topic Very interesting certification heat map (nationwide and state specific) in Career Discussions

Very interesting certification heat map (nationwide and state specific)

tryan — Mon, 26 Feb 2018 18:12:40 GMT

While trying to determine my next certification pursuit, I found a useful (in my opinion) data site. It shows a breakout of a collection of popular certs (Security+, CIPP, GIAC, CISSP, CISA, CISM), the number of certification holders for each, and the number of job openings requesting that particular certification:

http://cyberseek.org/heatmap.html

For instance, at the national level it shows 76,413 CISSP certificate holders and 72,700 job openings requesting that certification. To me, that would indicate that the certification rate is keeping pace with the industry demand.

For CISM however, it shows 12,428 certificate holders and 23,932 job openings requesting that certification. In my mind, that would seem to indicate that if one is pursuing certifications to remain marketable and employable (such as myself), the CISM would be a wise investment as demand seems to outpace supply.

What do you think? Filtering the results to just my state showed a similar pattern.

P.S. For my fellow grizzled and cynical IT veterans, I would like to mention the fact that I have no affiliation, vested interest, or benefit from the site mentioned above. Prior to 9:00 a.m. EST on 2/26/18, I had never heard of the above site.

(Edited: Title changed during editing and I didn't catch it until now).

Re: Certificate and Certification are NOT Synonymous Terms

Irishsam — Mon, 26 Feb 2018 18:06:26 GMT

I would think the ratio of Certificate holders verses Job openings doesn't take into consideration that many of those Certified CISSP's are already in the work force. So I would still think they would be in demand. And the competition for jobs just improves the work force.

Re: Very interesting certification heat map (nationwide and state specific)

MDCole9761 — Fri, 09 Mar 2018 15:46:45 GMT

Thanks for the heatmap link! Really cool site that I had never heard of either...

I'm currently seeking work with my CISSP out of state (Florida- I'm located in Indiana currently) and this really helps to see what the market is like where I'm looking (and where I'm at). It pretty much validates that I should be looking to move to a different state as Indiana doesn't have much of a demand for cybersecurity compared to other states.

Re: Very interesting certification heat map (nationwide and state specific)

MDCole9761 — Mon, 26 Feb 2018 19:50:14 GMT

Thanks for the heat map link! Really cool site that I had never heard of either...

I'm currently seeking work with my CISSP out of state (Florida- I'm located in Indiana currently) and this really helps to see what the market is like where I'm looking (and where I'm at). It pretty much validates that I should be looking to relocate to a different state as Indiana doesn't have much of a demand for cyber-security compared to other states.

Re: Very interesting certification heat map (nationwide and state specific)

jordanpw — Tue, 27 Feb 2018 02:26:18 GMT

Very cool resource. Thanks for sharing.

Re: Very interesting certification heat map (nationwide and state specific)

Bertikus — Thu, 01 Mar 2018 07:05:29 GMT

It is a very interesting page, thank you. One question I have in reading the stats they present is: Does the 76K job openings only represent the job openings? Meaning, of the 72K CISSP holders, I would think that the vast majority of them is employed (as I am). Most in a position that requires CISSP. So are they saying that there is another 76K positions vacant that need to be filled? If so, then CISSP is clearly the way to go with many more vacancies.

Re: Very interesting certification heat map (nationwide and state specific)

MDCole9761 — Thu, 01 Mar 2018 13:39:42 GMT

As Irishsam speculated above, I would concur that it's likely the stats are showing the total number of cert holders (in this example, CISSP) vs the vacant jobs requiring a CISSP cert.

When you think about it, knowing how many certs are in an area is easy to extrapolate from certificate registration information (such as (ISC)2) and job posts by location are relatively easy to pull from job boards. What would be difficult, is knowing how many of those cert holders are employed without a lot of work and/or conducting surveys. So I would venture to say that, assuming most CISSP cert holders are employed, the # of jobs in that area reflects the true "unfilled demand" for that area.

