As cyber threats develop and reverberate around the world, businesses are boosting their investment in cyber personnel to handle the risk. But currently, supply can’t keep up with demand. Cybersecurity Ventures reported that unfilled cybersecurity jobs grew by 350% between 2013 and 2021 – leaving 3.5 million jobs available for the taking worldwide.
Compare that to the almost 4.2 million already working in cybersecurity and you can start to imagine the scale of the advanced cyber security skills shortage. For all vacancies to be satisfied, the global workforce has to almost double!
It’s a great time to have top cyber skills though. It’s estimated that cybersecurity experts enjoy a 0% unemployment rate due to that incredible level of demand. Because it’s such a “seller’s market”, it’s fairly safe to say that a job in cybersecurity – especially in middle to top management – is a pretty secure one.
But before we get to the top cyber roles we think will dominate throughout the rest of the 2020s, let’s investigate the job market a little more closely.
The UK’s cyber skills shortage rocketed by more than a third during 2021, making advanced cybersecurity skills the most sought-after in the UK. The UK has a particular shortage of cyber security specialists, IT systems designers, and software development professionals – so much so that those roles are all listed on the UK’s shortage occupations list.
Though 36% of employers struggle to secure junior talent, over half of employers (55%) struggle to secure middle management specialists (Source: Robert Walters Group).
This brings us to the second major pressure that cyber employers are facing. Even pre-Covid, many organisations were in dire need of a digital overhaul. The resulting lockdowns acted as a catalyst for many organisations to embrace digital transformation – whether they liked it or not! In their rush to digitalise, many organisations learnt the hard way that it’s not enough to simply build systems and applications that work – they need to be cyber secure too.
So with that context in mind, let’s explore the top 5 most in-demand cybersecurity roles and what we feel the future holds for each specialism.
What Does a CISO Do?
As a C-Suite role, the CISO champions the cause of cyber-, data, and information security at the C-Suite boardroom table. CISOs are generally responsible for forming and leading a company’s security posture and can span all aspects of security – from technical practicalities all the way through to policies and regulatory compliance.
CISOs can rise through the ranks as security technologists; however, their ability to convey technical messages in the language of business risk is paramount. It is also therefore possible for CISOs to come from a non-technical security background, like GRC (Governance, Risk & Compliance).
Why are CISOs so In-Demand?
Nowadays, if you want to be in business, you need to be cyber secure. It’s as simple as that. Whether it’s a smaller scale-up that is growing to incorporate a C-Suite or an established organisation that recognises the importance of leading information security “from the top down”, CISOs are well and truly sought-after.
The Wall Street Journal makes a great point here: the levels of expertise required to fill a CISO role are so incredibly difficult to find that salaries are naturally being pushed higher. CISOs in the UK can easily make in excess of £250,000 – 350,000 a year when taking into account bonus and other cash benefits. US-based CISOs can make significantly more.
What Does the Future Hold for CISOs?
Though many CISOs will ideally have a technical background, there is an increasing need for tech leaders to have a strong background in managing risk and compliance. As “CISO” becomes more of a widely accepted C-Suite role, they will need to hold their own as a leader and advocate for security company-wide, whether that’s technically, behaviourally, or from a risk perspective.
However, those with CISO skills don’t necessarily have to go down the permanent employment route (tempting though that £350k a year may be!). Smaller companies need competent tech leadership too, and an outsourced “virtual” CISO is an ideal solution for those who need executive-level security input, but not enough to warrant a full-time position.
What Does a DevSecOps Engineer Do?
DevSecOps is an expansion of the established DevOps lifecycle that seamlessly embeds cybersecurity into its continuous integration and development processes. This approach helps to create applications with security inseparably built in throughout rather than tacking it on later as an afterthought.
By smoothly integrating security into the usual agile development cycle, developers are better able to maintain high levels of app security whilst also keeping up with the demands of continuous production and rolling releases.
Why Are DevSecOps Engineers so In-Demand?
The demand for DevOps specialists is hardly new. Experts have been lamenting the shortage of this highly specialised skill set since the mid-2010s.
IBM makes a great point about DevSecOps:
“When software is developed in a non-DevSecOps environment, security problems can lead to huge time delays [and] can be time-consuming and expensive. The rapid, secure delivery of DevSecOps saves time and reduces costs by minimising the need to […] address security issues after the fact.”
So, rather than simply improving a system’s security, a DevSecOps approach can save time and money too. A tempting prospect for any organisation, I think you’ll agree!
What Does The Future Hold for DevSecOps Engineers?
In January 2022, DevOps.com reported “fewer than 5,000 people on LinkedIn currently have ‘DevSecOps’ in their job title, yet there are over 20,000 current openings for DevSecOps roles”. That’s quite the shortfall.
