This is an exciting time to be a cybersecurity/information security professional. After years of being grouped with people that work in other security fields, and having no formally recognized professional identity, cybersecurity professionals have finally achieved critical mass to enter the mainstream of the digital workforce. The cybersecurity field is now considered a prime employment growth area, as a convergence of factors have forced public and private sector entities to get serious about safeguarding their assets and infrastructures. As a result, there has been a dramatic increase in employment opportunities for those with cybersecurity training and experience, with competitive compensation now reflecting the true value and importance of the skills required.
State of the IT Security Profession
A series of bi-annual reports titled ‘The (ISC)² Global Information Security Workforce Study’ have documented the growth of the cybersecurity industry over the past seven years. The 2011 study is based upon interviews with over 10,000 information security professionals working in both the public and private sectors around the world. This year’s report indicates that, despite a troubled global economy, the cybersecurity workforce has reached 2.8 million individuals worldwide. Frost and Sullivan, which conducted the 2011 study on (ISC)²’s behalf, predicts that this will grow to almost 4.2 million professionals by 2015. Few professions can point to such a dramatic growth rate.
Today’s information security professionals are engaged in a wide variety of activities that seek to solve a broad range of problems. Their duties include risk management; intrusion detection/prevention; security awareness training, organizational policy development and interpretation; forensics; product development counseling through the secure development lifecycle (SDLC); disaster recovery and business continuity planning; penetration testing; and incident investigation.
"Academia has begun to recognize they can perform a major service…by preparing cybersecurity professionals for organizations responsible for [a] nation’s critical infrastructure" |
Patrick Howard, US Nuclear Regulatory Commission |
In addition to existing challenges, Frost and Sullivan also predicts plenty of new security challenges that will only serve to enhance the scope and importance of this career field. Some include security of application software; significant growth in the use of mobile devices; threats resulting from the use of social media; and the growing use of cloud computing and related technologies. Further, the threat of state-sponsored cyber warfare adds another dimension to the need for skilled professionals.
A Rapidly Evolving Profession Creates Opportunities
The information security industry is undergoing continuous change in response to the dynamics of technology. Worth evaluating as future career opportunities are positions that are considered by those currently in the field to be the areas in greatest need of additional training and education. According to (ISC)²’s study, the greatest need for training and education are in the following areas:
Cybersecurity risk management. This idea is frequently cited as the ‘new’ approach to managing cybersecurity across a network or organizational entity. Historically, risk management is a concept that has always been practiced but infrequently discussed. The practice of risk management requires the study of cost-benefit analysis, knowledge of business management and other non-technical disciplines related to the management of large organizations. The most comprehensive guidance for allocating security mechanisms in a cost-effective manner is the NIST 800 series Special Publications, but the practical application of this concept is a work in progress.
Leo Scanlon, chief information security officer at the US National Archives, notes: “The federal government remains on the cutting edge of the effort to apply risk management at the enterprise level, and this experience will be very valuable as commercial organizations look to integrate IT security investments with their growing audit compliance obligations.” Whether working as an IT security professional in the private or public sector, the ability to implement security practices using a risk management framework will be key to one’s career growth.
Software security. Secure software development is a challenge that has been recognized by the US Department of Homeland Security (DHS) and elevated as an issue of concern across the developer and academic communities. Indeed, the DHS’ Software Assurance Forum initiative has produced model software assurance curricula for use at the university level. It is anticipated that government and private sector customers will require an increased level of security in the software products they plan to procure – both now and in the future.
Criminal investigation and forensics. The growing threat of cybercrime will create new employment opportunities in both the criminal investigation and forensics career fields. Every law enforcement agency will be seeking individuals who can work effectively in the current and future cyber environment, from those handling IT-based financial and white collar crimes, to those who can perform technical analysis on digital equipment used in a criminal case.
Cyber warfare. There are two aspects to cyber warfare – defensive and offensive. The US Department of Defense (DoD) recently recognized that the internet is a new sphere of potential military conflict and established the US Cyber Command, charged with overseeing and coordinating cyber warfare activities. Similar efforts have been repeated throughout the globe as of late, including in China, Germany, Australia, and the UK.
