Demand for cybersecurity professionals continues to far outpace supply, according to aBurning Glass Technologies report released last week.
Cybersecurity hiring remains concentrated in government agencies and among defense contractors, the third annual cybersecurity job market report notes, but hiring has started to boom in industries handling consumer data.
Over the last five years, for example, hiring in the finance sector spiked 137 percent, healthcare climbed 121 percent, and retail jumped 89 percent.
“This has driven up salaries for cybersecurity workers, but it also means that jobs stay open longer,” the report says.
Cybersecurity jobs are commanding a significant premium in the market, noted Burning Glass CEO Matt Sigelman.
“If you compare the spectrum of cybersecurity jobs to the salaries of IT jobs overall, you’ll find an (US)$8,000 premium,” he told TechNewsWorld. “That’s not chump change.”
Cert Shortage
Burning Glass also found that more than one third of cybersecurity jobs (35 percent) call for an industry certification, compared to 23 percent of IT jobs overall.
In addition, eight in 10 cybersecurity jobs demand a bachelor’s degree, and roughly the same number call for three years’ experience or more, the report notes.
Those requirements are making it difficult to meet the demand for cyberwarriors.
“There are some cybercertifications where there are more job postings than people in North America who have that cert,” Sigelman observed. “That’s a shortage.”
Even common certs are in high demand. For example, there are upwards of 60,000 CISSP holders — Certified Information Systems Security Professionals — in the United States. Yet there were 45,000 job postings with that cert as a requirement.
“Almost everyone who has one would have to switch jobs, and even that wouldn’t solve the problem,” Sigelman said.
Growing Gap
Positions calling for financial skills or a security clearance are even harder to fill than other cybersecurity jobs, Burning Glass found. Jobs calling for a security clearance take 10 percent longer to fill than other cybersecurity positions, on average, and positions calling for knowledge of accounting or Sarbanes-Oxley regulations take 17 percent longer.
“I don’t think this gap is going away anytime soon,” Sigelman said.
A lot of the certifications being asked for aren’t entry-level, either. For example, one of the qualifications for a CISSP is five years of work experience in the field.
“That’s a slow boat to turn, so there aren’t going to be enough people with CISSP certifications in the near future,” Sigelman observed.
Cybersecurity jobs have grown three times faster than IT jobs generally in the last five years and that growth doesn’t seem to be letting up, he noted. “This is not a flash-in-the-pan phenomenon, and the level of skill required to get cyberjobs makes this a tough problem to solve.”
No Backing for Backdoors
Three former high-ranking intelligence, homeland security and defense department officials have come out strongly against weakening encryption for the purpose of fighting terrorism and crime.
“We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level, without building in means for government monitoring,” Mike McConnell, Michael Chertoff and William Lynn wrote in an op-ed piece published last week in The Washington Post.
McConnell is a former director of the National Security Agency; Chertoff is a former homeland security secretary; and Lynn is a former deputy secretary of defense.
A “requirement that U.S. technology providers create a duplicate key will not prevent malicious actors from finding other technology providers who will furnish ubiquitous encryption,” they wrote.
“This could lead to a perverse outcome in which law-abiding organizations and individuals lack protected communications but malicious actors have them,” McConnell, Chertoff and Lynn warned.
“Any hole in any technology defense will be exploited by attackers eventually,” said Steve Hultquist, chief evangelist at RedSeal Networks.
“Encryption must be built without a backdoor to be exploited by those who would take advantage of the illusion of security,” he told TechNewsWorld.
If the United States weakens its encryption, it will encourage other nations to follow suit, suggested McConnell, Chertoff and Lynn.
“There will be no principled basis to resist that legal demand,” they wrote. “The result will be to expose business, political and personal communications to a wide spectrum of governmental access regimes with varying degrees of due process.”
The op-ed piece is a sign of the times, observed Eric Chiu, president and founder of HyTrust.
“Data breaches are happening more often, and the attacks are getting bigger. Data is the new currency, and attackers are going after our most sensitive personal information and government secrets,” he told TechNewsWorld. “Encryption is a key safeguard to ensure that our data stays safe and doesn’t get into the wrong hands.”
Breach Diary
- July 27. Patient data of 1,006 valve-replacement candidates and research subjects at OhioHealth Riverside Methodist Hospital is at risk due to loss of unencrypted flash drive discovered missing on May 29, The Columbus Dispatch reports.
