Salaries remain high but cybersecurity skills gaps put organizations at risk
Unlike cloud computing, the concept of cybersecurity didn’t burst onto the IT scene in the past 10 years. Securing data has always been of the utmost importance.
From our inaugural survey to this year’s 10th annual IT Skills and Salary Report, cybersecurity has remained one of the principal IT focal points. Since 2011, security has ranked either first or second in terms of top tech interest by our survey respondents.
While cybersecurity has always been a priority, managing it has changed drastically in the last decade. IT security professionals have different responsibilities than they did in 2008.
Let’s examine the major factors affecting cybersecurity professionals today and how the field has transformed since we started surveying IT pros 10 years ago.
Demand for cybersecurity professionals
It’s rare nowadays to see a jack-of-all trades IT professional. With all of the components and assets making up the IT department and data center, the need for specialization has been heightened. There are too many moving parts to have the same individual oversee security architecture and application development.
The supply has yet to catch up with that rising demand for security specialists. According to our survey, 31 percent of IT decision-makers are struggling to find qualified cybersecurity talent, making it the most difficult hiring area for the second straight year.
“There’s clearly a shortage of true cybersecurity people in the industry,” said Dave Buster, Global Knowledge’s Senior Portfolio Director for Cybersecurity.
According to our reports, cybersecurity skills gaps started to become a real issue in 2015. Companies always planned to invest heavily in cybersecurity, but our survey respondents didn’t voice a major concern about a lack of talent until the past few years.
And it’s not like the position doesn’t pay well. Cybersecurity professionals have the highest average global salary ($87,850) and the second highest North American salary ($112,764). While high salaries typically attract the best and brightest, Buster believes IT professionals may be scared off by a misconception about cybersecurity.
“The technology isn’t as difficult as they think it is,” he said.
Buster says that cybersecurity used to be a part-time function. Now it’s a full-time job and typically makes up 5 to 10 percent of an IT department’s budget.
Rise in cyberattacks
In our inaugural 2008 IT Skills and Salary Report, we reported a record year for data security breaches. That record, it’s fair to say, has been surpassed with each ensuing year.
That’s not exactly a high score you want to beat.
Ten years ago, cyber criminals were mainly focused on website attacks. Over the course of our reporting, they’ve evolved to focus on password attacks. Then, they started hacking credit card databases and using credit card skimmers on ATMs and gas pumps. Now, they’re turning smart devices in homes, such as surveillance cameras and DVRs, against the consumer.
“We have one layer of problems; then, every couple of years we add another layer,” Buster said. “The problems don’t go away but we get better at solving them.”
Security has been top of mind for a majority of our survey respondents. Last year, a developer shared this thought when asked about the trends shaping their work:
“Security, Security, Security. With all of the hacking of company systems, every level of an IT department needs to be aware of how they can do their jobs better and make their code or the systems they administer more secure.”
The question no longer is “will my company get attacked?” The question is “when?”
We noted in our 2015 report that technologies and services shifted from incident prevention to incident response. The inevitability of cyberattacks led to this shift. Organizations are now focused more on detecting, responding and maintaining operations during an attack.
Addressing the skills shortage
As decision-makers struggle to find the right cybersecurity professionals, skills gaps have widened. Companies haven’t been able to hire their way out of their skills gaps problems. Instead, their better option is to train existing personnel. And we’re not just talking about tech employees either.
Cybersecurity is no longer solely an IT problem. Modern-day hackers are targeting humans, not machines.
Rather than hack a website or program, it’s much easier for cyber criminals to call an employee, say they’re from IT, and ask for their password. If that doesn’t work, maybe a phishing email will succeed in installing malware or stealing personal information off your computer.
Every employee in an organization should have some level of cybersecurity awareness. IT professionals should get real cybersecurity training and cybersecurity specialists should have routine, intensive training.
Security certifications are part of that rigorous training. One trend that’s remained consistent over the course of our survey is that cybersecurity certifications are some of the highest-paying in the industry.
In 2017, four of the top five highest-paying certifications are security-based-ISACA’s Certified in Risk Systems and Control (CRISC), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) and (ISC)2’s Certified Information Systems Security Professional (CISSP).
CISSP has had impressive staying power. In 2008, we listed CISSP as No. 3 on our list of 10 Tech Certifications that Actually Mean Something. It was the fourth highest-paying certification in 2008 and the third highest in 2009. It’s currently fourth with an average salary of $118,179 in the U.S. and Canada.
While we’ve reported higher average salaries for certified professionals versus their non-certified peers, certified security employees have an even greater advantage. Security-certified personnel earn an average of $103,234 compared to $90,512 for all certified professionals.
In terms of cybersecurity professionals, the average salary in the U.S. and Canada is $112,764, trailing only cloud computing. That’s a 24 percent increase from a reported average salary of $85,699 for Computer Security Specialists in 2008.
And the level of skills directly impacts compensation. Certified professionals who have risen to the level of vice president or director can make up to $63,000 more than specialist-level employees.
An educated workforce is key
Data breaches were top of mind 10 years ago and still are today. That hasn’t changed. The approach to cybersecurity, however, has shifted.
Security technology alone won’t cut it. It’s practically obsolete soon after purchase. Skilled and informed employees are invaluable, especially as they learn new security techniques and build expertise over time.
Global Knowledge’s cybersecurity curriculum was built with this in mind and covers vital topics across policy, business process and technology. In fact, we own the largest portfolio of authorized security technology training in the world.
IT security positions, and certifications for that matter, have gotten more specialized. And so has our training.
And reality has set in-cyberattacks are inevitable. The key no longer is prevention; it’s detection and response.
One thing hasn’t changed over the last decade: cybersecurity professionals are some of the highest paid in IT, and that is unlikely to change anytime soon.
As attacks continue to evolve, so too will the needs of cybersecurity specialists. They are some of the brightest and most dynamic individuals in the industry. And still, they can’t keep up with the pace of technology by sheer will. Continual skill development, through training and certification, is crucial to bolster your cybersecurity workforce.