, America’s staffing companies hire nearly 17 million temporary and contract employees during the course of a year. One-third (35 percent) said they were offered a permanent job by a client where they worked on an assignment, and two-thirds (66 percent) of those accepted the offers of permanent employment.76

76 “Staffing Industry Statistics,” American Staffing Association.


Reasons for Cyber Professional Shortage

Several factors are causing the shortage in cyber professional positions, according to (ISC)² research. First, cybersecurity careers remain relatively novel. Almost 90 percent of cybersecurity professionals begin their careers in another line of work.77

Students who are interested in a technology career are usually more interested in web or mobile app development, rather than protecting an organization from cyberattacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula, and the cybersecurity field matures.

Hiring practices are also problematic. When demand far exceeds supply, even the best recruiters will struggle. However, drawn-out and protracted hiring processes may be compounding the problem by discouraging jobseekers, leading them to find employment elsewhere. In a highly competitive market, hiring must be quick and efficient.

Another issue is that too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate. When candidates were asked what about a job description shows them an employer doesn’t understand cybersecurity, they cited descriptions that were vague, included insufficient or excessive qualifications, or required advanced certifications for entry-level positions.78

Employers may also have unrealistic expectations. They need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)² research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. In a 2018 (ISC)² survey, only about one-third of respondents said their company pays for all of their cybersecurity training, yet as previously mentioned, they also found that investment in cybersecurity training is important to the majority of cybersecurity professionals when it comes to working for, and staying with, an employer.79

77 “Cybersecurity Hiring—An Issue for All,” (ISC)², Feb. 6, 2018. 78 “Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers in 2018,” (ISC)². 79 Ibid.


In addition, women are underrepresented in the ranks of cybersecurity. (ISC)² took a more holistic look at who is truly doing the work of cybersecurity in its 2019 Women in Cybersecurity Study, and found that women working in cybersecurity now account for 24 percent of the overall workforce.80 Though this is a significant increase from 2017 estimates of 11 percent, it is still comparatively low.

Though men outnumber women in the cybersecurity field by three to one, more women are joining the field and forging a path to management. Higher percentages of women than men are reaching positions such as CTO; vice president of IT; IT director; and C-level executive.82 Despite this, 17 percent of women said they earned $50,000 to $99,999, a full 12 percentage points less than men (29 percent).81 As the report points out, these successes are important for both female cybersecurity professionals and future generations, as they will help encourage other women to enter the field and chisel away at the worldwide cybersecurity skills shortage—and the pay disparity that still exists.

Cisco’s John Stewart, senior vice president and chief security and trust officer, said in his keynote at 2018’s RSA Conference that Women in CyberSecurity and Girls Who Code are examples of groups that are working to close the skills and diversity gap.

Another group employers cannot afford to ignore is Generation Z (comprised of those born starting in the mid-1990s): These digital natives now make up 25 percent of the workforce.82 Gen Z are used to getting information quickly and conveniently, so employers should consider this in their recruitment efforts. Members of this generation are characterized as diverse, community-minded, entrepreneurial, and pragmatic. They value job security, salary, and benefits; face-to-face and offline relationships; daily communication with the boss; and independent skill development.83

80 Cybersecurity Workforce Study: Women in Cybersecurity: Young, Educated, and Ready to Take Charge, (ISC)², 2018. 81 Ibid. 82 “Generation Z in the Workforce” (Infographic), Concordia University. 83 Ibid.


Other Creative Ways to Find Cyber Professionals

Many organizations—including the federal government, which has been under fire for its ability to adequately defend against cyberattacks—are testing creative ways to compete for technologically savvy cybersecurity candidates in a highly competitive market.

The Department of Homeland Security receives thousands of applications each year, but still struggles to find enough workers to fill its 11,000-plus cybersecurity positions, according to FedTech Magazine. To combat this, the DHS developed a three-part method to find qualified candidates. First, they defined which of their job needs are related to cybersecurity in non-IT areas, to ensure they were focusing on their most critical needs. Second, they advertised their cyber jobs in go-to sources for the cyber community like trade magazines; attended cyber conferences and events; scanned online resumes to identify top candidates; and filled their pipeline with college and high school students through internships. Third, they hosted webinars featuring front-line employees to help candidates get a sense of a day in the life of a cybersecurity employee, and broke out their “coolest toys,” including the president’s limo, canine teams, and FEMA response vehicles.84

As a result of their three-tier strategy, the agency was able to make job offers to 300 candidates on the spot at a hiring event and hire another 350 shortly after. Results like this have significantly expedited the agency’s normally slow hiring process.85

In other areas of the federal government, the Health and Human Services Department, which protects the personal health information of one out of every three Americans, was struggling with an 18 percent vacancy rate in cybersecurity positions. They put together a 90-second commercial to sell candidates on HHS’s mission, and included it as a link in many of their job postings. They also found and tested non-IT professionals and recent college graduates for competency and aptitude, then trained them for specific cyber jobs once they were hired. In addition, they retrained current, non-IT workers who were interested in a cyber career with the agency in order to fill cybersecurity positions.86

It’s clear from these trends that cybersecurity is moving more rapidly, and in more directions, than anyone may be able to predict. Titles are evolving, requirements are shifting, and finding the right candidates is often a team effort.

84 “Agencies Should Think Creatively to Find Cybersecurity Pros,” FedTech Magazine. By Heather B. Hayes, Nov. 9, 2018. 85 Ibid. 86 Ibid.


As Deshini Newman, managing director EMEA at (ISC)² said, “The cybersecurity challenge of combating threats with the right people and the right skills is a relentless one. It is just one reason why organizations must maximize their ability to entice and keep talented and qualified individuals from all corners of society. Bringing new ideas, experience, alternative thinking and approaches to the table, as part of a broad selection of skills, experience and backgrounds can inspire, motivate and help organizations to find innovative solutions to today’s IT and security concerns.”87

87 “(ISC)² Study Reveals a Third of Businesses are Boosting Diversity in IT/ICT and Cybersecurity to Attract and Retain Top Staff,” (ISC)², June 04, 2019.