This is a five-part series about getting and keeping a job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.
The series consists of the following articles:
Abundance of Opportunity – Introduction
First, a little background.
1992. That was the year I started my career in information security. We didn’t really call it information security back then, but it’s (mostly) what it was. There didn’t seem to be much specialization then. Most of us just did what had to be done to keep the business running. Certifications weren’t very popular yet, and there wasn’t a call for security-certified personnel. The first Microsoft Certified Systems Engineers (MCSEs) were named in 1993, and so were the first Certified Information Systems Security Professionals (CISSPs). The information security industry was just starting to become a mainstream thing.
Today the information security industry is still young and relatively immature. This is especially true when we compare it with other service-related industries. For instance, the American Institute of Certified Public Accountants (AICPA) traces its roots back to 1887, and the American Bar Association was founded in 1878.
The information security industry is also complex. With each passing day, the industry seems to grow in its complexity, which is sad because I’m a firm believer that complexity is the enemy of security. The complexity leads to confusion. In fact, confusion reigns. It reigns despite the fact that some among us are too proud to admit it. The confusion creates chaos, and out of the chaos comes opportunity. Opportunities for investors, security product peddlers, consulting companies, and many others.
One opportunity in particular, and the one that we’re most interested in here, is the abundance of well-paying jobs. Like, lots of jobs.
Information security professionals, people like me, are in very high demand. Jobs are everywhere (for certain disciplines), the money is good, and future employment prospects are sky-high. A very frequent question that I get is, “How can I get an information security job?” I could just tell you what I think, but I would be remiss if I didn’t put things into context for you.
Before you start enrolling in classes, updating your resume, and applying for jobs, you should know more about what you could be getting yourself into. One central theme throughout this series is to slow down. Don’t rush things.
Abundance of Opportunity.
When some people hear the word “opportunity”, they rush head on. They’ll rush without even knowing what the opportunity is. If you’re considering a new career in information security, or a career change, you should know more about the opportunities. If I were you, I’d be asking a few questions first.
How much opportunity is there?
Do some research! Wait a second. Did you want me to do this for you?!
Fine. Here’s what I’ve found.
There’s a general consensus that the information security industry is very talent poor, meaning that we’re hurting for more information security professionals. There are thousands of information security positions open right now. In fact, Cyber Seek estimates that there are 315,735 open positions in the United States alone. Here are some additional details about our talent shortage:
- The information security unemployment rate is 0% and has been since 2011. – This bodes well for job seekers, a little less well for employers.
- There are predicted to be 3.5 million open information security positions by the year 2021. – Great job security.
- The information security profession is growing at a rate of 36.5 percent through 2022 (Source: U.S. News and World Report)
Seems like there are plenty of job openings, so that shouldn’t be a problem. Basic supply and demand would indicate that the pay must be pretty good then. It is.
- A Chief Information Security Officer (CISO)* is the second-highest paying tech-related job (Lead Software Security Engineer is first).
- The salary range for a typical CISO is between $175,000 and $275,000.
- Large organizations, in regulated industries, located in big cities generally pay the most for a CISO, as much as $380,000 to $420,000 annually.
*NOTE: The CISO position is the top of the corporate ladder for information security professionals. Two things to think about. First, you may choose a path of specialization in our industry and never become a CISO. This is not necessarily a career-limiting decision. There are non-CISOs that I know personally who have a tremendous impact and make more salary than the range cited above. Second, it takes a while (or should) to become a CISO. If you’re newly employed in this industry, it may take you more than 10 years to earn such a role. Keyword is “earn”. Please don’t take a role that you haven’t earned. Doing so hurts your career, your employer, and the rest of us in this industry. Wishful thinking…
Here’s another thing that I’ve learned about jobs in our industry: job titles matter. Not only do titles matter, there are a ton of them to choose from. In 2015, Lenny Zeltser identified 822 variations of information security job titles. This is probably a function of the industry’s immaturity and complexity. The job title you target or obtain will likely matter though. According to Nate Swanner at Dice.com, “If you want a decent cyber security salary, presenting yourself as an ‘engineer’ is your best bet: It’s a title that tends to pay on the higher end of the tech pro salary spectrum.”
If salary is your thing, there’s another factor to consider. Location. Some metro areas have a higher demand for security talent and some metro areas have a higher cost of living. Two important factors to consider. The metro areas with the highest paying information security jobs are Charlotte, North Carolina, Chicago, Illinois, and San Francisco, California.
The graphic below is taken from the Cyber Seek website, and it shows the talent demand on a state-by-state basis.
To summarize, there are opportunities just about everywhere. More experience will mean more pay. Physical location and job titles should be taken into consideration too because certain locations and certain titles might mean more opportunity and/or salary.
If you have no experience, you might not have much choice in job title, location or pay. You will probably have to take what you can get. The information that I’ve presented to you thus far should be considered as you decide what path you’ll take in your information security career journey. It’s exciting to be someone who’s just starting out because you’ll have so many options along the way!
What’s the starting salary, and can I afford it?
This will depend on some additional factors such as how much (if any) experience you have, your education level, the type of organization that you choose to work for, and the industry your potential employer operates within. In general, the entry-level salary range is $38,000 – $68,000 for someone with no experience and without a degree. That’s a wide range because there is a wide range of different opportunities available.
The entry-level salary range for someone who has a few security skills (but not much) and a bachelor’s degree is $49,214 – $92,285, with a median of $65,338. Again, this is a wide range for the same reason that I cited previously. If you have more experience and/or education, you might expect more salary.
Now that you know more about the abundance of opportunity, we’ll get honest with ourselves and see if you’re the right person for the job. We’ll tackle this in the next article. Coming soon!