Feb 17, 2015 - 9:00am

‘We Need to Do More’: Getting Real About the Cybersecurity Skills Gap

If you were approached by a high school or college student seeking career advice, you could do a lot worse than to advise them to consider a path in cybersecurity. The job market for professionals with the technical skills to fight cyberattacks is looking more promising all the time.

In a world that runs on software, cybersecurity has become a top-level agenda item, with corporate leaders, security experts and Washington officials all the way up to the White House urging action – particularly in the past week. The steady drumbeat of media reports of data breaches at retailers, universities, health care facilities and government agencies has only served to increase the sense of urgency.

But while policymakers and corporate leaders sound the alarm, there may be too few trained technology professionals to meet the demand. Experts agree that the “cyber skills gap” is real and growing.

“We just have not been training enough people to man the defenses of every business at work, every government at work, every military mission,” White House Cybersecurity Director Cheri Caddy said at a University of Connecticut symposium in October. “We need to do more.”

A January survey of information technology professionals by the industry group ISACA found that 86 percent of the organization’s members believe there’s a global shortage of skilled cybersecurity workers. The same survey found that while nearly half believe their organizations are vulnerable to attack, only 38 percent feel prepared to respond to a cyberattack.

“As Washington calls for action, we hope they take a clear and straight-forward approach, working in close coordination with industry,” said Robert Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies. “Cybersecurity is everyone’s business, and creating a workforce trained to prevent and respond to today’s sophisticated attacks is a critical priority.”

The Cyber Skills Gap: Demand vs. Supply

According to Burning Glass, a tech placement firm that publishes various research products on industry labor trends, cybersecurity openings have grown twice as fast as other IT categories in recent years.

From 2007 to 2013, the number of job postings for cybersecurity talent grew by 74 percent, Burning Glass reports, with more than 209,000 openings posted in 2013 alone. Due to high demand, those jobs also command a 15 percent salary premium, Burning Glass notes, with an average salary of more than $93,000 (and much higher for applicants at the chief information security officer level).

That dynamic has led to a push from government, industry and the higher education sector to create new programs for training cybersecurity workers. As part of the Obama administration’s recent push on cyber policy, for example, the president called for $25 million in grant funding for cybersecurity training programs at historically black colleges. Many of these initiatives will no doubt play a critical role in helping to boost the talent pool for industry and government.

But what may make the biggest difference in resolving the cybersecurity skills gap, some experts say, may not be a policy solution, but a market solution—in the form of rising salaries for those with the needed training and qualifications.

In fact, a 2014 report from the RAND Corporation makes that case, suggesting that generous compensation packages will ultimately attract enough workers to the field to meet demand, though there may be a lag as skilled cybersecurity professionals work through the education pipeline. Indeed, a January 28 article in the Wall Street Journal reports that compensation packages for chief information security officers are rising rapidly, thanks to heavy demand for people with the skills to prevent and respond to attacks on corporate and government systems.

Cyber Attacks: Not ‘If,’ But ‘When’

Of course, an evolving market solution in the form of salary premiums doesn’t obviate the need for smarter cybersecurity policy and a constructive partnership between government and industry. And both the private and public sector need to continue to be prepared for the eventuality of a cyberattack, as industry watcher Charles McLellan suggests at ZDNet.com.

“One thing about cybersecurity is certain: it’s no longer sufficient for organizations simply to guard the network perimeter with a firewall and install antivirus software on endpoints,” McLellan writes. “[Chief security officers and chief information security officers] need to continually monitor the evolving threat landscape, and to replace an ‘if we get hacked’ mindset with a ‘when we get hacked’ one.”

For more resources on cybersecurity from the Chamber (including the free 56-page Internet Security Essentials for Business 2.0 guide), government agencies and other expert organizations, click here.

About the Author

Freelance writer