Read the White Paper - Evolve Security Academy

Cyber Security Talent Shortage & Industry Dynamics
WHITE PAPER
January 2017
THE PROBLEM
PERSONNEL SHORTAGE
The demand for skilled cyber security talent is outstripping supply. In 2014, there were 238,158 unfilled cyber security jobs
in the United States. Cyber security job postings have grown 91% from 2010 to 2014, a growth rate that is 3.3x more than
all other IT jobs. Cyber security jobs also take 24% longer to fill than all IT jobs and 36% longer than all jobs.
Figure: Growth in Job Postings (2010-2014). Cyber Security: 91%; All IT: 28%.
Figure: Job Posting Duration (2013). Cyber Security: 45 days; All IT: 36 days; All Jobs: 33 days.
Source: Burning Glass – Job Market Intelligence: Cyber Security Jobs, 2015.
Source: Burning Glass – Job Market Intelligence: Report on Growth of Cyber Security Jobs, 2014.
As we can see, the supply of skilled security professionals is limited and only expected to worsen over the next five years.
The demand for cyber security professionals is expected to reach 6 million (globally) by 2019 with a projected shortfall of
1.5 million. This imbalance will drive higher demand for Cloud security, Managed Security Service Provider Services
(“MSSP”), Security Information and Event Management (“SIEM”) solutions, and integrated security adoption as
organizations look for ways to manage their network security infrastructure more efficiently, either by offloading these
responsibilities to third-party MSSPs and/or by managing security tools more efficiently. Evolve is focused on
training and staffing individuals within these service lines to meet the imminent demand.
Figure: Demand-Meeting Projections for Security Professionals (U.S. or Global)
Year: Demand / Supply-Constrained Projections / Skilled Labor Shortfall
2014: 3,568 / 3,400 / 168
2015: 3,972 / 3,593 / 379
2016: 4,416 / 3,796 / 620
2017: 4,908 / 4,007 / 901
2018: 5,424 / 4,227 / 1,197
2019: 5,963 / 4,456 / 1,507
Source: Bank of America Merrill Lynch – Cyber Security Primer (January 8, 2016). Information Security workforce study 2015.
UNSUSTAINABLE INCREASE IN SALARIES
In 2014, employers posted 49,493 jobs requesting a CISSP certification, when there are only 65,362 CISSP holders
nationwide, of which practically all are already employed. This example illustrates that employers have been forced to
“poach” talent from other companies in order to satisfy their labor needs. In order to lure talent away from other
organizations, exorbitant salaries must be offered. The average salary for information security analysts is $92k, which is 9%
greater than all IT jobs.
Figure: Average U.S. Salaries in Information Technology (2014). Categories: Help Desk Support, Web Developers, Network Administrator, Computer Programmers, Information Security Analyst, All IT. Chart label: Select IT Occupations Feeders into Cyber Security.
Source: U.S. Bureau of Labor Statistics (May 2014) for Computer Occupations (15-11000).
INCREASED THREATS TO SMALL AND MEDIUM BUSINESSES
Sixty-two percent (62%) of known security breaches were targeted at small- to medium-sized companies and 60% of those
affected will go out of business within 6 months, according to the 2013 Verizon Cyber Crime Survey. The largest
misconception of Small and Medium Businesses (“SMBs”) is that they are unaware of the risks. Cyber Streetwise reported
that 66% of SMBs simply didn’t believe they were at risk from a cyber-attack. The National Cyber Security Alliance has found
shocking statistics showing the careless attitude towards security, with 45% of smaller companies providing no internet
safety training to employees even though 69% handle sensitive information. IPSOS research found that 69% of the 6.5
million small companies in the U.S. are unaware of the risk and cost of data loss through cyber-attacks. The average cost
of a security breach on an SMB is around $47,000, according to Kaspersky, an anti-virus software manufacturer, and
Statista shows that cybercrime cost SMBs over $781 million in the U.S. in 2013.
INDUSTRY DYNAMICS
GROWTH IN INFORMATION SECURITY
Enterprise security spending growth is expected to outpace total IT spending by more than 2x as the threat landscape
continues to evolve and expand. An annual study performed by Verizon shows that since 2013, the numbers of Security
Incidents and Data Breaches have increased 70% and 242%, respectively.
Figure: Security Incidents (2013-2015). 2013: 47,000; 2014: 63,437; 2015: 79,790.
Figure: Data Breaches (2013-2015). 2013: 621; 2014: 1,367; 2015: 2,122.
Source: Verizon Data Breach Investigation Reports.
Note: A Security incident is defined as any event that compromises the confidentiality, integrity, or availability of an information asset. A Data Breach is defined
as an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.
According to a study conducted by FireEye, a forensics and malware protection security company, 90% of companies have
been breached, and the average breach goes undetected for 205 days. Once attackers pierce the perimeter, they have free
rein to compromise sensitive data, especially since internal networking equipment (i.e. switches and routers) is generally
not secure.
Global spending on enterprise information security in 2015 was estimated at $79 billion and is expected to reach $110
billion by 2019. The recent surge in spending in 2014 and 2015 has been mostly reactionary due to the higher frequency of
notorious sophisticated attacks. Organizations will prioritize security budgets on solutions that are focused on offering tools
and services that help to improve manageability, such as SIEM and MSSP. Longer term spending will then be focused on
solutions that provide detection and prevention using advanced threat intelligence. Each of these focus areas will require
sophisticated cyber security professionals to manage the security programs, solutions, and technologies, which is where
Evolve is focused.
Figure: Enterprise Information Security Spending ($ in billions). 2013: $62; 2014: $68; 2015E: $79; 2016E: $86; 2017E: $93; 2018E: $101; 2019E: $110.
