Cyber security census_report

1

August 5, 2013

Cyber Security Census

Sponsored by:

2

Research Objectives 3

Today’s Cyber Security Professionals 4

What Cyber Professionals Want in Their Next Job 10

Who Are Tomorrow’s Cyber Security Professionals? 18

Recruitment and Retention 21

Table of Contents

3

Cyber security professionals are in high demand in numerous industries across

the United States. The demand for cyber pros has grown more than 3.5 times

faster than the demand for other IT jobs over the past five years and more

than 12 times faster than the demand for all other non-IT jobs.* Estimated

current staffing shortages are between 20,000 and 40,000 and are expected to

continue for years to come.**

To meet the current and future demand for cyber pros, today’s employers

must better understand how to recruit and retain a qualified workforce.

To facilitate this understanding, Semper Secure surveyed 500 cyber pros from

40 different industries across 43 states, the District of Columbia, and Puerto

Rico. The resulting report:

Summarizes the origins and characteristics of today’s cyber pros

Outlines cyber pros’ career goals and aspirations

Recommends strategies for recruiting and retaining

Research Objectives What motivates today’s cyber security professionals and how do we train and recruit the next generation?

*Source: http://www.pkware.com/Blog/2013/03/12/shortage-of-it-security-professionals-could-comprise-companies-network-security

**Source: http://www.reuters.com/article/2012/06/12/us-media-tech-summit-symantec-idUSBRE85B1E220120612

4

Today’s Cyber Security Professionals Today’s Cyber Security Professionals

5

$116K

5%

34%

44%

85%

Who Are They? The typical cyber pro is well educated and well compensated

Take Away: Demand > Supply

Professional certification

Bachelor’s degree

Master’s degree

Doctorate

Do You Hold Any of the Following Academic Degrees in Computer Science, Mathematics, or Electrical Engineering?*

CISSP: Certified Information Systems Security Professional

CCNP: Cisco Certified Network

Professional Security

CEH: Certified Ethical Hacker

Most Popular Certifications

The average annual salary of today’s U.S. cyber pro ($55.77 per hour)

*Respondents asked to select all that apply

6

1%

4%

4%

5%

8%

5%

7%

7%

Utah

Washington

Colorado

NY

Texas

Maryland

D.C.

Virginia

California

Where Are They?

LOCATION

Cyber pros contribute to numerous industries across the U.S.

Take Away: Cyber pros are concentrated in CA and the D.C. metro area

4%

6%

6%

7%

8%

9%

11%

13%

14%

14%

IT

Biotechnology

Financial Services

Education

Other

Legal and Insurance

Heath/MedicalServices

Defense/Aerospace

Manufacturing

Government

19% Greater D.C. metro area

19%

INDUSTRY

7

Where Did They Come From? Cyber pros typically discover the field during their careers

Take Away: Support educational programs to develop future employment pool

When Did You First Become Interested in Cyber Security?

Career

A New Field

One in four cyber pros (26%) have been working in the field for less than

five years.

Higher Education*

36% 43%

*Became interested in college or graduate school

21% Other

8

13%

18%

25%

27%

31%

39%

44%

56%

Why Did They Stay? Today’s cyber pros have a genuine interest in their work; want engaging and meaningful careers

Take Away: It’s not just a paycheck to cyber pros

What Interests You the Most About the Cyber Security Profession?*

Interesting, challenging work

Important and meaningful work

Love the technology

Constant change/Dynamic industry

Job security

High salary and benefits

Validates my talent and skill

Opportunity to work with the best people

Just one in four cite salary and benefits as a top interest

*Respondents asked to select top three

9

What Do They Like? Cyber pros enjoy a variety of leisure pursuits

Take Away: The cyber elite are people too

Madden Football

Reading

Cooking

Spending Time Outdoors

Traveling

Game of Thrones

NCIS The Big Bang

Theory

CSI

Super Mario

Brothers

Halo

Call of Duty

Pac-Man

Non-Technology Activities Favorite TV Shows

Favorite Video Games

10

What Cyber Professionals Want in Their Next Job

11

Catalysts for Change Cyber pros choose new employers for growth, money, and prestige

Take Away: Provide opportunities so staff develops with you, not your competitors

Top Reasons Cyber Pros Change Jobs:

New job with greater growth opportunity New job with better total compensation New job with more prestige or at a better organization

#1

#3

#2

Cyber security professionals are more loyal than you

think.

