City AM Article

Cyber security: What is it and where are the jobs?
Published March 26, 2013 by Chris Harlow

One of the biggest potential threats to the security of businesses and financial institutions today is, arguably, cyber crime. A recent study by the Ponemon Institute found that over two-thirds of retail banks were hit last year by at least one Distributed Denial of Service (DDoS) attack – a common form of hacking that aims to make a machine or network resource unavailable by overloading it with information. Of the 650 IT professionals surveyed, 78 per cent think these attacks will continue or significantly increase in the coming year.

The silver lining is that employers will need to increase hiring to keep up. The global cyber security industry was estimated to be worth around $60bn (£38.5bn) in 2011 by PwC, and Global Industry Analysts Inc have forecast it to grow to $80bn by 2017.

So what are the career opportunities out there? Tim Dawes, head of the talent attraction team at Beecher Madden, says that “broadly speaking, jobs fit into one of three categories.” The first is pre-attack, which involves the testing of a company’s vulnerability to cyber attack and advice on how to improve security. The second is post-attack, and includes using forensic work to retrospectively find holes and plug them. The third is maintenance, which is focused on setting up policies and ensuring compliance. Pre- and post-attack tends to be the realm of consultants, while maintenance is usually handled in-house.

[Chart: DDoS attacks experienced by retail banks in the past 12 months. Source: Ponemon Institute]

Growing awareness of the risks posed by malicious hackers means that hiring is likely to go up over the coming years. The Sans Institute, which classifies cyber security jobs into eight categories ranging from engineering to legal, surveyed 225 IT professionals last year, and found that growth is expected across the board. The greatest increase is forecast to be in architecture, engineering and design roles, with 66 per cent expecting there to be more or many more of these positions available in the future.

The roles with the biggest salary growth, meanwhile, are predictably in those positions where the required skills are in shortest supply. For example, 96 per cent of IT executives find it difficult to recruit skilled incident management and response professionals (see graph below). Accordingly, salaries for incident managers went up by 15 per cent between March 2012 and March 2013 (IT Jobs Watch).

Recent graduates of computer science or related fields are now being advised to consider the cyber security industry as an option with excellent growth prospects. The Information Security Group at Royal Holloway University was the first to launch a Security master's degree in 1992, and is touted by many recruiters as one of the best places to go for pre-experience security education. But graduates attempting to enter the industry are often held back by a lack of experience, and there tends to be more demand for career changers from related fields.

[Chart: Difficulty in hiring by job role. Source: Sans Institute]
Categories shown:
Category 1: Strategy, policy, governance
Category 2: Risk management, verification and compliance
Category 3: Incident and threat management and response
Category 4: Operations and security management
Category 5: Engineering, architecture and design
Category 6: Education, training and awareness
Category 7: Research
Category 8: Legal

Dawes says that consultancies will seek out senior consultants with a good reputation for business development and create roles for them to fill. “We are seeing a lot of candidates being recruited into pre- and post-attack roles in this way,” he says.

Meanwhile, IT professionals may be trained up and moved internally into maintenance roles as companies aim to become compliant. Those with experience in certain areas of IT support, cloud computing and mobile device management may also find their skills and experience translate well.

But cyber security is not a universal concern among employers. The Ponemon Institute survey found that 35 per cent of banks still rely on traditional technology like firewalls to stave off attacks, rather than invest heavily in specialist security professionals. And despite the lack of talent, progression is still largely dependent on qualifications, experience and obtaining a comprehensive skill set before you can make it to the top.

Salaries of cyber security professionals in 2012

Job title                   Years of experience   Salary bands
Analyst/Associate           1-5                   £26,000-£45,000
Manager                     1-10                  £42,000-£68,000
Senior manager              4-7                   £65,000-£97,000
Director                    2-6                   £85,000-£137,000
Head of                     3-9                   £85,000-£132,000
Global head                 5-8                   £97,000-£187,000
C-level director/partner    2-7                   £150,000-£280,000

Source: Beecher Madden