The state of US security hiring: Jobs, skills, and salaries

It is probably fair to say that times have always been good for information security job candidates. But as American companies emerge from the restrictions of COVID-19 and face a new workplace ‘normal,’ times are especially good for job seekers, with high demand, growing salaries, and lots of work-from-anywhere opportunities.

As to which jobs are in highest demand and where the job opportunities are most plentiful, the answer is pretty much across the board on both counts, says Terrell “TJ” Jackson, cyber security recruiting strategist at ConsultNet and deputy board director at the North Texas Information Systems Security Association (ISSA).

Still, it is clear that the impacts of the COVID-19 pandemic are largely the driving force behind the dramatic increase in the infosec job market.

“The shift to remote work doubled the size of the remote workforce from the pre pandemic figures, and will have lasting implications,” says Peter Tsai, head of technology insights at Spiceworks, a professional network for IT pros based in Austin, TX. “The majority of IT professionals, including security professional, say that remote work makes it harder to secure devices and data, not to mention the issue of people who are connecting to their home networks with their devices. So it has created a lot more work for security professionals with just trying to secure all of these devices. There is a much larger attack surface now.”

“Also, ransomware has been in the headlines for several years, but attacks seem to be escalating. The demanded ransoms are getting bigger and the targets are getting more important. So that’s probably the best advertisement you could have for the need for security professionals,” Tsai says.

Most in-demand security jobs and skills

With the threat landscape growing dramatically, it should come as no surprise that the most in-demand job in information security (based on job postings) continues to be the security analyst position. Not far behind is the vulnerability analyst or penetration tester.

According to Burning Glass Technologies, the tech jobs with the highest percentage of job postings requesting cybersecurity skills in the past 12 months are: 

1. Cybersecurity analyst – 83.5%
2. Cybersecurity manager/Administrator – 80.1%
3. Vulnerability analyst/Penetration tester – 68.5%
4. Cybersecurity engineer – 66.5%
5. Cybersecurity consultant – 42.3%

Almost all of the most in-demand security skills fall into five different skills buckets, according to Tim Herbert, executive vice president, research and market intelligence at CompTIA, a computer industry professional association.

“The first one is what we would consider to be attacks, threats and vulnerabilities—specifically, just understanding the threat landscape,” Herbert says. “The second one is the skill set around architecture and design. These tend to be security architecture and engineering roles that are actually designing the enterprise security system. The number three skills areas is around implementation. Number four is around operations and incident response. The fifth skills category is governance, risk management, and compliance.”

In terms of more advanced skills, what will certainly be needed in the near future are more infosec professionals that are trained in threat analysis, vulnerability assessment, and risk mitigation, says Robert K. Pittman Jr., CIO for the County of San Bernardino, CA.

County of San Bernardino

“My crystal ball is telling me that advanced technical skills specific to architecture (e.g., network, operating systems, and applications) will be mandatory,” Pittman says, with organizations moving to “an offensive versus defensive approach. This means switching from reactive to proactive mode as it relates to cyberattacks. Therefore, I see significant growth for jobs specific to threat hunting, bug bounty specialists and cybersecurity architects.”

What top cybersecurity jobs pay

Some recruiting experts say highly skilled infosec pros can demand salaries in the range once reserved for CIOs. And the larger remote workforce makes it possible for many job candidates to compete for job openings anywhere, potentially increasing the candidate pool for each job, but also making it possible for workers in lower-paying areas to compete in top-pay markets.

“The sentiment is that IT security professionals who are knowledgeable in the field are in high demand,” says Tsai. “It is pretty easy to find an IT security job right now. And because of the flexibility that remote work has opened up, I think a lot of these roles are more easily filled in a remote capacity. That is providing security professionals with additional opportunities that they wouldn’t have had before.”

For job seekers wondering if they’re being offered what they’re worth and hiring managers wanting to attract candidates with competitive pay, national average salary data offers some insight. The following list shows national average salaries for 8 top cybersecurity jobs, based on data from Glassdoor.

• Information security analyst: $99,101
• Information security specialist: $96,586
• Security consultant: $97,488
• Information security engineer: $105,927
• Information security manager: $131,725
• IT security architect: $106,078
• Information security director: $170,981
• CISO: $188,260

The above numbers represent national averages and pay varies widely based on a number of factors, including region and industry, as well things like certifications, experience, and seniority. Note, too, that job titles vary from company to company, so be sure to look closely at job descriptions.