The majority (65%) have worked for two or fewer

different organizations during their career.

12

Secure Growth

What Do You Believe is The Next Step in Your Career?*

Cyber pros look for career growth through new challenges and leadership opportunities

Take Away: Create opportunities to keep staff challenged and engaged

Take on more difficult

challenges

Continue same type of

work in a different domain

Assume responsibility for cyber and

physical security

Become a CIO/CISO

Start own company/

consult

Assume a leadership

role

22% 18% 16% 15% 10% 8%

*Respondents asked to select only one

13

2%

4%

6%

6%

13%

14%

14%

16%

25%

Cool Tech

The technology is by far the most important part of a

cyber pro’s job.

Cool technology aside, cyber security professionals want to

do work that makes a difference.

Work flexibility (14%) is valued more than benefits and

prestige.

The technology

Work is of national importance

Control over my work and work environment

Work flexibility/telecommuting opportunities

Compensation

Quality of my coworkers

Benefits

Prestige

Convenience

Cyber pros favor jobs that allow them to work with interesting technology

Take Away: When recruiting, emphasize the technology

What is Most Important to You About Your Job?*

*Respondents asked to select only one

14

High Quality of Life

1. Flexible work arrangement (47%)

2. High total compensation (44%)

3. Training/education/career development (29%)

4. Being well respected/admired (28%)

5. Close relationships with people who share similar values (25%)

6. Substantial amount of vacation/time off (23%)

7. Low cost of living (21%)

7. Minimal traffic congestion (21%)

9. Access to outdoor recreation options (16%)

10. Access to cultural activities (11%)

Make no mistake, the money still matters

Take Away: Don’t miss on the money, but don’t forget the full picture

What Aspects Are Most Important to Your Overall Quality of Life?*

Flexible work arrangements

(which 81% say their employer offers) and total compensation are key to cyber pros’

quality of life.

Cost of living and traffic congestion are

low priorities, which makes sense with much of the industry based in

CA and D.C./VA.

*Respondents asked to select top three

15

Integrity and Leadership

Reputation for integrity; a code of honor

Reputation as a leader in cyber security

Known for addressing leading challenges in cyber security

Relatively high compensation scale

Expansive cyber security career opportunities

Excellence of leadership

Excellence of coworkers

Today’s cyber pros want employers to demonstrate integrity, leadership

Take Away: Nothing matters more than integrity

23%

30%

30%

31%

33%

34%

44%

What Are the Most Important Attributes of an Ideal Cyber Security Employer?*

*Respondents asked to select top three

16

33%

27% 12%

5%

23%

Leading Locations California and Washington D.C. are clear leaders

Take Away: Emphasize ties to Washington D.C., call out what differentiates VA

One in three cyber pros view California as the center of cyber security innovation.

But Washington D.C. is not

far behind. Nearly half (44%) say the greater D.C./VA/MD area is the center of cyber security

innovation.

What State or Geographic Region Within the United States Would You Consider to be the Center of Cyber Security Innovation and/or Activity?*

44%

D.C. Metro Area

California

Virginia

Washington D.C.

Maryland

Other

*Respondents asked to select only one

17

In a Perfect World, Everyone Works For Google Cyber pros favor Google, the Federal government, or self-employment

Take Away: The Federal government is a desirable employer, focus on retention

If You Could Work for Any Employer, Whom Would You Work For?*

Google

Federal government

Self-employed

Cisco

Cyber pros view Symantec-Norton, IBM, McAfee, and

Cisco as leading companies in the cyber security industry.

*Respondents asked to write in a response

#1

#2

#3

#4

18

Who Are Tomorrow’s Cyber Security

Professionals?

19

Different Origins, Different Values

How big of a driver are the tech toys? It depends on when you

discovered the industry:

17% of those who found it during

their career think the tech is cool

31% of those who found during

some form of education think the tech is cool

43% of those who found it during

grad school think the tech is cool

Cyber pros who discover the industry during their careers and during their education value very different things

Take Away: Know your audience – emphasize the tech when recruiting college grads, focus on importance of the work when developing/retraining staff from within

#1 Work is of national

importance The technology

#2 Work flexibility and

telecommuting opportunities

Compensation

#3 The technology Control over my work and work environment

What is Most Important to You About Your Job?

