Exploring the Information Security Talent Pool
August 4, 2015
The field of information security continues to grow and diversify as the impact of Internet and computer security expands to every corner of our lives. We took a deep dive into the talent pool of information security professionals on LinkedIn to determine what insights we could glean on the changes in our industry over the last few years.
We presented the first iteration of this research at the Black Hat CISO Summit on Tuesday, August 4 in Las Vegas. The full set of slides from this presentation is embedded at the bottom of this post, and we’d like to share some of the highlights here. In the future, we’ll revisit these numbers and see how the trends continue.
LinkedIn data identified over 189,000 professionals in active information security positions worldwide as of June 2015. Titles on LinkedIn are self-reported with a mix of general positions like “Information Security” and specialties like “Firewall Engineer” and “Penetration Tester.”
Almost half of the 189,000 professionals we analyzed are in the United States (47%). India and the United Kingdom each had ~7% each. In total, ten countries have 76% of the talent pool of information security professionals - it appears that many countries are lacking a significant concentration of information security talent within their borders.
LinkedIn data is naturally biased towards locations where we have a large member base. However, trends are similar even when accounting for these biases by examining the proportion of a country’s professionals that are infosec. In an increasingly digital world, countries lacking security talent risk damaging both the economic opportunity and data privacy of their citizens.
Demand for security professionals is significant in many countries and regions as measured by LinkedIn job postings. In the United States, there were 4 actively employed information security professionals for every 3 new jobs posted in 2014. Unless 3 of those 4 people are going to jump ship every year, we are in an unsustainable situation where we need to find and develop more talent.
Many other countries, including Canada, China, Australia, New Zealand, UK, Ireland, Hong Kong, India, and Singapore, have similarly high demand. In the San Francisco Bay Area, there’s one new job posting for each person already working in infosec, indicating that the workforce would have to double to meet current demand. Other major metropolitan areas in the United States and Canada are also experiencing significant demand. A list is provided in the slides below.
It’s not surprising that talent will migrate to regions with high demand; we saw significant infosec growth in Texas, Florida, Portland, Charlotte, Denver, Phoenix, and the Bay Area from June 2013 to June 2015. Many other regions in the United States are stagnating or losing staff. This is an opportunity for savvy hiring teams to reclaim talent in their home region. Several major infosec regions are outlined in the map below. Those in green have gained talent, red have lost talent, with the circle size representing the number of infosec professionals in that region. To be a true measure of talent movements, this data only considers members who have been part of the information security labor force over the entire period.
When it comes to company size, we saw significant movement from large 5000+ person corporations to small, more dynamic companies. This talent migration is especially notable when you consider the scale of these large firms. The change is also reflected in shifting roles, with 10.6% more Chief Information Security Officers and 6.3% more infosec managers since 2013. Like professionals in other functions, infosec talent is migrating to nimble companies that give them more ownership and provide new challenges.
New Entrants to the InfoSec Field
We analyzed how professionals entered the information security field, starting by identifying approximately 22,000 LinkedIn members who had information security concentrations in their field of study. Of that group, 21% went on to information security positions. 19% became consultants, likely in the information security space. Others went into development, quality assurance, information technology, and operations in significant numbers. Having talent that understands information security working in other fields can be seen as a win for the ecosystem as a whole - companies from all industries are recognizing the value of infosec training. However, with less than half of those who complete an information security program entering information security directly, it is clear that education alone will not solve the security talent shortage.
The good news is that an increasing percentage of entrants into the information security talent pool are coming from technical backgrounds. In 2000, about 26% of hires into the field came from engineering, development, analyst, or system/network administration roles. Today it has doubled to 48%. If you add roles such as help desk, quality assurance, and other technical operations positions, the percentage is closer to 55%. It’s imperative that the vast majority of information security teams have strong technical backgrounds to properly represent this discipline when interfacing with teams internally and counterparts on the other side of the table. A technical background empowers an infosec leader to understand the impact of recommendations, suggest innovative solutions, and relate with their team in the field.
We also explored tenure for information security professionals. The average tenure is roughly 3 years, with the tenure for management positions consistently above that average and entry level roles consistently below. The industry where an information security professional works also has an impact on tenure. Banking and financial services were right at the average, industries focused on technology were below, and other non-technology industries were generally above the average - it’s possible this could be due to more established lanes of control and governance in banking and other non-technical fields.
These findings line up well with conventional industry wisdom. Information security roles in today’s technology companies can be dynamic, fast-paced, and uniquely challenging, but present big opportunities for career growth for those who succeed. On the other hand, established controls and regulations in financial services and other non-tech fields can result in a more stable role.
Our research also explored the Chief Information Security Officer (CISO) position - the de facto head of an organization’s information security program. These are the ultimate decision makers when it comes to a company’s security needs. Approximately half of CISOs come from a technical background and have an average of 13 years of work experience. The average tenure for CISOs is almost 4 years, and the industry tenure trends mirror those of information security staff as a whole. As mentioned above, the CISO position is rapidly expanding, particularly at smaller companies. We expect the role to be an increasingly important part of the security landscape moving forward.
In closing, we found information security to be an exciting and quickly changing field. We hope that sharing our facts and observations will help professionals make more informed career decisions as they navigate the information security landscape. Similarly, we believe that companies can use this data to determine how to best develop and identify talent, both within and outside their organization.