The demand for cyber security experts is growing at 12 times the rate of the overall job market.
This is making it one of the most highly sought-after fields in the USA, according to a report by Boston-based Burning Glass International. This trend is also being seen across Europe and the rest of the world. Here at CTPartners we have seen the number of such assignments double over the past 12 months.
Corporations across all industries are adjusting their organisational structures to include CISOs in their senior leadership teams. However, there is a limited supply of senior cyber security professionals with the requisite combination of sophisticated information technology expertise and intelligence security backgrounds needed to protect corporate property from cyber threats.
This role requires a unique combination of skill-sets. The CISO must possess both a highly sophisticated understanding of information technology systems and, ideally, formative training in either law enforcement or the intelligence services.
Typically, the CISO will have immediate and direct access to the CEO, the board and senior management when a threat is detected. While working closely with the CIO on day-to-day operational security, cyber security experts also have to be able to take an objective perspective across a broad spectrum of legal, compliance and regulatory issues that can impact both IT operations and the business as a whole.
Although we use the term CISO, job titles in this role can vary; information risk management officer or chief information assurance officer are also used. The exact wording is normally agreed between the candidate and the employer in the contractual negotiations. The title is less important than the depth and breadth of the information access that this individual holds.
Cyber security experts tend to come from an electrical engineering or computer science background, although it is also possible to transition from a government role in security, detection or prevention. When assessing a candidate, their on-the-job performance is as important as their background.
Also, as this is a skills shortage area, we encourage clients to be less concerned about a candidate's formal educational qualifications, to focus instead on what these individuals have achieved professionally, and to be flexible and open-minded about their transferable skills.
One of the core competencies that we look out for is excellent relationship-building skills. Cyber security experts have to be able to communicate effectively with the CIO and CTOs, as well as being able to hold their own with senior management and the board. The ability to 'sell' is also important. Cyber security solutions can be costly and their work requires commitment, so it is important to persuade senior stakeholders that this investment is necessary for the business. They are selling a vulnerability – here's what we need to fix and why.
If you want a successful career in this sector, it's essential to keep up to speed on the latest cyber security issues and technological developments. This is why public/private partnerships and two-way communication are so important, be it roundtable discussions, conferences or more informal information sharing.
The same can be said for the public/private sector revolving door. There are lots of good reasons why there is a public-to-private and private-to-public interface in this sector. As well as providing a framework for the cross-fertilisation of ideas, it ensures access to the latest developments in state-of-the-art technology.
For example, in the US, the NSA is increasingly recruiting from Silicon Valley and investing in start-ups. Max Kelly, who was previously in charge of information privacy and security for Facebook, joined Prism in 2010. In fact, the NSA is one of Silicon Valley's biggest customers for data analytics. Likewise, senior-level cyber security experts often leave the public sector to join either specialist consulting firms or technology security start-ups.
While there are certainly excellent female candidates, we are still four to five years away from parity between genders. More women are entering these types of roles, but they are the younger generation and it will take time for them to rise up the ranks.
Corporate roles are the most highly paid, because large companies are able to pay a premium for these sought-after experts. While salaries will obviously vary depending upon the sector, seniority and size of company, something between £160,000 and upwards of £500,000 would be normal in, say, healthcare or financial services. One thing to note is that this is likely to remain a highly specialist function and there is no sign as yet that it will provide a route into general management.
In terms of talent management, the key question facing corporations as well as governments and the military sector is where to find these individuals.
In the UK, reservists in the British Army are set to become specialists in cyber security thanks to reforms being carried out to transform the Territorial Army.
The government has warned that the number of IT and cyber security professionals in the UK has not increased in line with the growth of the internet. In 2012 it also established a research institute in the science of cyber security and awarded 'Academic Centres of Excellence in Cyber Security Research' status to eight UK universities to boost research and to expand the UK's cyber skills base.
All these efforts will help to ensure an improved talent pipeline moving forward, but for the moment there is a significant cyber security skills gap and for the right person there is a wide range of interesting roles available both locally and internationally.
Pete Metzger is a vice chairman of CTPartners