Corporations and government agencies are scrambling to find new ways to attract people to jobs in information security, thanks to a growing worldwide gap between the demand for IT professionals specializing in security and the number of people entering the field.
"The gap in the workforce is getting to the point where it's almost at a crisis level," says Julie Peeler, manager of the International Information Systems Security Certification Consortium ((ISC)2) Foundation. "I do think it will get worse before it gets better."
The group recently released The 2013 (ISC)2 Global Information Security Workforce Study, in conjunction with technology consulting firm Booz Allen Hamilton, and market research company Frost and Sullivan, that surveyed more than 12,000 information security professionals. The respondents said that the continuing shortage of personnel is straining the existing workforce, which is trying to cope with a widening array of threats.
A separate study from Burning Glass Technologies, a Boston-based company that analyzes job ads, found that over the past five years, demand for cyber security jobs has grown three-and-a-half times as fast as computer jobs overall and 12 times as fast as the total labor market, with more than 67,000 cyber security job postings in 2012.
The growth is driven in part by a proliferation of IT devices and applications. More employees are using their own smart phones, tablets, and home computers both to do work and access the Internet. There's also been the rapid growth of cloud computing. And to a lesser extent, more businesses are using social media as a business tool. All these trends offer new avenues of attack. "There's a lot of openings into the network," Peeler says. At the same time, the number of attacks is increasing, whether from lone hackers, organized crime, or hostile governments. Just recently, for instance, South Korea's banks were paralyzed by a cyber attack that was suspected to have originated in North Korea.
Peeler says part of the problem is that corporate executives have been slow to wake up to the critical need for security IT professionals. "Information security is one of those industries where you only notice it when something goes wrong." But awareness is spreading, she says.
Among the most highly sought-after jobs is security analyst, someone who can assess not only the immediate technical issues but also other areas that might affect security, who can recognize patterns and develop long-term plans. Peeler says one short-term solution some companies are using to address that need is to retrain other types of analysts already on staff, such as economic forecasters, to deal with cyber security.
A joint effort between (ISC)2 and Booz Allen is targeting returning veterans for training in information security. Many already have certifications and can transfer quickly into civilian jobs, Peeler says. Others may have military experience in intelligence or security that can translate to corporate or governmental jobs. Some veterans may even already have security clearances that some government-related jobs require.
But for the longer term, it will be necessary to recruit more students into the field in the first place. Peeler says there will be a need for 330,000 IT security workers world-wide this year; "We're just not graduating them that fast."
Rochester Institute of Technology in New York is working on training more students. Six years ago it started what Sylvia Perez-Hardy, associate professor and department chair of computing security at RIT, thinks is the country's only undergraduate degree program in the field. The program now graduates about 70 students a year, 96 percent of whom either go on to a graduate program or get a job in their field within six months.
"I'd love to see us double the size of the program in the next five years," says Perez-Hardy. To that end, she's trying to promote more awareness of the field among high school, and even younger, students. RIT is developing recruiting material to send to high school guidance counselors, who Perez-Hardy says often aren't aware of the specifics of careers in information security.
In late 2011, the National Institute of Standards and Technology joined with the U.S. Department of Education to promote the field at appropriate levels to students in kindergarten through grade 12. Perez-Hardy says young people's imaginations are fired by the forensic aspects of security. "Any students that really like to solve puzzles, solve mysteries, they get intrigued by how a system gets broken into," she says.
Last February NIST also devoted $10 million to establish a National Cybersecurity Center of Excellence in Gaithersberg, MD. The center works with people from industry and government to provide businesses with usable approaches to cyber security.
Perez-Hardy says the federal government could also bolster the field if it provided more funding for scholarships. Though there is assistance available for juniors and seniors in college, there's no four-year scholarship, she says.
One factor that should attract more people to the field is the pay. Peeler says that the worldwide average salary for security workers with certification, like that offered by (ISC)2, was $101,000 in 2012, which was up 2.4 percent from the year before. Pay for uncertified workers, however, declined 3.6 percent from $75,700. Perez-Hardy says the average starting salary for students with bachelor's degrees is in the mid-$60,000 range, and the highest starting salary for one of her students last year was $103,000.
And because of the sensitive nature of the jobs, many government-related workers have to have citizenship where they're working. Unlike some areas of computing, where jobs migrate to less expensive parts of the world, information security tends to remain in the United States. "These are not jobs that can be outsourced," Peeler says.