Identity management and access control. ID management and access control is a major concern that will provide future opportunities for individuals seeking to enter the information security career field; as it is a critical component of any organizational security program. As recent events have demonstrated, even the more sophisticated identity management solutions – such as the RSA token – may be vulnerable to attack by skilled hackers.
"The federal government remains on the cutting edge of the effort to apply risk management at the enterprise level, and this experience will be very valuable as commercial organizations look to integrate IT security investments with their growing audit compliance obligations" |
Leo Scanlon, US National Archives |
Patrick Howard, CISSP, and CISO at the US Nuclear Regulatory Commission, adds that the development of academic programs that provide training in cybersecurity relative to the protection of critical infrastructure is a growth opportunity. “Until recently, cybersecurity has generally been overlooked with respect to critical infrastructure protection. However, academia has begun to recognize they can perform a major service to [a] nation by preparing cybersecurity professionals for organizations responsible for [a] nation’s critical infrastructure.”
Promoting the Cybersecurity Career Field
Over the past decade, the US federal government has recognized the importance of building the nation’s information security workforce and noted the lack of training opportunities that exist at the undergraduate, graduate, and post-graduate levels. Government is now working with academia and the professional community through the National Initiative for Cyber Security Education (NICE) to establish “operational, sustainable and continually improving cybersecurity education”, directed at multiple segments of the citizenry.
NICE is composed of four tracks: (1) national cybersecurity awareness; (2) formal cybersecurity education; (3) federal cybersecurity workforce structure; and (4) cybersecurity workforce training and professional development.
Another government-initiated program making a significant impact in increasing the quantity and quality of the information assurance workforce through education is CyberWatch, an Advanced Technological Education (ATE) Center headquartered at Prince George’s Community College in Maryland. CyberWatch represents itself as “a principle contributor to information assurance education, including the [primary/secondary schools], associates, bachelors, graduate, and professional certification levels”.
Compensation Trends
Information security has evolved into a very well compensated career field, with salaries proven to be highly competitive with other technology sectors. The 2011 (ISC)² report found that the average salary reported by US-resident survey respondents who held an (ISC)² certification was $106,900. The average annual salary of individuals who did not hold an (ISC)² certification was $92,900. Another recent salary survey completed by PayScale.com reported similar averages (see table below).
Computer Security Function | Median Salary |
Computer security specialist | $63,605 |
Data security analyst | $61,448 |
Senior sales director | $99,226 |
Security director | $111,773 |
Security engineer | $82,941 |
Security architect | $102,563 |
Security consultant | $78,099 |
(Source: PayScale.com) |
Together, certain factors have combined to increase the salary scale for cybersecurity professionals. First, there is a recognized shortage of individuals working in the field. High demand has, in turn, created a competitive employment environment that will likely result in fast-growing compensation scales. For example, a recent legislative proposal submitted to the US Congress by the Obama Administration requested that the DHS be given specific authority to offer enhanced compensation for hiring and retention of cybersecurity professionals. Also, the US State Department currently offers a 10% salary increase to information security personnel who hold an approved certification, such as CISSP.
Moving to the Next Level
Next, the shift to a risk management approach for cybersecurity will require more broadly skilled and technically aware graduates from the public policy and business management disciplines, which, in turn, command higher salaries. In the near future, information security managers will rise to senior positions within their organizations. These promotions will be a result of their recognized strategic vision, technical savvy and the understanding of cyber risk they bring to the positions of chief operating officer, chief executive officer or deputy secretary in both private and public sector organizations.
Those who have followed the evolution of the ‘computer security’ field and have observed the inevitable intersection of automation, threats, and vulnerabilities, will have likely predicted that there would one day be the need for a distinct and separate career field. One need only look at future technology forecasts to see that there is – and will remain – rapid and continuing growth of opportunities in the information security field.
'These opportunities will be well-compensated positions that will provide a satisfying and fulfilling career for those who elect to enter the profession. There is no better time than the present to consider a career in cybersecurity.
Members of the Bureau include federal IT security experts from government and industry. John R. Rossi, CISSP-ISSEP, was the lead author of this peer-reviewed article. Visit the Bureau website for a full list of members. |