- July 27. U.S. Rep. Eleanor Holmes Norton, D-D.C., introduces bill in Congress to provide people affected by Office of Personnel Management data breach lifetime identity theft protection.
- July 27. Sens. Tom Carper, D-Del., and Ron Johnson, R-Wis., introduce bill that grants federal agencies clear legal authority in utilizing EINSTEIN, the Homeland Security Department’s continuous diagnostics and monitoring system.
- July 28. Medical information of some 3,000 people in Georgia Department of Human Services Community Care Services Program is at risk by the unintentional disclosure of the data in an email to a contractor, DHS reports.
- July 28. McLean Hospital in Massachusetts begins notifying some 12,600 people that their healthcare data is at risk from the loss of four unencrypted backup tapes discovered missing on May 29.
- July 29. The same group of hackers who breached the systems of the U.S. Office of Personnel Management and medical service provider Anthem also compromised the systems of United Airlines, Bloomberg reports. The carrier denies its systems have been penetrated.
- July 29. The customer order database at the Hanes website was breached by an intruder in June, and information on about 900,000 customers is at risk, HanesBrands reveals.
- July 29. Since the data breach at the U.S. Office of Personal Management, federal civilian agencies have increased their use of strong authentication for privileged and unprivileged users from 42 percent to 72 percent, White House CIO Tony Scott reports.
- July 29. Indiana resident James Young files federal lawsuit against Medical Information Engineering resulting from data breach at the medical services provider. An estimated 1.5 million Hoosiers are affected by the intrusion.
- July 30. Bugcrowd releases its first State of Bug Bounties report, revealing that over a 30-month period, it identified 926 high priority vulnerabilities in 193 programs, and paid 3,626 bug fighters an average of $199.67, with a top reward of $10,000.
- July 31. A data breach affected the point of sale systems of the Salita’s Mexican Restaurant chain, the company confirms, and it advises customers who ate at the eateries from July 1-27 to check their payment card accounts for fraudulent charges.
- July 31. The University of Connecticut school of engineering was the target of a cyberintrusion traced to China, it reports. The breach was discovered on March 9 but could have originated on Sept. 24, 2013. There is no evidence that any data was removed from the school’s servers.
Upcoming Security Events
- Aug. 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
- Aug. 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
- Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
- Sept. 12-21. SANS Network Security 2015. Caesars Palace, Las Vegas, Nevada. Long Courses: $3,145-$6,295. Short Courses: $1,150-$2,100.
- Sept. 16. ISMG Data Breach Prevention and Response Summit. The Westin San Francisco Airport, 1 Old Bayshore Highway, Millbrae, California. Registration: $695.
- Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Sept. 18. B-Sides Cape Breton. The Verschuren Centre, Cape Breton University, Sydney, Nova Scotia, Canada. Free.
- Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.
- Oct. 2-3. B-Sides Ottawa. RA Centre, 2451 Riverside Dr., Ottawa, Canada. Free with registration.
- Oct. 6. SecureWorld Cincinnati. Sharonville Convention Center, 11355 Chester Rd., Sharonville, Ohio. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Oct. 9-11. B-Sides Warsaw. Pastwomiasto, Anders 29, Warsaw, Poland. Free with registration.
- Oct. 12-14. FireEye Cyber Defense Summit. Washington Hilton, 1919 Connecticut Ave. NW, Washington, D.C. Registration: before Sept. 19, $1,125; after Sept. 18, $1,500.
- Oct. 15. SecureWorld Denver. The Cable Center, 2000 Buchtel Blvd., Denver, Colorado. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Oct. 19-21. CSX Cybersecurity Nexus Conference. Marriott Wardman Park, 2660 Woodley Rd. NW, Washington, D.C. Registration: before August 26, $1395 (member), $1595 (non-member); before Oct. 14, $1595 (member), $1795 (non-member); after Oct. 14, $1795 (member), $1995 (non-member).
- Oct. 28-29. SecureWorld Dallas. Plano Centre, 2000 East Spring Creek Parkway, Plano, Texas. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Nov. 4. Bay Area SecureWorld. San Jose Marriott, 301 South Market St., San Jose, California. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
- Nov. 11-12. Seattle SecureWorld. Meydenbauer Center, 11100 NE 6th St., Bellevue, Washington. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.