Source: Gartner, Bank of America Merrill Lynch – Cyber Security Primer (January 8, 2016). Information Security workforce study 2015.
CURRENT TRAINING MODEL IS BROKEN
The most severe challenge to the information security profession relates to the education versus experience conundrum.
Many companies hiring in the cyber security industry today have a personal preference to hire based on experience and are
not concerned with what degree or certification one has. James Arlen, a Senior Consultant at Leviathan Security Group,
adamantly believes that the industry needs to stop equating education with experience. Arlen stated that "it is too hard for
the average organization to hire actual qualified people – degrees, certifications and fudged resumes do not magically
create qualified people." It is experience with attacks and perhaps even unsavory hacking hobbies that can make the
difference between filling a job with a talented defender, or with a salesman who has a pedigree but no grasp of the devil-in-the-details meat of cybersecurity.
TRADITIONAL EDUCATION (COLLEGES AND UNIVERSITIES)
Traditional schools are not equipping their graduates with the tools necessary to secure these high paying cyber security
jobs. Traditional education (colleges/universities) curriculum focuses on theory and design versus providing real-life hands-on project experience. College courses are also very expensive and take a long time to complete. One year in an information
security or computer science program at a college costs 2x-3x more than an immersive bootcamp program and takes 2x
longer to complete. Many individuals are willing and capable of entering the industry but do not have the luxury to go back
to college for a 4-year bachelor’s program or even a 2-year master’s program. Evolve provides an intense fully immersive
alternative to acquiring the necessary skills to enter the cyber security industry in a timely fashion.
Figure: Cost Comparison. Evolve ($10,000) versus UIC*, Devry* and DePaul*.
* Equivalent to one-year tuition in IT related program (15 credit hours per semester)
Figure: Time Comparison. Evolve: 17 Weeks; College (1-year): 36 Weeks.
Note: Evolve's 17 weeks includes 4 weeks of remote and 13 weeks of in-person.
CERTIFICATIONS
Currently, the most popular form of training in the cyber security industry involves obtaining various kinds of certifications
(i.e. CISSP, CISA, CEH, CISM, etc.). Historically, certifications have been the industry standard to determine qualifications in
the industry, but this perspective has shifted in recent years as employers have realized that certifications alone do not
guarantee quality talent. The chart below shows that employers are not valuing the possession of certifications
as much as they may have in the past. Individuals without a certification are at times earning more in the form of bonuses
than their certified counterparts, showing that employers place more value on work performance than they do on
certifications.
Figure: 10yr Change in Premium Pay for Certified vs. Non-Certified Individuals. Y-axis: Premium Pay as % of Base Pay. Series: Certified (357 IT Certifications); Non-Certified (392 noncertified IT skills).
Source: Foote Partners, LLC February 26, 2015 News Release.
The leading criticism of certifications is the lack of experience that comes with obtaining one. Training for
certifications is focused on “teaching to the test” and on specific areas or technologies, and fails to provide applicable
project experience in order to deliver a well-rounded cyber security educational experience. Amongst employers,
Certified Information Systems Security Professional (“CISSP”) certification holders are the highest in demand, mostly
because the CISSP also requires five years of industry experience. Even though employers are requesting 49,493 CISSP
certification holders, there are only 65,362 CISSP holders in the country, of which most are already employed.
Figure: Certification Job Postings vs. Holders (2014). Series: Postings, Holders. Certifications: CISSP (49,493 postings; 65,362 holders), CISA, CISM, GIAC GSEC, SSCP, CIPP, GIAC GCIH, GIAC GCIA.
Source: Burning Glass – Job Market Intelligence: Cyber Security Jobs, 2015.
Various forms of training for security certifications are also very
expensive. The SANS Institute (“SANS”) is the leader in security
certifications training and offers courses lasting 2-6 days that cost
~$850 per day. For example, SANS provides training for the CISSP
exam that lasts for 6 days and costs $5,000 (not including travel,
lodging, or cost of exam). This cost of training is 3.4x more
expensive than Evolve and provides no hands-on experience,
real-world project experience, or job placement services. SANS
has been able to charge premium rates because they have been
the only cyber security training company in the industry to date.
Figure: Cost Comparison. Evolve: $10,000; SANS Institute*: $34,000.
* Equivalent of $850 a day for 8 weeks of training.
BOOTCAMPS ARE THE SOLUTION
For the past 5-10 years, the technology industry has experienced an alarming labor shortage of programmers and
developers. According to a U.S. jobs report from the Bureau of Labor Statistics, the U.S. was adding an estimated 136,620
jobs per year from 2010 to 2012, and graduating about 40,000 computer science degrees each year, creating a gap of
roughly 100,000 jobs a year. Currently there are 607,708 open computing jobs nationwide, and still only 42,969 computer
science students graduating each year. This gap is expected to continue to widen as our nation unrealistically attempts to
solve the problem by attempting to fill the traditional pipeline by urging people to pursue computer science degrees.
Various types of “coding” bootcamps emerged several years ago and have shown success in helping fill the open computer
jobs and close the labor shortfall gap. In 2015, there were 16,056 graduates from 67 of the larger bootcamps in the country.
89% of these graduates were placed into a job within 120 days and experienced an average 38%, or $18,000, increase in
their salaries.
Figure: Graduates of Coding Bootcamps vs. Computer Science Graduates. Bootcamp Graduates: 2,098 (2013); 5,987 (2014); 16,056 (2015). Est. computer science graduates per year: ~45,000.
Source: Course Report – 2015 Coding Bootcamp Market Size Study.
As seen from the success of the current coding bootcamps, obtaining practical and hands-on training has been proven
effective in the marketplace. Employers are becoming much more focused on hiring individuals that have applicable
experience and demonstrate competency in their craft, rather than just relying on degrees and certifications as a proof of
ability.