Cyber Skills In High Demand Well Into The Future
The cybersecurity job market is wide open—if you have the skills. If you don’t, there are plenty of opportunities to get up to speed and perhaps boost future career opportunities.
Foote Partners, which tracks information technology (IT) jobs across all skill levels, projects the global demand for cybersecurity talent will climb to six million by 2019 with an expected shortfall of 1.5 million professionals. “We’re going to need as many people as possible to ‘hit the ground running’ to meet the demand,” notes Foote. “Without a doubt, a cybersecurity skills gap has developed on a global basis,” Foote notes in its recently published IT Skills and Certifications Pay Index. “The fact is, it’s going to take years to narrow this particular skills gap, but we’ll get there if the money and incentives are sufficient to get vendors, employers, and training organizations focused on the solution.”
With a lack of widely accepted definitions, descriptions, or requirements for cybersecurity positions, Foote says employers are becoming much more aware that they don’t have the right people in their security departments. “They may have good technical people who can fix firewalls and implement basic perimeter solutions,” Foote says in its study. “But what’s missing are enough of the sort of people who can make the case for cybersecurity being linked to business challenges and business developments. That’s going to be the significant weakness. The linkage between the business and the infosecurity practice is still too weak in practice despite a lot of interest in the subject.”
While some political leaders have called for increased support for developing the cybersecurity workforce, 76 percent of respondents to the Intel Security/CSIS survey say their governments are not investing enough in meeting the demand for cybersecurity jobs. And more than half of the survey’s respondents believe the cyber skills shortage is worse than talent deficits in other IT specialties, which emphasize continuing education and training.
“Government and the private sector haven’t brought enough urgency to solving the cybersecurity talent shortage” says Chris Young, senior vice president and general manager of Intel Security Group, which published Hacking the Skills Shortage in a partnership with the Center for Strategic and International Studies.
Microsoft has been very vocal about advancing the development of cybersecurity in the Internet of Things (IoT) and globally-relevant IoT standards. The company recently suggested policy actions that government might take to help promote IoT, including establishing a joint government and industry standing body to pursue guidelines for cybersecurity, and reviewing and recommending research and development funding and investment in cybersecurity.
IOT JOB RECRUITMENTS
Market projections and the rapid development of IoT products and services have become a major influence in cyber recruitment. “The emphasis on analytics is apparent and turning those analytics to address the security issues is something IoT developers are doing now,” says Janel Garvin, CEO of Evans Data Corp., another market research firm.
Gartner predicts that by 2020, more than 25 percent of identified attacks in enterprises will involve IoT, although IoT will account for less than 10 percent of IT security budgets. Another study by AT&T, The CEO’s Guide to Securing the Internet of Things, reports that 90 percent of organizations it surveyed lack full confidence in their IoT security.
A survey of IoT “stakeholders” by the U.S. National Institute of Standards and Technology (NIST) identifies “workforce development” as a major issue in cybersecurity. (NIST recently published Networks of ‘Things,’ to define the IoT and to help researchers better understand IoT security challenges.)
GETTING WITH THE PROGRAM
One bright spot in putting a dent in the shortage of qualified cyber “talent” is the growing number of university-level and company, and even government-sponsored cyber training programs. Security certifications posted the highest gains among all IT certification categories over the last three, six, and 12 months, according to Foote data.
Cisco Systems recently announced that it plans to cut 5,500 jobs in a corporate-wide shift to higher-margin software programs, including security. In the weeks before the announcement, Cisco posted 88 “software engineering jobs in security” on its Careers website, and said it would invest US $10 million in a two-year Global Cybersecurity Scholarship program to help close the security skills gap. Cisco will offer training, mentoring, and certification that align with Security Operations Center Analyst industry job requirements. Cisco also recently introduced a Cyber Ops Certification to its portfolio of security certifications and revised its Cisco Certified Internetwork Expert (CCIE) Security Certification to address new expert-level skills.
Stanford University has added a new course in network security to its online Stanford Advanced Computer Security Certificate program and updated its emerging threats and defenses course to reflect the latest knowledge. Brown University has launched a 16-month Executive Master in Cybersecurity program starting in the fall 2016 for “highly driven individuals” with five to 15 years of professional and managerial experience. Stevens Institute of Technology in New Jersey now features an undergraduate program in cybersecurity in its computer science curriculum.
