This feature first appeared in the Spring 2023 issue of Certification Magazine.
Industry analysts estimate that the total global cost of cybercrime across all of 2022 is equivalent in U.S. currency to $8.4 trillion. Put another way, the worldwide cost of cybercrime last year was greater than the GDP of any nation on earth except for China ($14.7 trillion in 2022) and the United States ($20.9 trillion in 2022). It's an ever-widening economic sinkhole that could swallow the GDP of third-place Japan ($5.1 trillion in 2022) and still have room for a seven-course meal.
There's no immediate solution, and a similarly swelling gap is compounding the problem: There aren't enough skilled cybersecurity professionals to go around. Industry research conducted last year estimates that there are 3.4 million unfilled cybersecurity jobs worldwide, including more than 700,000 just in the United States.
There are a lot of dismal conclusions and fearful takeaways that could be gleaned from that tempestuous cloud of data. One silver lining, on the other hand, is that the combination of expanding crisis and lack of skilled professionals means plenty of opportunity for anyone with a professional interest in information security. Want a secure career in a growing industry? Step right up.
If you have the requisite skills — or are willing to gain them — then a career with an inviting profile awaits. The U.S. Bureau of Labor Statistics estimates that there are more than 130,000 jobs in the United States for individuals who “plan and carry out security measures to protect an organization’s computer networks and systems,” and that's just the people who are already employed.
Growth in the field over the next 10 years is projected at 35 percent, meaning that an estimated 45,500 more jobs will be created just in the United States by 2031 — a level of expansion described as being “much faster than average.” The pay is pretty good, too: BLS research pegs the median annual salary for “information security analysts” at $102,600, or $49.33 per hour, up from $99,730 and $47.95 per hour (respectively) just two years ago.
Skills and knowledge both scarce
You can't enjoy a slice of that pie, of course, without making room for a heaping serving of vegetables — information security workers have a lot on their plates. In the course of our recent Security Certification Survey, we asked the certified information security professionals who responded to rate their level of agreement with a series of statements about security operations at businesses and other private organizations.
One of the biggest hurdles to effective cybersecurity is a people problem. More than 75 percent of those surveyed either agree (49.3 percent) or strongly agree (28.5 percent) that enterprise security staffs are too small. The neutral “neither agree nor disagree” middle ground was staked out by 19.3 percent of respondents, leaving slightly fewer than 3 percent who disagree (1.9 percent) or strongly disagree (1 percent) that security staffs are too small.
Staffing shortages, however, don’t tell the whole story. A perhaps equally telling issue is the general lack of individual security smarts. Roughly 70 percent of those surveyed either agree (47.8 percent) or strongly agree (22.7 percent) that employees not hired for technology jobs tend to lack adequate basic information security training.
Even people who are trained to work with computers and information technology (IT) tend not to know as much about security best practices as they should. Two out of every three survey respondents either agree (46.9 percent of those surveyed) or strongly agree (18.8 percent) that security training of IT personnel on enterprise staffs — those who perform specific IT functions — is not adequate.
The result is that security staffs aren’t just contending with outside attacks, but must also continually guard against gaps in the security awareness of their coworkers.
Tools and technology
On top of manpower challenges and a general lack of security training, most of the certified information security professionals who responded to the survey believe that organizations are bogged down by sketchy software, hardware, and policy protections. More than 53 percent of respondents either agree (41.5 percent) or strongly agree (12.1 percent) that enterprise security controls are lacking.
That’s compared to just 18 percent who either disagree (16.4 percent) or strongly disagree (1.9 percent) that controls are not up to snuff. (A further 28 percent of those surveyed signaled a perhaps lesser degree of satisfaction with the status quo by choosing to neither agree nor disagree.)
Old or aging security technology is less of a hindrance. A bit less than half of those surveyed either agree (38.2 percent) or strongly agree (11.1 percent) that enterprise security controls are outdated. Some organizations, it would seem, are keeping up with changes, as indicated by the 23 percent of respondents who either disagree (21.3 percent) or strongly disagree (1.9 percent) that controls are outdated. (The remaining 27.5 percent of respondents took no position.)
