CYBER SECURITY TALENT SHORTAGE & INDUSTRY DYNAMICS WHITE PAPER
January 2017
THE PROBLEM

PERSONNEL SHORTAGE

The demand for skilled cyber security talent is outstripping supply. In 2014, there were 238,158 unfilled cyber security jobs in the United States. Cyber security job postings grew 91% from 2010 to 2014, a growth rate 3.3x that of all other IT jobs. Cyber security jobs also take 24% longer to fill than all IT jobs and 36% longer than all jobs.

Growth in Job Postings (2010-2014)
  Cyber Security: 91%
  All IT: 28%

Job Posting Duration (2013)
  Cyber Security: 45 days
  All IT: 36 days
  All Jobs: 33 days

Sources: Burning Glass Job Market Intelligence: Cyber Security Jobs, 2015; Burning Glass Job Market Intelligence: Report on Growth of Cyber Security Jobs, 2014.

The supply of skilled security professionals is limited and is expected to worsen over the next five years. The demand for cyber security professionals is expected to reach 6 million (globally) by 2019, with a projected shortfall of 1.5 million. This imbalance will drive higher demand for cloud security, Managed Security Service Provider ("MSSP") services, Security Information and Event Management ("SIEM") solutions, and integrated security adoption, as organizations look for ways to manage their network security infrastructure more efficiently, either by offloading these responsibilities to third-party MSSPs or by managing their security tools more efficiently. Evolve is focused on training and staffing individuals within these service lines to meet the imminent demand.

Demand-Meeting Projections for Security Professionals (U.S. or Global), in thousands
  Year   Supply-Constrained Projection   Skilled Labor Shortfall   Demand
  2014   3,400                           168                       3,568
  2015   3,593                           379                       3,972
  2016   3,796                           620                       4,416
  2017   4,007                           901                       4,908
  2018   4,227                           1,197                     5,424
  2019   4,456                           1,507                     5,963
Source: Bank of America Merrill Lynch Cyber Security Primer (January 8, 2016); Information Security Workforce Study 2015.
UNSUSTAINABLE INCREASE IN SALARIES

In 2014, employers posted 49,493 jobs requesting a CISSP certification, while there are only 65,362 CISSP holders nationwide, practically all of whom are already employed. This illustrates that employers have been forced to poach talent from other companies in order to satisfy their labor needs. To lure talent away from other organizations, exorbitant salaries must be offered. The average salary for information security analysts is $92k, which is 9% higher than the average for all IT jobs.

Average U.S. Salaries in Information Technology (2014)
  Help Desk Support: $54,961
  Web Developers: $68,670
  Network Administrator: $79,770
  Computer Programmers: $82,690
  Information Security Analyst: $91,600
  All IT: $83,839
(The select IT occupations shown are feeders into cyber security.)
Source: U.S. Bureau of Labor Statistics (May 2014) for Computer Occupations (15-11000).

INCREASED THREATS TO SMALL AND MEDIUM BUSINESSES

Sixty-two percent (62%) of known security breaches were targeted at small to medium sized companies, and 60% of those affected will go out of business within 6 months, according to the 2013 Verizon Cyber Crime Survey. The largest misconception among Small and Medium Businesses ("SMBs") is that they are not at risk. Cyber Streetwise reported that 66% of SMBs simply didn't believe they were at risk from a cyber-attack. The National Cyber Security Alliance has found shocking statistics showing a careless attitude towards security: 45% of smaller companies provide no internet safety training to employees, even though 69% handle sensitive information. IPSOS research found that 69% of the 6.5 million small companies in the U.S. are unaware of the risk and cost of data loss through cyber-attacks. The average cost of a security breach at an SMB is around $47,000, according to Kaspersky, an anti-virus software manufacturer, and Statistica shows that cybercrime cost SMBs over $781 million in the U.S. in 2013.
INDUSTRY DYNAMICS

GROWTH IN INFORMATION SECURITY

Enterprise security spending growth is expected to outpace total IT spending growth by more than 2x as the threat landscape continues to evolve and expand. An annual study performed by Verizon shows that since 2013, the numbers of security incidents and data breaches have increased 70% and 242%, respectively.

Security Incidents (2013-2015)
  2013: 47,000
  2014: 63,437
  2015: 79,790

Data Breaches (2013-2015)
  2013: 621
  2014: 1,367
  2015: 2,122

Source: Verizon Data Breach Investigation Reports.
Note: A security incident is defined as any event that compromises the confidentiality, integrity, or availability of an information asset. A data breach is defined as an incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party.

According to a study conducted by FireEye, a forensics and malware protection security company, 90% of companies have been breached, and the average breach goes undetected for 205 days. Once attackers pierce the perimeter, they have free rein to compromise sensitive data, especially since internal networking equipment (i.e. switches and routers) is generally not secured. Global spending on enterprise information security in 2015 was estimated at $79 billion and is expected to reach $110 billion by 2019. The surge in spending in 2014 and 2015 has been mostly reactionary, driven by the higher frequency of notorious, sophisticated attacks. Organizations will prioritize security budgets on solutions that offer tools and services that improve manageability, such as SIEM and MSSP. Longer-term spending will then focus on solutions that provide detection and prevention using advanced threat intelligence. Each of these focus areas will require sophisticated cyber security professionals to manage the security programs, solutions, and technologies, which is where Evolve is focused.
Enterprise Information Security Spending ($ in billions)
  2013: $62
  2014: $68
  2015E: $79
  2016E: $86
  2017E: $93
  2018E: $101
  2019E: $110
Source: Gartner; Bank of America Merrill Lynch Cyber Security Primer (January 8, 2016); Information Security Workforce Study 2015.
CURRENT TRAINING MODEL IS BROKEN

The most severe challenge to the information security profession relates to the education versus experience conundrum. Many companies hiring in the cyber security industry today prefer to hire based on experience and are not concerned with what degree or certification a candidate has. James Arlen, a Senior Consultant at Leviathan Security Group, adamantly believes that the industry needs to stop equating education with experience. Arlen stated that "it is too hard for the average organization to hire actual qualified people; degrees, certifications and fudged resumes do not magically create qualified people." It is experience with attacks, and perhaps even unsavory hacking hobbies, that can make the difference between filling a job with a talented defender or with a salesman who has a pedigree but no grasp of the devil-in-the-details meat of cyber security.

