Forget about Java programming, web design, or mobile app development: Choosing a cyber security career and equipping yourself with the right skills can virtually guarantee you a wide selection of jobs to walk into, whenever you want, and a salary that’s well above the IT industry average.
Cyber security skills shortage
That’s because the world is facing a huge shortage of cyber security engineers of all kinds, and in a seller’s market those with the necessary skills can command a premium price for their services.
To get an idea of the scale of the cyber security skills shortage, consider this: By the end of next year, it’s predicted that one to two million cyber security jobs will remain unfilled. About six million cyber security analysts will be needed, with only between four and five million available to fill the positions.
In fact the cyber security engineer skills shortage is already becoming critical: A recent report by McAfee, Hacking the Skills Shortage, found that 82% of a group of 775 IT and cyber security decision-makers reported that they had a shortage of cyber security skills within their company.
And research carried out by Indeed.com in 2017 confirmed that although organizations are advertising cyber security analyst job postings, there are simply not enough candidates to fill those posts. In the U.S. there are only two candidates for every three job vacancies advertised, while in other parts of the world the situation is even more dire. In the UK and Ireland there is only about one candidate for every three vacancies, and the situation is deteriorating.
More recently, a report called The Life and Times of Cybersecurity Professionals, by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), found that 22% of survey respondents who had suffered a security incident over the last two years said their cyber security team was not large enough for the size of their organization, and 18% said that the existing cybersecurity team could not keep up with the workload.
All in all, that’s pretty clear evidence that IT security jobs are going to be in plentiful supply, and those with the right skills will be able to take their pick.
Above average compensation
From the perspective of potential employers, the need to find people to fill their vacancies is urgent because having an insufficient or overworked cyber security team increases the likelihood of a security breach. And organizations with a shortage of cyber security skills are tempting targets for cybercriminals looking for an easy win.
That means that businesses are going to have to offer highly competitive packages – both higher salaries and other perks and benefits – in order to persuade candidates to accept their job offers rather than rival ones.
So what kind of salary can you expect if you choose an IT security job? The U.S. Department of Labor’s Bureau of Labor Statistics says that the median pay in 2016 for an IT security analyst was $92,000 per year, or $44.52 per hour. In 2018 that figure is likely to increase to well over $100,000, or a good 10% premium over less in-demand IT staff. And that’s not including the other benefits you may be able to negotiate in order to be persuaded to accept a position.
Cyber security job openings
Cyber security is a very broad area, so it’s worth focusing on precisely which type of security jobs are likely to need filling, and the types of skills and credentials that are most in demand.
The most common job titles advertised, according to the 2014 SANS Institute Cyber Security Professional Trends Survey, include Security Analyst, Security Engineer or Architect, Security/IT Director or Manager, CISO/CSO, Systems Administrator, Network Architect or Engineer, Forensics Investigator, Auditor, Systems Engineer or Integrator.
And the types of skills that are most in demand, according to job site Monster.com, include incident handling and response, audit and compliance, firewall/IDS/IPS skills, intrusion detection, analytics and intelligence, SIEM management, access/identity management, application security development, advanced malware prevention, and cloud computing/virtualization.
Damage limitation and remediation
Anyone with penetration testing skills is also likely to be in demand as companies seek to understand their security weaknesses. But it’s also true that organizations are increasingly waking up to the fact that security breaches are going to become increasingly inevitable, and the key task of many cyber security analysts going forward will shift from security incident prevention and towards damage limitation and remediation.
“You can’t protect everything equally … we have to find a way to control only what matters,” said Earl Perkins, a research vice president at Gartner, talking to cyber security engineers at a Security & Risk Management Summit earlier this year. “Take the money you’re spending on prevention and begin to drive it more equitably to detection and response,” he added.
The implication of this is that demand for particular skills, such as incident handling and response, intrusion detection, analytics and intelligence, and network monitoring and SIEM management, that will be the key to the best jobs and the highest compensation in 2018 and beyond.
Internet of Identities
Another trend that’s likely to have implications for IT security job vacancies is the proliferation of Internet of Things (IoT) devices.
“Managing the deployment, operations, and security of all these devices will be quite challenging,” Jon Oltsik, a senior principal analyst at ESG, pointed out in a blog post in November. “Someone must figure out network access controls, connectivity, segmentation, baseline behavior, network performance implications, etc.”
ESG calls the need for identity and access management for IoT devices the “Internet of Identities” (IoI), and Oltsik says that the IoI security skills shortage will become acute very quickly. “Security teams will be responsible for IoI policy enforcement, controls and end-to-end monitoring, but this oversight may be impacted by the global cybersecurity skills shortage,” he said. “Security teams will run around like turkeys with their heads cut off as IoT devices multiply in the coming years.”
IT security certifications and education
The 2017 McAfee study also highlighted that many organizations value hands-on experience and relevant IT security certifications, but with such a shortage of cyber security engineer skills, it’s likely that many larger enterprises will be forced to train the staff they need internally, and that means that barriers to entry into IT security jobs will be low. Typical requirements for entry-level cyber security jobs are a bachelor’s degree in a computer-related field, according to the Bureau of Labor Statistics, and it’s likely that many organizations will be satisfied with that and provide on-the-job training where they can’t find people with the certifications or experience they require.
That’s not to say that certification programs are not important. That’s because cyber security has not been a part of many undergraduate courses in the past and cyber security degrees are few and far between, and although that is changing rapidly, many degree courses still do not provide specialist skills in that area. So many current cyber security engineers learn their skills through certification programs, and these will remain vital for candidates and in demand by employers.
“Continuous professional development is critical in the field of cybersecurity because the nature of the threat continuously evolves,” Diana Burley, a professor at George Washington University, told Monster.com. “Many options exist for current professionals to augment their skill set, including certificates from technical training companies, additional degrees through university study, or stand-alone hands-on courses to develop specific skills.”
Cisco and Microsoft security training certificate programs are common among all professionals looking for certification.
One final question worth asking is what kind of employers will be looking for cyber security engineers? Based on the SANS survey, the top five industries for cybersecurity professionals are Banking/Finance/Insurance, Information Technology/Management, Government (Defense), Government (Non-defense), and Consulting/Professional Services, according to Monster.com.
That means that if you are looking for information security jobs, there’s a good chance you’ll end up in the Washington metropolitan area, New York, or the San Francisco-San Jose metro area. The good news is that you’ll be paid handsomely, you’ll have plenty of extra benefits, and if the job doesn’t suit you then you’ll have no problem walking into a better one.