There is money being invested in security technology, but most certified security professionals don’t seem to feel that security spending is either carefully thought-out or adequate to address problems. About 42 percent of survey respondents either agree (29.5 percent) or strongly agree (12.6 percent) that money for enterprise security measures is spent unwisely, while just 23 percent either disagree (16.4 percent) or strongly disagree (6.8 percent). (Thirty-five percent took a neutral position.)
A more serious problem concerns the amount of money being spent, as opposed to whether it’s been well-invested. A worrisome 72 percent of those surveyed either agree (44.4 percent) or strongly agree (27.5 percent) that there is not enough money being spent to install or improve security measures. Just 12 percent either disagree (10.6 percent) or strongly disagree (1 percent) that not enough money is being spent, while 16.4 percent are on the fence.
Information security professionals have a variety of duties and responsibilities. Some design and install security infrastructure, while others are charged with actively monitoring computer and network activity. Some specialists are involved in determining and defining policy documents, while others test and examine existing protections.
There’s quite a bit of work to be done, and only so many hours in the day. Are we pushing the current workforce too hard? About 45 percent of those we surveyed either agree (26.7 percent) or strongly agree (18.9 percent) that they are overworked. Almost exactly one-third (33.5 percent of respondents) took a neutral position, while the remaining 21 percent disagree (18 percent) or strongly disagree (2.9 percent) that they have too much on their plate.
For most certified information security professionals, the tasks they perform are complex and engaging. A solid 78 percent either agree (52.7 percent) or strongly agree (24.4 percent) that their work is challenging, with a further 12.2 percent taking a neutral position. That leaves just 11 percent who either disagree (9.3 percent) or strongly disagree (1.5 percent) that their work is engaging.
We did ask one question that touches on the broad issue of compensation. Generally speaking, are certified information security professionals satisfied with their current salary? Only about 38 percent either agree (28.2 percent of respondents) or strongly agree (10.2 percent) that their current salary is satisfactory, while 24.8 percent took a neutral view. The remaining 37 percent either disagree (29.1 percent) or strongly disagree (7.8 percent) that their current salary is satisfactory.
Certification = employment
Certification is a long-established pillar of the information security realm, with many security credentials requested by name in employment listings. You don’t have to be certified to get a job: 54.4 percent of those surveyed were not required to have a security certification when hired for their current job. Forty-five percent, on the other hand, did have to meet a certification requirement in order to start work.
Even in cases where certification is not required, however, it could be a factor in any hiring decision that gets made. Asked to estimate the impact of certification on being hired at their current job, 50.7 percent of certified information security professionals said it was either influential (27.9 percent) or very influential (22.8 percent), with an additional 26 percent reporting that certification was at least somewhat influential.
It’s also true that many choose to get certified with an eye on future employment. Setting aside the popular rationales of gaining skills and increasing compensation, we asked those surveyed to name the two most important benefits of getting a certification.
Three of the top four responses are directly employment-related. The most popular choice is “Improve or confirm qualifications for my current job,” followed by “Gain qualifications for a future job.” The outlier — “Gain greater confidence in my own skills” — was a little bit more popular than “Become eligible for positions of greater responsibility with my current employer.”
Workplace and education
Every business or organization has to grapple with information security-related challenges in 2023. To judge by our survey audience, however, a sizeable chunk of the information security jobs available are focused in three workplace sectors: government (18.8 percent of those surveyed), financial services (11.3 percent), and computer or network consulting (10.3 percent).
Other popular employment sectors include software (8.5 percent of respondents), education (7 percent), health or medical services (5.6 percent), and telecommunications (also 5.6 percent).
For teens and young adults who are considering information security as a potential career, definitely don’t rule out higher education. Among survey respondents, 41.8 percent pursued their formal education far enough to hold a bachelor’s degree, while 36.5 percent went one step further and claimed a master’s degree, and 1.9 percent hold doctorate degrees.