Cybersecurity by the Numbers, Part Deux

March 25, 2019

In our last installment, I talked about those huge numbers representing the implied costs of data breaches to individual businesses and society.  In this column, I want to talk about another set of big numbers getting lots of media play: namely, the cybersecurity workforce gap.  Depending on whose study you cite, there is an expected gap between available jobs and cybersecurity practitioners of somewhere on the order of 3,000,000 jobs by 2020.  Now that’s a big gap!

Read these articles carefully.  Most fail to dive into the numbers, explain the methodology, or define the sample size.  They gleefully jump into what they perceive are the ramifications of such a large gap.  And what do they see first?  Big dollar signs for you and me!

In many of these media click-bait blockbusters, the focus is on all that sweet, sweet money those of us in this business will be raking in as we fill critical vacant positions that companies compete like Roman gladiators to fill.  We will be able to take our pick of any remotely relevant position as we watch corporate recruiters and human resource personnel throw open the company coffers to beg for the fruits of our labors.

$200K per annum?  Pffft.  Will you take $275K?  Maybe.  Will $350K do it?  Free on-site catered meals?  Done.  A new car for a sign-on bonus?  Will this sporty BMW suffice?  Bring your dog to the office?  Absolutely.  Cadillac health plan?  A given.  A real office with a door and windows and not an open floor plan? Well, let’s not get carried away.

The people interviewed in these articles are often recruiters and others invested in what I call “the churn”.  These folks get employed, contracted, and paid when people change jobs.  It can be lucrative work in a space like cybersecurity, and they are all in.  It’s like the entire infrastructure built around buying and selling homes: realtors, home inspectors, appraisers, contractors, and even the local Recorder of Deeds get a scrape of the deal.  There may not be as many middlemen in the job-hopping market, but you get the idea.

Of course, your anecdotal evidence may fly in the face of these fantastic conclusions.  Mine certainly does.  To understand the disconnect, my employer did a study of their own, but with a very specific methodology and a statistically significant sample size.  You can look up the details yourself, but let me parse some of the key findings for you.

Firstly, that 3,000,000 job number is global, not national.  Our study shows nearly two-thirds of those jobs will be in the Asia-Pacific region.  The number for just the United States comes in around 800,000.  That’s a fair bit less than the total.  In other words, if you want to play the ex-pat game, your next big position may be in Singapore.

Of these big numbers, it’s important to know that there is no monolithic ‘cybersecurity job’.  There are dozens of career tracks and roles that can be lumped under the name of cybersecurity.  There are auditors, analysts, SOC monkeys, pentesters, CISOs, trainers, consultants, governance and compliance experts, and an entire host of related jobs. When you look at the number again, those 800,000 open positions, mapped against dozens of job categories, across a country the size of the United States, a different picture comes into focus.  Sure, this is a great profession with a world of opportunities.  It’s a great time to be in cybersecurity, but you may still want to think before dropping a down payment on that yacht.