There are projected to be 1.5 Million job openings for information security personnel, and that number is expected to more than double over the next four years. Certainly, recruiting and retaining qualified personnel is difficult for any profession. In this article, we’ll take a closer look at the information security job market. Is it as bad as the dire warnings we hear? What can be done about this, and what are the underlying causes?
How dire is the infosec job market?
Some estimates of the information security job market are not as aggressive. The US Bureau of Labor Statistics estimates there are 100,000 infosec analyst positions total as of 2016 and that this will increase to 128,500 by 2026. We must consider semantic differences between “information security analyst”, “information security personnel”, and other terms — even so, such semantic differences should not account for orders-of-magnitude differences. Given that the United States employs a disproportionate share of the infosec personnel worldwide, it is hard to justify a figure of 1.5M unfilled positions. Perhaps those are not actual openings, but CISOs (or equivalent) musing about how many personnel they would ideally have on their team?
Another figure thrown around is that there is 0% unemployment in information security. This author knows qualified, flexible information security people who are unemployed, so like unemployment figures in general, one must approach that one with a grain of salt. We have no doubt that recent college grads with concentrations in information security and complete flexibility in where they live are having no issue finding entry-level positions as Security Operations Center (SOC) analysts, but more senior people are being hampered by ageism, by being tied to a given geographical location, or by the sorely misguided notion that a recent grad who only has to be paid 3/5 of what the senior-level person does can do the same job. One can extrapolate from that last point and hypothesize that these alarmist job reports are designed to get as many people into the information security market as possible. Doing so will flood the market, commoditize the job skills, and reduce the cost that needs to be paid for them.
Better staffing models
What if we went the other way in the balance of supply and demand though: instead of flooding the supply, let’s decrease the demand for infosec personnel. Obviously, it would be ideal if this were possible by virtue of technologies being more secure and having security incidents largely go away, but that will probably never happen. Instead, we should look at how we are performing our security staffing. Right now, the majority of large companies have or are building SOCs — they want to run and staff every aspect of their information security programs. This is fine if you are a big technology company like Google or Microsoft where information security should be one of your core competencies, but why does every major retailer like Walmart, Target, and Best Buy have a large security team? Just as companies outsource functions like accounting and legal counsel — retaining an internal staff to oversee the work and deal with critical issues — information security can be largely outsourced.
The way security outsourcing is done today is largely through Managed Security Service Providers (MSSPs), who too often provide a one-size-fits-all model and are not well integrated with their customers. Something like this happened in the Target breach, where their offshore security team (which was acting essentially as an MSSP) identified the problem multiple times over weeks before the core team acknowledged it was actually a breach. One cannot fathom outside counsel letting their client drop the ball on a legal matter multiple times. At the same time, one does not employ outside counsel and expect that 95% of what they forward to you is not really important. An MSSP who understands the environment and can properly vet all alerts provides much more value to its clients.
There are massive economies of scale to security operations:
- Just as the best programmers are an order of magnitude better than the mediocre ones, one can expect that the best security analysts are an order of magnitude better than the mediocre ones. (Update: US CyberCom indicates they might be 50-100 times better.) Not every organization can hire these rockstars, but if they work for a security outsourcing firm they can support many clients at once.
- There is a massive amount of time wasted in the analysis process that can be trimmed away (six-sigma style) through the use of better tools and automation, but this takes investment of engineering budget and labor. Such investment is easier to justify when it is amortized over many clients.
- A common element of job satisfaction for many, if not most, security personnel is the ability to learn new things. A larger team provides more training opportunities, both because more classes can be held in-house, and personnel have coverage for the time they are in training. Additionally, teams with many rockstars provide the opportunity to learn from each other and mentor the more junior staff.