Re: Very interesting certification heat map (nationwide and state specific)

tryan — Thu, 01 Mar 2018 14:17:21 GMT

That is correct. I think the only group that could have any level of success finding out how many certificate holders were gainfully employed would be the certification groups (i.e. ISC2). I'm not aware of any surveys they've done, but that would be great information to have.

I used this information to try and find out what certs would improve my marketability (hopefully) based on unmet demand. My logic may be flawed, but my thought process was that if there are a large number of unfilled positions looking for a certain cert, that would be a good cert to focus on.

Re: Very interesting certification heat map (nationwide and state specific)

Mcadit — Fri, 02 Mar 2018 22:42:47 GMT

That's a very interesting resource. In my state, it looks like the CompTIA Security+ is way over-subscribed, but it could be that it's an entry level certificate with many holders moving on to other certifications afterwards.

Re: Very interesting certification heat map (nationwide and state specific)

yevgeng — Mon, 05 Mar 2018 08:20:52 GMT

Thank you for sharing this link! It would be interesting to know how the data was collected. Sometimes job posting would mention certification as "preferred" and not explicitly required. Sometimes certification could also be mentioned along with other certifications (ie "must have one or more of the following: CISSP, CISM, PMP "(yes I've seen postings like that)). So the holder/opening ratio may not be indicative of market saturation but rather it would hint at brand awareness of employers and job seekers. If a lot of organizations recognize, respect and have demand for professionals with given certification, then they will advertise for it via job opening (thus increasing job market for cert). If professionals are aware and respect certain industry certification,they will attempt to earn it and then include it within their job hunting profile (thus becoming part of potential candidate pool). So, from provided data I would say that CISM is less known than CISSP and so less companies ask for it (24k vs 72k). From professional side it may be valued less than CISSP (only about 12k candidates chose to pursue it vs 76k that hold CISSP certification. And some of those people might have both!). Security+ is considered to be great entry-level certification and is relatively easy to achieve (that's probably why there are 164k Security+ certified professionals).

Re: Very interesting certification heat map (nationwide and state specific)

MarcinJkt — Wed, 07 Mar 2018 09:15:53 GMT

I feel the only thing indicated by this heatmap is a tremendous skillset gap that we are facing in the market, where it comes to managerial-level security and risk capabilities. Cool visualization, anyway - would love to see something similar for Europe

Re: Very interesting certification heat map (nationwide and state specific)

Lamont29 — Fri, 09 Mar 2018 01:24:11 GMT

I was certified CISM and CISA prior to the CISSP. I found the testing experience for the CISSP anticlimactic because of my prior preparation and knowledge. The CISM & CISSP will largely cover the same knowledge areas. The CISM seems to be a condensed version of the CISSP in my opinion.

Re: Very interesting certification heat map (nationwide and state specific)

marcosrrc — Sun, 25 Mar 2018 13:50:07 GMT

Very interesting information. I do not see any certification about Cyber Security Risk Management though.

Re: Very interesting certification heat map (nationwide and state specific)

EdmundDantes — Sun, 25 Mar 2018 19:38:16 GMT

While the numbers you cite do indicate a greater shortage of CISMs than CISSPs, I interpret them as showing both certifications are in exceptionally high demand. Think about it. If there are 76K CISSPs, and 77K CISSP job openings, the majority of CISSPs probably already have jobs and aren't looking to fill those openings. There are probably a dozen openings for each available candidate. Them CISMs have it even better.

Re: Very interesting certification heat map (nationwide and state specific)

jbetancourth — Mon, 26 Mar 2018 18:26:29 GMT

I understood the stats exactly as you did, with the job openings referring to additional positions to be filled.

And makes sense that the CISSP is the most requested certification.

Re: Very interesting certification heat map (nationwide and state specific)

mgoblue93 — Mon, 26 Mar 2018 21:04:47 GMT

@MDCole9761

> I'm currently seeking work with my
> CISSP out of state

Just curious...some of my colleagues and I have been curious about this for a while...