TRADITIONAL EDUCATION (COLLEGES AND UNIVERSITIES)

Traditional schools are not equipping their graduates with the tools necessary to secure these high-paying cyber security jobs. Traditional college and university curricula focus on theory and design rather than providing real-life, hands-on project experience. College courses are also very expensive and take a long time to complete. One year in an information security or computer science program at a college costs 2x-3x more than an immersive bootcamp program and takes 2x longer to complete. Many individuals are willing and capable of entering the industry but do not have the luxury of going back to college for a 4-year bachelor's program or even a 2-year master's program. Evolve provides an intense, fully immersive alternative for acquiring the skills necessary to enter the cyber security industry in a timely fashion.
Cost Comparison
  Evolve: $10,000
  UIC*: $17,216
  DeVry*: $18,990
  DePaul*: $37,820

Time Comparison
  Evolve: 17 weeks
  College (1-year): 36 weeks

* Equivalent to one-year tuition in an IT-related program (15 credit hours per semester).
Note: Evolve's 17 weeks includes 4 weeks of remote and 13 weeks of in-person instruction.

CERTIFICATIONS

Currently, the most popular form of training in the cyber security industry involves obtaining various kinds of certifications (e.g. CISSP, CISA, CEH, CISM). Historically, certifications have been the industry standard for determining qualifications, but this perspective has shifted in recent years as employers have realized that certifications alone do not guarantee quality talent. The chart below shows that employers are not valuing the possession of certifications as much as they may have in the past. Individuals without a certification are at times earning more in the form of bonuses than their certified counterparts, showing that employers place more value on work performance than on certifications.
10-Year Change in Premium Pay for Certified vs. Non-Certified Individuals
[Chart: premium pay as % of base pay, 6.0% to 9.0%; series: Certified (357 IT certifications) and Non-Certified (392 non-certified IT skills).]
Source: Foote Partners, LLC, February 26, 2015 News Release.

The leading criticism of certifications is the lack of experience that comes with obtaining one. Certification training focuses on teaching to the test and on specific areas or technologies, and fails to provide the applicable project experience needed to deliver a well-rounded cyber security education. Amongst employers, Certified Information Systems Security Professional ("CISSP") certification holders are in the highest demand, mostly because the CISSP also requires five years of industry experience. Even though employers are requesting 49,493 CISSP certification holders, there are only 65,362 CISSP holders in the country, most of whom are already employed.

Certification Job Postings vs. Holders (2014)
  Certification   Postings   Holders
  CISSP           49,493     65,362
  CISA            34,167     33,640
  CISM            15,831     10,730
  GIAC GSEC       11,750     5,882
  SSCP            5,436      1,413
  CIPP            3,942      4,920
  GIAC GCIH       8,400      3,733
  GIAC GCIA       2,202      3,600
Source: Burning Glass Job Market Intelligence: Cyber Security Jobs, 2015.

Various forms of training for security certifications are also very expensive. The SANS Institute ("SANS") is the leader in security certification training and offers courses lasting 2-6 days that cost ~$850 per day. For example, SANS training for the CISSP exam lasts 6 days and costs $5,000 (not including travel, lodging, or the cost of the exam). This training is 3.4x more expensive than Evolve and provides no hands-on experience, real-world project experience, or job placement services. SANS has been able to charge premium rates because it has been the only cyber security training company in the industry to date.
Cost Comparison
  Evolve: $10,000
  SANS Institute*: $34,000
* Equivalent of $850 a day for 8 weeks of training.
BOOTCAMPS ARE THE SOLUTION

For the past 5-10 years, the technology industry has experienced an alarming labor shortage of programmers and developers. According to a U.S. jobs report from the Bureau of Labor Statistics, the U.S. added an estimated 136,620 jobs per year from 2010 to 2012 while graduating about 40,000 computer science degrees each year, creating a gap of roughly 100,000 jobs a year. Currently there are 607,708 open computing jobs nationwide, and still only 42,969 computer science students graduating each year. This gap is expected to continue to widen as the nation unrealistically attempts to solve the problem by filling the traditional pipeline, urging people to pursue computer science degrees. Various types of coding bootcamps emerged several years ago and have shown success in helping fill open computing jobs and close the labor shortfall. In 2015, there were 16,056 graduates from 67 of the larger bootcamps in the country; 89% of these graduates were placed in a job within 120 days and saw an average 38%, or $18,000, increase in salary.

Graduates of Coding Bootcamps vs. Computer Science Graduates
  Bootcamp graduates, 2013: 2,098
  Bootcamp graduates, 2014: 5,987
  Bootcamp graduates, 2015: 16,056
  Est. computer science graduates per year: ~45,000
Source: Course Report 2015 Coding Bootcamp Market Size Study.

As the success of the current coding bootcamps shows, practical, hands-on training has proven effective in the marketplace. Employers are becoming much more focused on hiring individuals who have applicable experience and demonstrate competency in their craft, rather than relying on degrees and certifications alone as proof of ability.