Let’s say you have 100 companies that all want to have a SOC. You need, on average, around 12 dedicated people to staff a SOC, so that’s 1200 people. Among those 1200 people, you probably have 12 rock stars, so barely one in ten of the companies could bring one in. If instead all 100 companies went to one outsourcing company, the analysis load could probably be handled by 1/10th the staff (including all the rock stars), at 1/5th the cost to the companies (including a tidy profit and better pay for the analysts). We use security operations for this example because it is easy to illustrate, but the principles apply across security programs: compliance, training, architecture, even the management of the program itself (CISO or equivalent). It is a win-win for firms to outsource their security functions to providers that can attract the top talent and leverage economies of scale.
Why is there a shortage anyway?
Putting aside the notion of how many positions actually need to be filled, why are security jobs so hard to fill anyway? Since recovering from the dot-com boom, CS and IT graduation numbers have rebounded and are now at an all-time high. A few reasons were alluded to above, and there is one bigger one still; they are:
- Geography: Many talented people are geographically fixed, usually for family reasons, and most companies still have a fixed mindset that security personnel must be co-located. There is an old military mindset that the SOC should look like NORAD, even though in practice SOCs are typically quiet, as analysts need to concentrate. The requirement for co-location is particularly ironic when a company has multiple offices around the globe but somehow feels that personnel must be in one of those offices. Sometimes security concerns are cited as the reason for disallowing remote work, but then personnel are still allowed (even encouraged) to work remotely after hours.
- Price point: As noted above, if everyone is trying to fully staff a security team, that drives up the price of security personnel. Additionally, senior security personnel cost at least 50% more than junior personnel. Unlike programming though, where someone with the right aptitude will typically be a rockstar by the time they graduate university, security depends much more heavily on experience. There is a need to understand what can go wrong, and this is often learned through seeing many, many things go wrong. Nevertheless, companies balk at paying for this kind of experience, which simply cannot be trained. One must also consider that the top law school graduates are now making $190,000/yr right out of school. It’s a good analogy: top infosec personnel provide similar protections to their employers and clients as lawyers do, and just like attorneys, they will often work crazy hours when new in their careers. If these personnel made $190k right out of grad school, there would not be a shortage of infosec personnel.
- Skills mix: A security team needs many people with many different skills. Besides analysts, they need writers, trainers, project managers, engineers, and people managers, just to name a few. There are even many different types of analysts: forensic analysts, network analysts, malware analysts, event analysts, and so forth. While there are strong ties between these skills, they are not simply interchangeable. You cannot take a network analyst and drop them into a forensic analyst role; granted — it will be far easier for them to learn than someone else — but there is no way they will hit the ground running. More importantly, these people are invested in the specific skills they have developed, so the network analyst will often not want to take a forensic analyst position. Consequently, when we talk about the market, it is a bit unhelpful to say there are 28 thousand, or 1.5 million, or 3.5 million openings, because those openings might call for a skills mix that is not being properly developed.
- Mindset: We saved the best for last: the main reason information security jobs are hard to staff is that they require a different mindset than other technology jobs. Most technology jobs, like software development, network technicians, quality assurance, et cetera, are all about making things work. As long as all the features work as advertised, you are done. Sometimes one of the features needs to be resilience, to protect against natural failures or disasters, so you build in some redundancy, maybe geographical separation, and you are done. Security is different because you have to think about how things can break, and not just against failures, but against active malfeasance. The difference can be identified anytime a developer has responded to a vulnerability by saying, “We did not address that because no one would ever do that.” Well, hackers do think about that sort of thing, and in the past 20 years those skills have become profitable. In order to defend against such attacks, we need to be thinking along the same lines to identify what the risks are that we need to protect against.
The fact of the matter is that there is a shortage of qualified information security personnel. Even if it is not dire, we need more smart people to get a leg up on the attackers, and we need to better utilize those smart people. BuboWerks was founded to focus on attracting the rockstars of information security and effectively utilize them to help solve the information security woes of many clients. If you are feeling short-staffed in the information security department, contact us and we can discuss how BuboWerks can help.