Exabeam has published its 2018 Cyber Security Professionals Salary and Job Report (registration required). While the survey pool was small at just 481 respondents, the results are interesting nonetheless.
Given the shortage of staff in this area, this 45-page report will interest HR and Talent Recruitment teams alike. As it also covers trends such as future technologies, it will appeal to those who are looking to enter cyber security or are already employed in the field.
Some of the findings in this report will surprise nobody. For example:
- There is a lack of diversity
- The US pays more than other regions
- Despite high salaries, the majority feel they are worth more
- The majority would recommend cyber security as a career
- New technologies such as AI are beginning to be adopted
- The industry is still wedded to the need for a degree
Cyber Security salaries vary widely
The difference between regions when it comes to salaries is marked. The report found that salaries in the US are 50-100% greater than in Europe or Asia Pacific. Because the cost of living is lower in the US than in Europe in particular, the real salary gap is even higher. With the majority of workers holding a degree and cyber security a key job market, there is ample opportunity for European workers to head to the US. If that happens, the shortage of cyber security staff in Europe will become critical.
Not surprisingly, the size of company influences salary. For those with fewer than 100 employees, salaries range between $50,000-75,000. In larger companies the average is $75,000-100,000. This is nothing new and will only lead to smaller companies reducing the money spent on training staff, because they will worry that staff will take the training and leave. There is a need for larger organisations to do more when it comes to investing in increasing the talent pool rather than just taking from smaller companies.
More than 30% of respondents reported salaries in excess of $100,000 with a small number exceeding $200,000. However, it was not possible to access the underlying data to see if this was related to specific job roles such as the CISO at a large multinational organisation.
When it comes to industries, retail has a higher salary range (up to $125,000) than others. Worryingly, given recent attacks and warnings from governments, critical national infrastructure pays the least. Manufacturing, energy, telecommunications and tech were among the worst payers.
As interest in autonomous vehicles grows, automotive was the only industry to achieve a 100% rating of salary satisfaction. Airlines and Aerospace was worst (22%).
Job role influences salary
As expected, job role influences the size of salary package. The role of Chief Security Inspector pays up to $200,000 and achieves a 100% job satisfaction. The only other job to pay that much was security consultant. The latter is unsurprising given the demand in the industry. However, there was deep dissatisfaction among security consultants, with the majority believing they were underpaid.
Security analysts and security administrators both start at around $50,000. Security analysts believe that they are underpaid. However, security administrators were very happy with their salary.
The dissatisfaction of both security consultants and security analysts is likely to be tied to industry shortages. Both groups know that there are substantially more jobs than people to fill them. This means that the dissatisfaction rates will change over time as skills shortages ease.
A distinct lack of diversity
Cyber security is still one of the least diverse industries around. Too many cyber security teams are predominantly white, middle-class males. Despite attempts to attract more women, the industry is still struggling to make itself attractive. Part of the problem is that it is seen as being too geeky and about code. This is wrong. One of the key skills for a good cyber security researcher is problem solving and that is not just about understanding computer code.
The UK has seen growth in cyber security challenges targeting girls at school and young women in college and university. It is beginning to show promise in younger age groups but the industry seems to become unattractive to 16-20-year-old women. There is a need to look at this and understand why.
Skills diversity is also a problem. Soft skills are essential to understanding how attacks are successful. Attackers are becoming masters of social media. This means that there is an opportunity to appeal to graduates in psychology.
The survey didn’t touch on other areas such as neurodiversity and it will be interesting to see if it adds that into next year's survey.
One area that is just being looked at by cyber security vendors is socio-economic diversity. There is a generation that has grown up with access to technology. Cyber criminals are just as likely to be under 18 as they are to be 30+. In deprived areas, many of these potential recruits fall out of the school system and are often rejected by HR departments.
The survey delivered mixed messages here. On one hand it reported that those with no or little education were satisfied with their salaries. But those who had graduated from high school were often disappointed with what they received. It also showed that very few of the respondents admitted to a low or limited educational background. This is another area that should be looked at more in the next survey.
The impact of new technology on cyber security
Many cyber security vendors are looking at artificial intelligence (AI) and machine learning (ML) solutions. The report shows that:
- Nearly half (46.4%) of respondents reported that they are not currently using artificial intelligence (AI) or machine learning in their jobs, but they are planning to utilise them in the future.
- Approximately 32% of respondents reported currently utilising AI and machine learning, while 21% of respondents reported not having any plans to use machine learning or AI in the future
- Nearly 75% of respondents agreed that machine learning and AI can make their job better or easier
One of the challenges for many cyber security analysts is dealing with the vast amount of information they get on a daily basis. This is where the current generation of AI and ML tools is being deployed. They are being used in two ways:
- To refine the threat data to allow security analysts to more effectively identify a threat.
- To provide automated responses to common attacks
The second point is something that most new entrants into the cyber security market claim to do. Much of the work is based on heuristics. However, the depth and breadth of the AI and ML knowledge is limited. New entrants into the market can struggle to get access to a wide enough pool of threat intelligence data in order to train their systems. As a result, they tend to produce more false positives and to misidentify some types of attacks.
The introduction of AI and ML solutions is not seen as a threat to job security by over 75% of respondents.
What does this mean?
What makes this report interesting is the depth that it appears to have gone into. It would have been useful to see the raw data to understand how many respondents answered all or even the majority of the questions.
There are contradictions in the report, especially where it deals with diversity, salaries and education. At the same time it also reinforces the view that change in these areas, despite the efforts of some groups, is glacially slow. There is a need for more to be done to drive a more effective diversity agenda. At the moment, most cyber security vendors will admit they struggle to get women applicants for their SOCs.
One of the big risks to a lot of non-US companies is matching the salaries that US-based companies are paying. This is not just about the base salary but the difference in the cost of living.
With the current skills shortages predicted to last for much of the next decade, cyber security is a lucrative career.