Market expansion adds to cybersecurity talent shortage

Cybersecurity job openings: 1 million in 2016; 1.5 million by 2019.

Editor’s note: Steve Morgan is the Founder and CEO at Cybersecurity Ventures.

Cybersecurity Ventures recently reported worldwide spending on cyber defense products and services is forecast to exceed $1 trillion for the five-year period from 2017 to 2021 — driven by the dramatic rise in cybercrime, the ransonware epidemic, the refocusing of malware from PCs and laptops to smartphones and mobile devices, the deployment of billions of under-protected internet of things (IoT) devices, the legions of hackers-for-hire, and the more sophisticated cyber-attacks launching at businesses, governments, educational institutions, and consumers globally.

The market expansion will add to the cybersecurity workforce shortage, which is expected to reach 1.5 million cybersecurity job openings by 2019, according to the most recent Cybersecurity Jobs Report. An analysis of employment data in the report provides various insights into the current and future labor pool.

  • Cybersecurity workers can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers, according to Burning Glass Technologies.
  • According to a report from DICE, a leading IT job board, the top five IT security salaries are: No. 1 – lead software security engineer at $233,333; No. 2 – chief security officer at $225,000; No. 3 – global information security director at $200,000; No. 4 – chief information security officer at $192,500; and No. 5 – director of security at $178,333.
  • The top U.S. chief information security officer (CISO) jobs pay annual salaries exceeding $400,000. The leading cities — by salary — are: San Francisco; New York; Washington, D.C.; Los Angeles; and Chicago.
  • IDC predicts that “by 2018, fully 75 percent of chief security officers (CSO) and chief information security officers (CISO) will report directly to the CEO, not the CIO”. This will arguably push those positions higher up in to the salary stratosphere.
  • “The landscape of cyber risks is so widespread and evolving that forward-thinking (public) companies are seeking a new leader – a chief risk officer (CRO) – who will oversee all areas of risk exposure: IT risk, physical security, personnel security and protection of assets – including intellectual and reputational capital, stated Jeremy King, founder at Benchmark Executive Search. The chief risk officer will be the most in-demand position over the next five years – a single leader who can create a culture of security, map organizational structures and set budgets.”
  • On a per-capita basis, the leading states for cyber hiring are Washington, D.C., Virginia, Maryland, and Colorado; all have high concentrations of jobs in the federal government and with related contractors.
  • Last October (2015), the U.S. government began hiring 6,500 new cybersecurity IT professionals. It has hired 3,000 so far, and plans to hire another 3,500 by January 2017, the White House said.
  • Only 11% of the world’s information security workforce are women, according to the Women’s Society of Cyberjutsu (WSC) — a 501(c)3 non-profit passionate about helping and empowering women to succeed in the cybersecurity field. WSC states that 50% of professional occupations in the U.S. are held by women, and that 25% of computing occupations in the U.S. are held by women. The small representation of women in cyber is a big opportunity for them to enter a field with a severe labor shortage.
  • African Americans are underrepresented in the cybersecurity field. According to data from the United States Department of Labor which publishes the Bureau of Labor Statistics (BLS), ‘Black or African-American’ people make up only 3% of the information security analysts in the U.S. The International Consortium of Minority Cybersecurity Professionals (ICMCP) and the International Colloquium for Minorities In Cyber Security (MICS) are two organizations devoted to promoting career opportunities for African Americans and other minorities in cybersecurity.


In response to the labor crunch, the field of managed security services firms is rapidly expanding. Market researcher Gartner reports the IT security outsourcing segment recording the fastest growth (25%) in its Information Security, Worldwide Forecast — which was updated in the first quarter of 2016. As CISOs remain challenged around recruiting security talent, they are increasingly turning to third parties for help.

Cognitive computing is coming to the cybersecurity industry, and it holds out hope to reduce some of the labor burden faced by corporations and governments. Cognitive computing is the simulation of human thought processes in a computerized model. Cognitive computing involves self-learning systems that use data mining, pattern recognition and natural language processing to mimic the way the human brain works. IBM – a major player in the cognitive space — announced earlier this year it would be bringing its Watson platform to the security market later in 2016.

While cognitive and other technologies including cyber analytics are aimed at automating tasks and finding threats which are currently handled by humans — the cybercrime wave is expected to keep the pressure on enterprises who must figure out how to recruit cyber defenders or cross-train IT staffers into those roles.

What does it all mean?

Looking at the market expansion and job figures, what’s the takeaway? Simply put, the cybersecurity labor shortage is going to get worse before it gets better, and employers need to prepare.

Women and minorities represent an untapped resource, but they need to be proactively recruited and embraced by the cyber community.

IT workers can be cross-trained, but that supposes they are eager to make the switch — and willing to potentially step down to entry-level security positions before working themselves up to more lucrative pay.

Managed security providers and IT security outsourcing firms are challenged around recruiting as their businesses scale, and many regulated corporations can not hand off their security management so easily.

College Grads?

Wait, we forgot about college grads — cyber’s new market entrants. Surely they will help make a big dent in the labor shortfall – no? Not so fast. Students are graduating from the top 10 U.S. computer science programs without taking a single course on cybersecurity. There’s a large influx of tech grads, but they are not necessarily cyber grads.