Boston University offers a Master’s in Computer Information Systems with a concentration in security that is certified by the Committee on National Security Systems under the National Security Agency’s INFOSEC Education and Training Program, and is recognized by the NSA and U.S. Department of Homeland Security (DHS). The DHS, meanwhile, has developed its own Cybersecurity Internship Program to recruit people from the nation’s top undergraduate and graduate programs. DHS interns make approximately $5,800 under the full-time 10 week program, but must be U.S. citizens and be enrolled in a Bachelor’s or Master’s degree program with a major in computer science, electrical engineering, computer engineering, software engineering, or a related discipline.
India’s National Association of Software and Services Companies (NASSCOM) is working with the Data Security Council of India and the security software firm Symantec to launch National Occupational Standards, a program aimed at creating a pool of certified cybersecurity professionals in the country. Singapore Telecommunications Limited has formed the Singel Cyber Security Institute to train new IT professionals in basic cybersecurity skills. Accenture, a global professional services company, has opened a cybersecurity center in Bangalore to offer a broad range of cyber defense services.
WHO’S HIRING (AND HOW)?
Who’s hiring? At this point, government agencies and companies big and small. According to a list published by the University of Maryland University College, which offers degrees in cybersecurity, the top 10 employers of cybersecurity professionals are (in order) Northrop Grumman, General Dynamics, Science Applications International Corp., ManTech International, PricewaterhouseCoopers, Booz Allen Hamilton, Hewlett-Packard, Dell, CACI, and Accenture.
The most in-demand cyber skills? The University of Maryland identifies firewalls, network security, Linux, Unix, CISA, cryptography, transmission control protocol/Internet protocol (TCP/IP), system and network configuration, and scanners as the focus of much of its curriculum.
Where do you find this much sought after cybersecurity talent? One strategy is to just buy it. A study by The Economist Intelligence Unit, commissioned by Cognizant, calls it acqui-hiring—where companies buy other companies to acquire the talent and skill sets of their personnel rather than their products and services.
This is hardly new to technology-based industries. In August, Cambridge, UK-based ARM Holdings, which acquired Israel-based Sansa Security a year ago, added about 40 engineers to the Sansa security engineering team, and about 90 of Sansa’s engineers have joined ARM. “ARM Israel is growing rapidly and we are currently recruiting talented engineers to join our team, with a number of positions open,” says Yaron Magber, director of engineering and design center manager. Magber says the design center is heavily focused on software development with an emphasis on IoT security, “which generates a lot of interest among local engineers.” Magber says much of the focus is on embedded real-time software development on devices and coding using C and other structured languages for Linux and Android targets, through to Cloud-based Software as a Service (SaaS) technologies. “The Israeli market is highly competitive and vibrant, with many large multinationals offering compelling benefits, professional challenges, and an international atmosphere,” says Magber. “Our local HR team recruits by approaching candidates directly, and may also receive job applications via channels such as LinkedIn or the ARM website.”
Analog Devices, Inc. appears to have made a similar move with the acquisition of the Cyber Security Solutions business of Sypris Electronics LLC, which works mostly with military and other government organizations. The CSS team will remain in Tampa, FL and West Lafayette, IN and form the core of ADI's new Secure Technology Group. ADI says it expects the acquisition to create new opportunities for the company in IoT, industrial, and automotive markets.
“It is very competitive,” says Jason Taylor, chief technology officer at Security Innovation, which offers a variety of cyber services, including consulting and training through its offices in Seattle, Wilmington MA, and New Taipei City, Taiwan. “Most of our hires are job-ready, or at least 90 percent of the way there. We also hire interns who may not have any security experience but do have good CS skills and proven ability to learn quickly.”
Security Innovation job candidates must submit a resume, complete a questionnaire and a series of tests (that may include a take-home coding question), undergo a background check, a phone screen, and a series of interviews. “We’re looking for deep technical skills, a good understanding of application security and the soft skills necessary to be a good consultant and partner to our customers,” says Taylor. “In the future, we will probably need more knowledge of IoT and embedded technology.”
