Angela Gunn is fried. With three cases going and a fourth just getting started, this is one of those frantic periods when it feels as if she works in an ER or at a fire station rather than holding a staff position with a computer security firm.
It’s people like Gunn that organizations large and small call if they’ve had a data breach or suspect they have. People in the industry — cybersecurity, if you’d like, though Gunn’s preference is information security, or “info-sec” for short — call this “incident response.” To my mind, though, they’re the online world’s firefighters: those who rush to put out the flames and then assess the damage.
As an incident response consultant for British security firm BAE Systems, Gunn is in charge of assembling a small crew for each case. Typically, that includes an analyst who can pore over computer logs, a malware specialist, and those she dubs “forensic workers, except without the formaldehyde smell and ripped-open chest cavities.” That is, if she can find any live bodies to do the work.
“Right now, I’d sell a right toe for a forensics guy,” Gunn says. “Like a lot of people in info-sec right now, we’re agonizingly understaffed.”
A 2015 report by job analytics firm Burning Glass Technologies found that postings for cybersecurity had grown more than three times faster than other information technology (IT) positions and roughly 12 times faster than all other jobs. The firm also reported that those working in cybersecurity on average earn nearly 10% more than others in IT.
There’s good reason behind the growth: Cybercrime caused an estimated $3 trillion in damages in 2015, according to research firm Cybersecurity Ventures. The company expects that figure to double to $6 trillion by 2021. Corporations face a “defender’s dilemma,” which Dave Weinstein, a security manager inside Google, summed up this way: “The defender has to be strong everywhere, every day. The attacker only has to win once.” For each set of bad guys, the defense side needs veritable armies, beefing up armaments and rushing to the rescue at the first sign of an attack.
“If someone has six months to a year of work and when they came in for an interview, they didn’t pee on the rug, they’re going to make in the neighborhood of $85,000.”
The march of technology, in other words, has created a huge demand for ethical hackers, or “white hats”: people skilled at using computers who can protect our systems and battle those with bad intentions. By now, any university offering a computer science degree invariably offers classes in security. The more forward-looking among them have created a dedicated computer security department and offer a bachelor’s degree in cybersecurity. Still, businesses are having a hard time finding people to work computer security.
At the end of 2018, for instance, there were more than 26,000 openings for cybersecurity analysts (average pay: $85,000 a year), according to CyberSeek, which is part of a program nested under the U.S. Department of Commerce. “If someone has six months to a year of work and when they came in for an interview, they didn’t pee on the rug, they’re going to make in the neighborhood of $85,000,” Angela Gunn says. “If they have a special skill — if they have experience doing database scanning or maybe they worked as a programmer before moving to security — then they’re going up to 110, 120, 125.” For those with five or more years of experience, she said, the salaries start at $150,000. “There was never a cybersecurity job that I took where I was like, ‘Man, I wish I could make more money,’” said Billy Rios, who worked for Microsoft and then Google before venturing off on his own.
How crazy is the demand for quality people in info-sec? A security reporter I know was wearing a free T-shirt he had picked up at an industry event while waiting for a table at a San Francisco restaurant. A stranger struck up a conversation: “My company is hiring security people. You have a résumé?” The on-the-spot recruiter worked for Square, a publicly traded mobile payments company worth in the tens of billions.
All told, according to CyberSeek, just over 700,000 people were working cybersecurity for U.S.-based businesses and other organizations in 2018, not including 300,000-plus unfilled positions. The data point in 2017 that had people inside the cybersecurity world buzzing was a prediction by Cybersecurity Ventures that by 2021, there will be roughly 3.5 million unfilled cybersecurity jobs across the globe.
“It’s a cool job,” security entrepreneur Allison Wong tells young women exploring options for their tech careers. “If you stay in it for four years and show you’re good, you’ll make in the six figures. And not just the low six figures.” Plus, one more advantage, she tells them: “It’s not a job you can get bored at. If you get bored, you’re doing something wrong.”