Those who discovered

the industry in their

career

Those who discovered

the industry in

college

20

#1 Flex work

arrangement Flex work

arrangement High

compensation

#2 Training/

development High

compensation Flex work

arrangement

#3 High

compensation Training/

development Respect and admiration

Different Roles, Different Goals

Take Away: Understand the staffing role and tailor incentives accordingly

Doers, managers, and entrepreneurs

What is Your Ultimate Career Goal?

Doers: Cyber security specialist

Managers: Chief Information Security Officer

Entrepreneurs: Start my own company/ consulting

What is Most Important to Your Overall

Quality of Life?

Doers Managers Entrepreneurs

Doers are also less likely than the others to have held more

than two jobs or moved more than 250 miles for a new job.

21

Recruitment and Retention

Professional Development: Cyber security professionals want to be challenged and move up. Provide opportunities to develop your current employees so they do not become your future competition

Internal Recruitment: Exposure during one’s career is still the most common means of entering the cyber security field. Recruit and train internally to make current employees new cyber security professionals

External Recruitment: Focus external recruitment efforts on youth in college and graduate programs. Emphasize the technology to spark interest. Follow up with the perks: pay, flexibility, and job security

Support New Educational Programs: Foster interest in the field early on through tailored educational and work-study programs

Maintain institutional knowledge, attract new recruits, and support educational programs to meet the growing need for cyber security professionals

22

The cyber security salary calculator generates a cyber pro’s expected salary based on their job title, years of experience within the cyber security field, geographic region, academic qualifications, and professional certifications. Use the calculator now: www.meritalk.com/csx/calculator

Cyber Calculator Expected salaries for cyber pros

The equations that power the Cyber Security Salary Calculator draw on survey data collected from 500 cyber security professionals in May of 2013. The survey results have a margin of error of ± 4.33% at a 95% confidence level. Surveys were completed over the web through a link from a trusted source.

Example One: Deputy CIO

Deputy CIO/CTO/CISO 15-19 Years of Experience DC Metro Region Doctorate or Post-Doc

Five or more Certifications

Average Salary:

Example Two: Mid-Level Cyber Pro Cyber Security Manager

5-9 Years of Experience

California

Bachelor’s Degree

Two Certifications Average Salary:

Example Three: Junior Cyber Pro Non-IT Management

Less than 1 Year of Experience

Minnesota

Associate’s Degree

Zero Certifications Average Salary:

$142,826.30 $91,124.90 $111,529.10

23

Methodology

Gender:

81% Male

19% Female

Cyber Security Professional Titles

29% CIO/CTO/CISO

2% Deputy CIO/CTO/CISO

22% IT Director/Supervisor

19% Cyber Security or Information Security Manager

3% Network Manager

1% Data Center Manager

4% Other IT Manager

20% Non-management IT

MeriTalk surveyed 500 cyber security professionals in May 2013. Surveys were completed over the web through a link from a trusted source. The data has a margin of error of ± 4.33% at a 95% confidence level.

100% of respondents work in cyber security and information security

24

Semper Secure Board Members Jim Duffey, Chairman Secretary of Technology Commonwealth of Virginia Cameron Kilberg Assistant Secretary and Senior Policy Advisor Office of Virginia's Secretary of Technology Jeffrey Eisensmith Chief Information Security Officer Department of Homeland Security Michael Howell Roberta Stempfley Acting Assistant Secretary of the Office of Cybersecurity and Communications (CS&C) Department of Homeland Security Dr. Ernest McDuffie Lead National Initiative for Cyber Security Education David Ihrie Chief Technology Officer Center for Innovative Technology Jenny Menna Director, Stakeholder Engagement and Cyber Infrastructure Resilience Division Department of Homeland Security

Major Linus Barloon II Chief, J3 Cyber Operations Division White House Communications Agency Robert Brese Chief Information Officer Department of Energy Diane Miller Director, InfoSec and Cyber Initiatives Northrop Grumman Lee Vorthman Manager, Cyber Security Lead NetApp David Stender Associate CIO for Cybersecurity and Chief Information Security Officer Internal Revenue Service Michael Watson Chief Information Security Officer Virginia Information Technologies Agency Michael Dent Chief Information Security Officer Fairfax County Government Kenneth Ball Dean, Volgenau School of Engineering George Mason University