“GOVERNMENT” JOB OPPORTUNITIES
While you can find jobs in the field just about anywhere, the Baltimore and Washington, D.C. metro areas have some of the highest concentration of cybersecurity jobs in the United States. U.S. government agencies, such as the NSA, DHS, NIST, and the Department of Defense (DoD), and government contractors normally require that cybersecurity job applicants be U.S. citizens and have a security clearance, or can obtain one. U.S. intelligence agencies, along with the DoD (which says it hopes to hire 6,000 cybersecurity specialists in 2016), are competing with commercial contractors for cybersecurity tech talent. So is the Federal Bureau of Investigation, which is actively seeking candidates for computer scientists positions located throughout its 56 field offices. All applications must have a Bachelor's degree in computer science or Bachelor's degree with 30 semester hours in a combination of mathematics, statistics, and computer science.
The DHS is hiring cybersecurity specialists and is especially interested in people with experience in digital forensics, network analysis, system administration, computer network defense, and incident response. (More specific information is available on the US-CERT Career website or USAJOBS.com.)
The DHS has created a government-wide framework that establishes a set of standard qualifications for cybersecurity personnel for federal agencies. The program, called the National Cybsersecurity Workforce Framework, organizes specialty areas into seven categories that define tasks and skills. The framework provides a national standard to align cybersecurity education, jobs, and professional development. The DHS has also developed a Cybersecurity Workforce Development Toolkit, which provides tips and tools to plan and build an organization’s cybersecurity workforce. The Toolkit includes templates and activity checklists for recruiting and retaining cybersecurity tech talent. The DHS also maintains the National Initiative for Cybersecurity Careers and Studies (NICCS) Cybersecurity Training Catalog, which is the nation’s largest searchable repository of cybersecurity training, with access to more than 2,000 cybersecurity courses. Under the DHS Framework academic institutions and training vendors can qualify to become an approved NICCS Training Provider.
The Federal Communications Commission (FCC) has also taken more of an interest in privacy protection. FCC Chairman Tom Wheeler recently told a conference that the commission expects to become more involved in promoting cybersecurity through some form of regulation, particularly as more high-frequency bands are opened up to accommodate 5G networks, and in vehicle-to-vehicle communications. And in August, the European Commission (EC) signed a contract for a public-private partnership with the European Cyber Security Organization (ECSO) ASBL. Representing the private sector, ECSO says it will work directly with the EC to improve Europe's industrial policy on cybersecurity. While staffing plans are still not clear, ECSO will host its first working group meetings beginning in September.
MILITARY CYBER PROCUREMENTS
Not surprisingly, military interest in cyberspace is picking up, with much of the work being conducted by outside tech talent.
In March, the U.S. Marine Corps launched the Marine Corps Cyberspace Warfare Group to “perform both defensive and offensive cyber operations in support of United States Cyber Command and Marine Forces Cyberspace Command.” While the group is already active, it has joined with the U. S. Navy Fleet Cyber Command in issuing a solicitation for a contract valued at $26 million to cyber train its military and civilian employees. In July, the U.S. Navy awarded Lockheed Martin Corp.’s Space Systems unit in Sunnyvale, CA an $8.3 million contract to make cybersecurity upgrades to the Navy’s submarine-launched nuclear missiles.
The U.S. Air Force has also awarded a four-year cybersecurity training contract with a maximum value of $6.4 million to root9B, an organization of former government and military cyber operations experts.
How much can you make as a cybersecurity professional? Foote Partners’ most recent IT Professional Salary Survey update (July data) says cyber specialists are averaging $99,000 in base salary in 67 U.S. cities. Senior level specialists are averaging $117,523 with a top average salary of $147,655 in San Jose. Certified Cyber Forensic Professionals and CyberSecurity Forensic Analyst certifications are currently among the highest paying IT certifications in the entire Foote Pay Index. Noncertified cybersecurity skills also rose 6.3 percent in market value in the first six months of 2016.
About Ron Schneiderman
Ron Schneiderman is the author of Modern Standardization – Case Studies at the Crossroads of Technology, Economics, and Politics, published by John Wiley & Sons.