Cybersecurity's success is measured by silence — no news to report, no breaches to clean up and no cyberattacks to recover from.
Silence is achieved by the estimated 805,000 cybersecurity professionals in the U.S., according to an international (ISC)² survey of more than 3,200 individuals "responsible for security/cybersecurity."
(ISC)² estimates the cybersecurity workforce is 2.8 million people. "It's not an easy group to pin down, which is why it hasn't been done before. Now that we are establishing a clearer picture of what the actual scope of the challenge is, we can begin to solve the problem together as an industry," Wesley Simpson, COO of (ISC)², told CIO Dive in an email.
For professionals considering a job in cybersecurity, the outlook is promising. Not only is there a 0% unemployment rate, cyber touches on every aspect of the business, he said.
"One of the key successes cybersecurity professionals revealed in the study was that they become a go-to resource for colleagues and can raise their profile within their organizations," said Simpson.
CIO Dive analyzed recent reports on the state of cyber and IT talent. Here are some of the most interesting numbers:
145%: How much the global security workforce needs to grow to meet demand
The cybersecurity industry is fraught with limitations, including a general talent drought, lack of diversity and maturing threat actors.
The cybersecurity workforce gap in the U.S. is about 500,000 people, so (ISC)² estimates the cybersecurity industry needs a 62% talent-increase to meet business demands.
Last year about 65% of businesses reported a security staff shortage, according to the survey. The shortage in skills outranked other concerns, like strapped resources. The result? More than half of companies say they are at "moderate or extreme" risk.
IT, more broadly, is struggling. There are six hires for every 10 open technology positions, according to iCIMS' Benchmark Report on Hiring Tech Talent, based on 25 million tech applicants from January 2016 through May 2019.
The retail and telecommunication and information services industries are driving the bulk of the talent demand, according to iCIMS. Tech's net new hires eclipse the U.S.'s overall net new hires: 18% compared to 14%, respectively.
$69,000: The average salary for cybersecurity professionals internationally
When salaries are dissected across geographical location, U.S.-based talent is likely to earn about $90,000 on average, according to (ISC)². Those with certification make almost $20,000 more than those without.
In North America, security professionals with certificates make about $93,000 compared to uncertified counterparts who earn about $76,500.
Cybersecurity workers are likely to carry four security organization certifications and three security organization memberships, according to (ISC)². CISSP is the top security certification, held by 36% of professionals, followed by 26% with CISSP with concentration, 24% with CCNA Security and 18% with CCSP.
A lack of certificates shouldn't deter professionals from applying to security jobs, or hiring managers from considering their candidacy. "Not every position requires a CISSP with 5 years of experience. They need to hire for what they actually need," said Simpson.
While security analysts are among the most difficult roles to fill, software application developers are the most in-demand and make up 32% of all tech positions. Application software developers can make an average salary of nearly $107,000, according to iCIMS. But information system research scientists can earn a mean salary of almost $124,000.
2 years: How long it takes women in IT to move to cybersecurity leadership
Liz Joyce was often mischaracterized as a salesperson when her career began as a security consultant. She's now HPE's CISO.
Women make up 30% of the cybersecurity workforce, up from 11% in 2017, according to (ISC)². A higher percentage of women, 7%, are more likely to earn a top-ranking technology position, like CTO, than men.
While men unilaterally hold more IT security leadership positions, women are catching up. One-quarter of the women ascended to leadership roles in the last two years, according to a 451 Research survey commissioned by Kaspersky.
The majority of CISOs, 70%, have a difficult time finding specialized security professionals, according to 451 Research. But analysts say half the population is ignored during recruitment, referring to women.
4,570: The number of vacant cybersecurity jobs in Virginia
Virginia is the No. 1 state for cybersecurity employment, according to Comparitech. Virginia was the top-ranking state for information security analysts, per 1,000 jobs.
However, the number of vacancies has likely influenced a slow-down in salary since 2013 for the state.
The average salary for Virginia-based security professionals is just shy of $112,000. There has only been a 5.11% increase in annual salaries in five years, despite a 37% increase in employment during that time, according to the report.
Amazon has an estimated 20,000 open tech positions this year, according to iCIMS. With its new Virginia HQ2 location, the company is spending $700 million on retraining 300,000 employees.
Texas, Colorado, New York and North Carolina round out the top five states for security professionals. New Yorkers earn the highest salary at $122,000, but Utah has the highest long-term projection for roles at 50%. Utah's average salary for information security analysts, however, is nearly 7% lower than the average, coming to about $86,790.
The most prominent states for tech talent, regardless of role, include California, Florida, Texas, North Carolina and New York.
The Texas tech sector contributes nearly $142 million to its state economy. And Florida had a 5% year-over-year increase in software and web developers and top schools for IT, including University of Central Florida's Collegiate Cyber Defense team.
29%: The portion of potential hires with a background in business or engineering
As the talent gap widens, 65% of security workers intend to stick with the industry for the remainder of their careers, according to (ISC)².
"If you take a look at the growing functions that IT is involved in, security is usually a collateral duty that they are already handling, but just not getting the credit," said Simpson.
When hiring for the cybersecurity workforce, (ISC)² recommends to "level-set" on qualifications and be aware that 70% of qualified candidates will come with a title that isn't necessarily security-specific. Additionally, 29% of potential hires will have a background in business or engineering instead of computer or information science.
Only a little more than half of cybersecurity professionals had intentions of entering the security workforce while in school.
Hiring managers want more diverse backgrounds, including talent in risk management, legal, communications, accounting and other STEM majors, according to Simpson.
But looking in "their own backyard," companies can draw on existing employees "and invest in reskilling employees who already know the specific business, technology and processes."