Top job markets for infosec pros

As noted, virtually every job market is seeing increased demand for information security professionals. But some markets are especially hot.

“With the pandemic, the full year data for 2020 was off a bit, so it will not show an increase over 2019,” Herbert says. “In our analysis, hiring momentum picked up again earlier this year, so that is the more recent indicator of employer demand trending for cybersecurity.”

Based on CompTIA data, the percentages of job posting increases from the first quarter to the second quarter of 2021 for top states were: Florida (16%), Georgia (11%), Texas (11%), New York (10%), California (5%), Maryland (4%), and Virginia (2%).

“These are nearly always in the top 10 in hiring activity for cybersecurity,” Herbert explains. “Others also in the discussion are North Carolina, Colorado, Illinois, Massachusetts and Arizona. In some cases it’s a function of proximity to government or military facilities and the supporting ecosystem of defense/technology contractors, while in other locations it may be driven by start-up activity or the large base of technology firms headquartered there.”

Cambridge Health Alliance

The growth in remote work may shift some of the demand around going forward, notes Arthur F. Ream III, CISO at Cambridge Health Alliance in Berwick, ME. “This will drive the need for the security footprints of organizations to grow and be managed correctly. Corporate data will be moving in a much larger framework.”

Business skills and industry knowledge tied to higher pay 

Organizations are getting more demanding in the skills, experience and traits they want in hires, as many job candidates demand higher salaries. The larger remote workforce is having an impact here as well, as recruiters can now draw from a much wider field of candidates in the quest to separate the best from the rest.

“There is quite a bit of demand for cybersecurity experts who have good project management and even customer service skills,” explains Art Zeile, president and CEO at DHI Group Inc., a provider of AI-powered software products, online tools and talent acquisition services. “Companies want cybersecurity technologists who can also run projects and interact well with stakeholders and customers.”

DHI Group, Inc.

Pittman echoes that, saying there is a need “for business acumen, excellent presentation and communications skills to effectively communicate with all levels of personnel within an organization (from custodial services to legal to C-suite), the ability to clearly articulate complex concepts, and consistently practice all of the active listening skills and techniques.”

“A truly ideal job candidate would have various skillsets such as organizational acumen (e.g., political, business, audit and compliance); understanding of ethics and morals; passion; a holistic view when required; is analytical and has critical thinking skills; is experienced in various IT facets (e.g., network, help desk, operating systems, desktop and web development), possesses leadership skills; and has the energy and demeanor to continue to educate themselves,” Pittman says.

Notice that fully half of the qualities that Pittman cited are not technical skills at all. Still, technology is at the heart of it all, and the most successful infosec pros are the ones that stay abreast of the latest technologies.

“Top candidates are more proactive in learning about whatever’s new out there in the world,” Spiceworks’s Tsai says. “If you stagnate and you don’t learn about these new technologies, then you’re only half as effective as the other guy.”

Attracting and retaining security talent 

The recent work-from-home trend has had a profound effect on the American workforce, and that certainly includes information security professionals. Most staffing experts say that the majority of these employees did work from home over the past year-and-a-half, and many valued that experience.

“As we begin to look past the pandemic, it’s absolutely critical that organizations listen to technologists regarding their preferences around work structure,” Zeile says. “Our data tells us that the majority of technologists, including talent in the security field, are seeking flexibility—a hybrid approach—including working from home some days and in the office the others. That is now even more desirable for many than a full-time remote structure.”

As evidence, Zeile says the Dice 2021 Technologist Sentiment Report reveals that only 17% of technologists want to be in the office 100% of the time.

“Organizations that are able to offer a structure that’s flexible and takes the unique needs and wants of technologists into account can give themselves an advantage in a tech talent market that’s incredibly competitive,” Zeile says.

Another important step in the war for talent is to cast a wider net, looking at individuals who may lack a formal infosec background but have highly adaptable skills and traits. That is an approach being taken at the County of San Bernardino when it comes to internal infosec hires.

“I’ve labeled this the ‘internal osmosis hiring’ (IOH) methodology,” Pittman explains. “IOH is very satisfying because these individuals are already employed by the organization. The critical keys are identifying their level of preparedness for the position comprised of education, work experience, skillsets, mindsets, and attitude, and understanding their career aspirations.  IOH has provided a wealth of dividends on recruiting and hiring from other departments within the county, and growing their talents as an IT security professional under a CISO leadership style that promotes collaboration, communication, integrity, trust and being ethical, along with a participatory style of management.”