In your experience, the jobs your applying to, what's the breakdown for CISSPs required for private v. public sector? Are you looking for commercial work or are you looking for gov't work?

In my travels, and I'm arguably in the 2nd hottest IT market in the country, we only see having a CISSP being needed in about 3% of the private sector openings.

The public and private sector buttons on that heat map back our personal observations up.

In the public sector though, darn near everyone wants a CISSP candidate.

Thoughts?

Re: Very interesting certification heat map (nationwide and state specific)

tryan — Mon, 26 Mar 2018 21:40:04 GMT

I think that's a valid observation. The Department of Defense does require a certification for sensitive positions, and the CISSP is one of the qualifying certifications (link to PDF here). In my CISSP certification class, at least 50% were DoD employees or contractors that had to pass the test by a certain date or they would lose their position.

As a result, it's not difficult to imagine that would fuel a lot of interest in the CISSP and equivalent SANS certifications (i.e. GSLC/GCED).

I have seen a few job postings with a preference for a CISSP, or a requirement for a CISSP or similar certifications, but outside of federal contracting gigs nothing that required a CISSP.

Re: Very interesting certification heat map (nationwide and state specific)

Baechle — Tue, 27 Mar 2018 15:53:02 GMT

Here's my take in the public/private certification requirement:

Soft skills are favored for IT leaders who interact in the C-Suite over technical skills. In either public or private spaces, there is likely few technically certified professionals in the C-Suite and they're more likely to have degrees in business management than computer science. These leaders then turn around and hire more technical subordinates or issue contracts. This is where you begin to find more certifications. In larger organizations these decisions are guided by both Human Resources and Management Accountants.

Management Accountants evaluate the Cost of Quality ("CoQ") that involves assessing four areas, (a) Preventative Costs; (b) Appraisal Costs; (c) Internal Failure Costs; and (d) External Failure Costs. When we're talking about certifications we're talking about mostly (a) Preventative Costs and possibly (b) Appraisal Costs. In either the case of public or private sector organizations, the name of the game here is controlling costs. The fact of the matter is that certified professionals cost more than non-certified professionals.

Let's look at providing an opportunity for an existing employee to become certified, and support that in a continued way. A Preventative Cost includes the increased salary and benefits to retain a now-certified employee. Another Preventative Cost now also includes initial or CPE-required training costs (tuition, travel, and non-productive salary; or increases in salary to offset training costs along with increased leave to attend training). An Appraisal Cost is the cost of the examination (one or multiple attempts). Finally this is offset by the savings from reduced Internal and External Failures.

In the Private space this is notoriously hard to get people to quantify. As long as people can get to their email, business files, and the Internet then there is nothing perceptively to improve. It's not until there is a catastrophe that the Private sector actually valuates the cost of either Internal (inability to transact business) or External Failures (loss of business from poor reputation, or damages from the result of litigation). Effectively this is $0 because the perception is there is nothing wrong. So, from the Management Accountant's perspective, you are adding overhead cost for no benefit. You'll typically find someone looking for certifications in the private sector space when you have senior leaders that have been severely burned by IT failures before.

In the Public space, especially the Department of Defense, the Internal and External Failure Costs are very much quantified - sometimes quantified by loss of life and in most other cases leading to the policy that mandates baseline certification, through lost incumbent votes. Comparatively, the costs of Prevention (through initial and continuous training, and the increased costs of salary and benefits to retain that investment) and Assessment (Paying for government personnel to attend certification exams) is offset by the Internal and External Failure savings values that are very well quantified (because the law requires the government to account for expected and actual losses).

Re: Very interesting certification heat map (nationwide and state specific)

mgoblue93 — Tue, 27 Mar 2018 17:06:19 GMT

Just referencing my previous posts, when I bring up the difference between public and private, it's from the notion of how the CISSP is viewed? What does having the CISSP in a job req really truly mean for an organization?

