By Tim Johnson
McClatchy Washington Bureau
WWR Article Summary (tl;dr) If you are mulling over career options, you may want to give cybersecurity a look. With some lead software security engineers making $230,000 a year, it can be a lucrative career. In addition, the demand for well-qualified cybersecurity talent is growing exponentially.
WASHINGTON
Want a career with zero chances of going jobless?
Try the booming field of cybersecurity. Companies can’t hire fast enough. In the United States, companies report 209,000 cybersecurity jobs that are in need of filling.
It’ll only get worse. By 2019, according to the Cybersecurity Jobs Report, the workforce shortfall may reach 1.5 million. Globally, the shortage could hit 6 million, it added.
“The internet is growing faster than the growth of people to protect it,” said Michael Kaiser, chief executive of the National Cyber Security Alliance.
It is a problem with the full attention of the White House, which in July called for “immediate and broad-sweeping actions to address the growing workforce shortage and establish a pipeline of well-qualified cybersecurity talent.”
A dramatic rise in cybercrime has put government in competition with private companies for hiring cybersecurity experts.
Private companies recoil at the possibility of hackers stealing their proprietary information, holding their data for ransom or plundering their servers of the personal information of clients.
The shortage in job candidates is not an easy or quick problem to address, experts said.
“It takes a long time to develop the instincts to be an effective cybersecurity engineer. You can’t just come out of college and know what to do,” said David Foote, a tech industry researcher and co-founder of Foote Partners of Vero Beach, Fla.
“The threat landscape changes all the time, and that’s hard to train for,” Kaiser added.
Foote said both government and private industry faced shortages: “In the short term, it’s not looking good. There are so many employers who are way behind in staffing.”
Efforts to poach cybersecurity experts occur at a blistering pace.
Some 46 percent of working cybersecurity professionals said they received solicitations for other jobs “at least once per week,” according to the State of Cyber Security Professional Careers, a survey released last month jointly by the Enterprise Strategy Group and Information Systems Security Association.
“Turnover in the cybersecurity ranks could represent an existential risk to organizations in lower-paying industries like academia, health care, the public sector and retail,” the survey said.
In the federal government’s push to expand cybersecurity training, it has targeted all levels of education, including $125 million in National Science Foundation grants to primary and secondary schools. It has also designated nearly 200 colleges and universities as National Centers of Academic Excellence in Cyber Defense.
Many universities are gearing up programs to meet the surge in demand.
“We will start teaching the first group of students in two weeks,” said Alan M. Usas, the director of the new executive master’s in cybersecurity program at Brown University in Providence, R.I. “Interest has been extremely high.”
But luring younger students into cybersecurity can be a tough sell.
“People who are graduating from college are looking for the next killer app or to create the next startup,” said Katrina Timlin, an associate fellow in the Strategic Technologies Program at the Center for Strategic and International Studies, a Washington think tank.
Cybersecurity has little of the cachet of other areas of information technology, such as machine learning, and cybersecurity experts aren’t even always loved at their own companies. Their departments are not revenue generators. And their constant efforts to penetrate systems can raise hackles.
“They have to have that nonconformist edge where they can pick apart a problem. That kind of personality pushes some people’s buttons,” Timlin said.
As they look for flaws in existing networks and systems, cybersecurity experts can find themselves at loggerheads with technology engineers who built the systems, she said.
Cybersecurity encompasses far more than just technology issues.
“Most every company that has an internet presence by definition is a global company,” Usas said. When hacks occur, “there’s forensic work that needs to be done,” he added, but often legal and policy issues come into play, as well as human behavior analysis.
“There are a number of straight deep tech jobs, but there are also a number of hybrid jobs,” Foote said, noting that computer hacks can affect accounting and finance divisions, as well as logistics, marketing and legal affairs.
Those who are already established in cybersecurity and leading teams at companies are well-compensated.
“There is some talk out there, I’ve heard it, that lead software security engineers are making $230,000 and $240,000 a year. It’s crazy,” said Foote.
Foote’s consulting firm receives compensation data from 2,914 employers who report on what they pay 255,650 full-time technology professionals.
In the most recent quarter, Foote said, the firm found an average salary of $99,000 for a cyber security specialist with three years’ experience in design, deployment and administration of security systems. For a more senior employee with at least five years of experience and strong knowledge of digital controls and protection strategies, the national average salary is $118,000.
Cybersecurity jobs in the United States pay an average of $6,500 more than other information technology professions, a premium of 9 percent, according to a July report, Hacking the Skills Shortage, by Intel Security and the Center for Strategic and International Studies.