jmccumber
Newcomer III

Cyber Workforce Shortfalls

OK - we've all seen the statistics, projections, and analyses.

How do you feel about the projected shortfalls in our cybersecurity workforce? Are there really over 600K positions unfilled? How is this number assessed? Do "most" CISOs and other senior security talent rake in salaries north of US$500K per annum?

I fear some of what we are seeing in the media is rehashed FUD statistics reminiscent of the days when every virus outbreak or insider threat was costing business billions in losses.

What say you?

Mc

34 Replies
Hacker
Newcomer II

@jmccumber

Send me the link to apply 🙂

Care to share the article where you read this information?

Cyber Security Officer
Web: QUE.com
jmccumber
Newcomer III

Hey, Hack,

Here's an article from Forbes last year that tops out around $380K.

https://www.forbes.com/sites/stevemorgan/2016/01/09/top-cyber-security-salaries-in-u-s-metros-hit-38...

I remember seeing one where the $600K number was floated, and immediately reached out to a US Government CISO friend, and we both had a good laugh. We both were looking where to apply. Let me do some digital archaeology and see if I can dig it up.

Mc

Altonac
Newcomer I

I think the shortfall is actually subjective. I say this because you have all these vacant positions globally and at the same time there is a low quality of individuals available to fill the positions, hence they remain unfilled. I maintain that education and security generalists are what is needed, as there are too many security professionals specializing in too little who only meet the technical requirements and not the business end. If we can address this, then we're on our way to filling those vacancies with quality individuals.
jmccumber
Newcomer III

Altonac,

Very interesting perspective. Thanks for posting.

Mc

bobrayner
Newcomer I

It's certainly a growth industry; there has been strong demand for the skills over the last decade or two.

We work in an industry dominated by FUD (from vendors, for instance), but we learn to sort the wheat from the chaff.

Pay rates are price signals; and around the world pay rates show that there's a shortage. Here in the UK I get a fantastic day rate, even though what I do doesn't feel particularly hard.
jmccumber
Newcomer III

Bob,

Insightful comments from the UK - thanks. ...and yes, we are in the FUD-driven industry. So many service and product vendors believe the best way to force someone to write them a check is through judicious application of FUD.

I will be in the UK in two weeks at our EMEA offices.  Perhaps you could pop on over, if you're in the neighborhood.

I want you all to know, I certainly don't have all the answers. The purpose of this thread is to simply state the issue and solicit your opinions. I personally feel we place too many barriers to entry in the profession, and are strangling our own pipeline.

Mc

Hacker
Newcomer II

@jmccumber

With these salaries, I may be in the wrong industry hahaha.

Cyber Security Officer
Web: QUE.com
vistauxx
Newcomer I

One of the largest employers in this space is the Federal Government.

Opinion, observation, and NOT academically researched for publication (Please correct me):

Contractors often are paid more in salary than their Federal Supervisors. There is a natural limit of the 170s to 180s for these positions as direct labor as a contractor. There are very few instances where there is a confluence of labor quality and contracting terms / clauses where this type of salary would be permitted. My experience seems to me to be that these rates are more common due to contracting clauses rather than specifically due to labor quality.

There is a cadre of well qualified, motivated federal employees who "get it" and work hard at protecting our national infrastructure (in many ways, not just cyber). They do this at rates well below those suggested in jmccumber's posit. These rates are published. To get above 130 they are moved to management and are rarely directly involved in a hands-on manner.

IMHO there is a significant (I might argue an infrastructure-threatening) shortage of qualified "protectors". There are lots of reasons for this, not the least of which is "publication of code is more important than security", "we can fix it in version 2,3,4,5,6,7,8.04 . . . . . ". Is it interesting to you, as it is interesting to me, that the list of "Top 10" (OWASP) vulnerabilities has the top 2 as the SAME for at least 4 years running? {OWASP_Top_10-2017_(en).pdf.pdf} (the double pdf is correct).

Let's stop looking at the "black swan" salaries (those who lose their job at the first recognized breach of the infrastructure they are responsible for -- the word recognized is important here because of the significant number of unrecognized breaches still ongoing). Let's recognize that it is easy and realistic to make 110K - 120K (top 16% of salaries nationwide) with 2-3 years of experience in a challenging, interesting, lifelong learning (or you don't "get it"), nationally important, leading edge of "work anywhere you want" profession.

Altonac
Newcomer I

Vistauxx, I'm in South Africa and it's the same here. I myself am a security consultant and find the maturity and skill set of the in-house professionals somewhat lacking, hence the position I find myself in. There has to be a collaborative effort and knowledge transfer from consultant to in-house in order to make for a better security posture.