In a very short period, we’ve gone from a shortage of 200,000 cybersecurity workers to a shortage of 3.5 million. You can find these statistics about the cybersecurity workforce shortage anywhere online, so I didn’t post any links here. It seems everyone thinks something a little bit different about the cybersecurity workforce. We need to standardize the language of cybersecurity, and a good place to start is with job titles.
There don’t seem to be any real facts to support the number of cybersecurity workers we will need. We don’t really know what the digital workforce of the future will look like or what skills will be required. It’s reasonable to state that jobs in emerging and exponential technologies, including cybersecurity, have a bright future. But the rest of the “workforce” message seems to be that everyone will have a cybersecurity job making $80,000+ per year as soon as they complete a six-month boot camp.
We’ve taken a deep dive into one of the most talked about positions in the industry and tried to provide some clarity and facts.
To date, the Department of Labor has not defined a specific Standard Occupation Code (SOC) for this job title. A search for “cybersecurity” at O*Net online returns 20 occupations, but no exact matches. The closest match, based on a review of the skill sets from both job descriptions, is Information Security Analyst. This job title is also used in all branches of the Military (MOC).
We also did a search at O*Net online based on Cyberseek’s TOP SKILLS REQUESTED for a Cybersecurity Analyst:
- Information Security
- Information Systems
- Network Security
- Security Operations
- Vulnerability assessment
- Threat Analysis
- Intrusion detection
Of the 20 occupation titles returned, only three contained any of the TOP SKILLS REQUESTED defined by Cyberseek:
- Computer Network Support Specialists: information security, security operations, vulnerability assessment, Linux, threat analysis, network security
- Computer and Information Systems Managers: intrusion detection, cryptography
- Computer Systems Analysts: intrusion detection
While these job titles/descriptions contain elements of the Cybersecurity Analyst job description from Cyberseek, the “best” match still seems to be Information Security Analyst.
We then went to Indeed.com and did a search for “Cybersecurity Analyst” with the following parameters:
- >$80,000/yr. (Cyberseek lists this job with an average salary of $85,000/yr.)
- mid-level (matches Cyberseek)
- posted in the last 15 days
- excluded postings from staffing agencies
40 job postings were returned. Only one of those job postings was an exact match; the remainder contained some word variation. We compiled and classified all the skills into the following main categories (in respective order):
- Critical Thinking
- GRC (Governance, Risk and Compliance)
- Threat detection and response/Forensics
- Wide variety of Industry expertise
- Ability to work independently
We also compiled the educational requirements listed:
- Most of the job postings indicated a preference for at least a bachelor’s degree
- Most of the job postings indicated a minimum of 5 years’ experience (some junior positions indicated 1-3 years’ experience)
- 25% of the postings listed a required certification (mostly advanced) for the position
This is not an empirical data study. We’ve made what we think are reasonable assumptions and conclusions, based on the data presented here. This is intended to be a talking point around the future workforce conversation and some risks/solutions for moving forward.
We all need to speak the same language of cybersecurity:
We should not be creating/modifying/duplicating work processes that are already in place. If the “correct” job title is Information Security Analyst, we should use that title instead of Cybersecurity Analyst. If Cybersecurity Analyst is a more representative, accurate job title, we need to approach the Department of Labor and have the discussion about modifying/updating their classification and respective job title. More employers should be standardizing their job descriptions based on Department of Labor defined position(s) Standard Occupation Codes (SOC). “Making up” job descriptions to get more work out of people is ineffective and inefficient. It disrupts the labor market and creates confusion for everyone.
The job growth projections and estimations at Cyberseek.org for “Cybersecurity Analyst” are significantly different than the job growth projections and estimations at the Department of Labor for “Information Security Analyst”. These inexplicable discrepancies in salaries, job outlook, etc. cause confusion among educational institutions, private employers, government agencies and potential candidates.
Many of the job postings for Cybersecurity/Information Security Analysts indicate that an Active Security Clearance is required. Candidates who hold Active Security Clearances are likely to be members of the military who have recently completed their tours of duty. This is a risk factor for potential candidates and is a concern for job placement post training/certification/education.
Jobs involving cybersecurity, with few exceptions, subject candidates to background checks as part of the security clearance process. Based on the incarceration statistics for minorities, this requirement will have an effect on the ability of governments and private employers to satisfy equitable population demographic parameters (diversity & inclusion). The causal factors for disproportionate inmate populations by race and/or ethnicity are outside the scope of this analysis; however, it is a risk for achieving the goals of an equitable workforce.
There are many two-year degree programs proposing that entry-level candidates with no prior information technology background will, after two years of education, be qualified for advanced cybersecurity positions. Based on the criteria we have identified, advanced cybersecurity positions require complex skills and a wide variety of experience that simply cannot be attained in two years. While there are some candidates with exceptional aptitude who may advance faster than others, we must stop over-promising and under-delivering, both to prospective employers looking to hire candidates and to candidates looking to find new skills and career pathways.
Our world is changing, and our workforce needs to adapt. Too many companies are making the assumption that older workers do not have value in emerging and exponential technologies. Our learning pathways and candidate pools need to be modified for lifelong learning. For a more detailed viewpoint on the digital age workplace, you can read our blog here.
Very few of the skills listed in the job descriptions on Indeed included some of the most common tools of a cybersecurity analyst, like Wireshark or Nmap. “Analysts”, by definition, are not the primary drivers of policy. While networking is certainly a component of cybersecurity, it doesn’t require a specific high-level certification, i.e. Cisco.
Employers seem to be adding “everything and the kitchen sink” to cybersecurity job descriptions, with wild variations in skill parameters. As an industry, and as subject matter experts, we need to help employers understand what they need, then build the workforce that addresses those needs. Clearly, employers should not be the drivers for what the job description should be for the workforce of the 21st century.
Every other career pathway has a clearly defined framework of progressive job skills, certifications and education requirements towards a terminal degree. In our rush to capture revenue, we’ve sidestepped, or attempted to sidestep, best practices and just plain common sense. It’s an easy fix to get back on track. We hope this analysis contributes towards that track.