It's NOT to suggest that only the public sector believes in having qualified people on staff. Quite the contrary as both sectors consider cyber a priority equally. Let's not get hung up on jargon either. You can have a private sector employee without a cert who is just as qualified as a public sector employee who got their cert solely as a condition of employment.

My personal opinion, the private sector doesn't care about CISSP certifications because that piece of paper hasn't shown a direct benefit (meaning $$$ -- business are in the business of making money first and foremost) to the bottom line.

> In the Private space this is notoriously hard to get people to quantify.

> In the Public space, especially the Department of Defense, the Internal

> and External Failure Costs are very much quantified

Where does that information come from?

I think Sony, Target, Equifax would like to have a word with you about the impact, publicly, about their breaches.

Re: Very interesting certification heat map (nationwide and state specific)

Baechle — Tue, 27 Mar 2018 18:26:15 GMT

@mgoblue93,

I apologize if I didn't communicate this well. I was attempting to establish why you don't see such a high number of job postings requiring or requesting certain IT certifications when compared to government. I will address each of your points below.

Just referencing my previous posts, when I bring up the difference between public and private, it's from the notion of how the CISSP is viewed? What does having the CISSP in a job req really truly mean for an organization?

The CISSP and any other certification, degree, or diploma is an Appraisal Cost for an organization of its service capability. It serves as a method of examining the service provider (employee or contractor) and determining if they posses a baseline set of knowledge.or aptitude. It then permits an organization to decide, as a result of that baseline if additional Preventative Costs are required by training existing service providers, or replacing them with more capable service providers.

It's NOT to suggest that only the public sector believes in having qualified people on staff. Quite the contrary as both sectors consider cyber a priority equally. Let's not get hung up on jargon either. You can have a private sector employee without a cert who is just as qualified as a public sector employee who got their cert solely as a condition of employment.

I apologize if I stated somewhere that a certification causes someone to be qualified. What I was trying to convey was that a certification program is a way for an organization to appraise if their service providers meet basic training and knowledge requirements.

My personal opinion, the private sector doesn't care about CISSP certifications because that piece of paper hasn't shown a direct benefit (meaning $$$ -- business are in the business of making money first and foremost) to the bottom line.

I agree with you. When an organization wants to make a change, hopefully they do it using real information. Typically this is done with the assistance of a Management Accountant who conducts a Cost of Quality ("CoQ") assessment. The question to be answered here is, "Does requiring our service providers to be certified increase retained earnings?" The problem in many organizations is that the estimated savings from a reduction in Internal and External Failures is hard (or takes too much time and effort) to assess - or the estimate is that the impact to the brand will be minimal or temporary enough to outweigh the cost of adding additional controls.

> In the Private space this is notoriously hard to get people to quantify.

> In the Public space, especially the Department of Defense, the Internal
> and External Failure Costs are very much quantified

Where does that information come from?

I am talking about estimating the savings in preventing Internal or External Failures before they happen, rather than quantifying the loss after it happens.

The difference between the public and private arenas are, that the public space has an entire (Intelligence) community that assesses and reports on their threats, and has had a regulatory or administrative requirement to appraise their capabilities to defend against them for ages. The private sector is only just catching up with the requirement in certain specific sectors such as the introduction of regulations that impact baseline computer security such as HIPAA. In the case of an organization subject to HIPAA for example, t is entirely reasonable to assume obtaining the services of a certified specialist in healthcare IT security has a return on investment in reducing Internal/External Failure Cost such as through avoiding litigation and civil penalties.

The concepts that I'm referring to here are part of the Common Body of Knowledge for the Institute of Management Accountants ("IMA"), blended with the Risk Management portion of the CBK for the CISSP under (ISC)^2.

I think Sony, Target, Equifax would like to have a word with you about the impact, publicly, about their breaches.

You are kind of making my point. There is an interest in increasing security after the costs are established from a realized security incident. What was the certification and training requirement for their IT and Security staff, and what was their estimated savings from Internal/External Failure Costs from implementation of certification prorgams before they calculated the losses from their breeches?