It will be interesting to see how existing DevOps and security talent further blends into DevSecOps in future. Like the experts at DevOps.com, we’re interested to see how the blurring of the lines between cloud-native infrastructure and applications will shape the field. Likewise, as supply chain threats continue to rise, it will be key to note the role that DevSecOps plays on that particular battlefront. In short: businesses need to invest in DevSecOps (with the “Sec”) or get left behind.
What Does a Security Architect Do?
Here’s a great definition of a security architect from gov.uk:
“A security architect creates and designs security for a system or service, maintains security documentation and develops architecture patterns and security approaches to new technologies.”
In short, they strategically develop secure systems, software, or networks that ultimately protect data assets and support wider business objectives. Actual implementation is usually handed off to other parties, though architects are usually the ones who liaise with stakeholders.
They’re usually more senior than security engineers, setting the high-level vision and objectives for security within a system. This makes it quite a strategic, hands-off role that sometimes touches on risk and governance in places. They’re the generals in the war room, strategically defending the system from cyberattack. Security architects often come from a coding background and therefore innately know the practical possibilities and limitations of a system or language.
Why Are Security Architects So In-Demand?
The UK’s shortage occupations list specifically includes “IT business analysts, architects and systems designers”, highlighting that there’s simply not enough talent in Britain to go around. Considering how important a role it can be, this shortage could put businesses at a grave disadvantage.
What Does The Future Hold for Security Architects?
Security architects don’t just “design secure systems,” they use their skills to enact security strategies, potentially foreseeing dangers and system vulnerabilities on the horizon and taking action before they occur. This strategic focus will be needed more and more as companies transform older systems into robust, futureproof, and cyber-resilient solutions.
As cybersecurity moves from a thing that stakeholders see as “nice to have” and into the realms of “can’t do business without it,” demand will skyrocket for all of the cyber roles on this list.
What Does a Security Engineer Do?
Where security architects conceptualise and design security systems and strategies, security engineers are the ones who make it a reality. They build and maintain systems in line with the business’s operational and security needs, keeping data, networks, and digital assets secure. Coding skills are required when working in a DevSecOps environment!
Hierarchically, engineers usually sit just below architects. However, that’s not to say they are complete automatons – good engineers need to be au fait with the company’s bigger picture in order to make savvy, independent decisions about what’s best for a piece of code or functionality.
They can also get involved with end user liaison to ensure that solutions are being used and implemented securely and in line with security strategy. They may also need some penetration testing skills to probe the limits of the solutions they create.
Why Are Security Engineers So In-Demand?
Though many of the positions on this list are strategic and managerial, those roles are all for nought without skilled individuals implementing that direction. The need for security engineers can be quite varied too, with a need for talent across development, network security, credentialing, and more.
According to an Ipsos government report, “security engineer” was the most in-demand cybersecurity role, making up 35% of cyber roles advertised between January and December 2021.
What Does The Future Hold for Security Engineers?
At the end of 2020, Burning Glass predicted that the need for skilled developers and engineers (including those with DevSecOps and AppSec skills) will rise by 164% over the following 5 years. Cybercrime isn’t going anywhere and as business reliance on IT goes from strength to strength, talented individuals will be needed to keep those systems ticking over securely.
What Do GRC Personnel Do?
GRC professionals handle all things relating to risk management, policy creation, and managing legislative compliance. These roles seek to ensure legal, regulatory, and cultural risks are kept to an absolute minimum. Workers may be expected to carry out periodic risk reassessments and identify new risks and threats on the horizon.
In a cybersecurity context, this can involve upholding both internal security policies and making sure the organisation stays in line with external regulations and frameworks like GDPR, ISO 27001, and so on. Outside of cybersecurity, GRC roles can also sometimes extend to general corporate GRC concerns like operational risk, compliance and navigating legal, financial, PR, and HR risks.
Why Are GRC Personnel So In-Demand?
With compliance and legislative responsibilities piling up at companies’ doors, it’s more important than ever to have someone with sound risk management, policy making, and legislative focus. There are just so many wide-reaching risks to juggle in business nowadays, including data security, talent acquisition, suppliers, ethics, and more.
Companies need a sound understanding of the risks lurking out there in order to build meaningful security programmes that are practical and tethered to legislative reality.
What Does The Future Hold for GRC?
It’s an interesting time to be in GRC. Legislation is becoming increasingly punitive and more wide-reaching than it has ever been, especially when it comes to complex issues like data privacy and supply chain risk.
On the other hand, it’s a field that is becoming increasingly digitised, with software and tools like ERP, APS, and SAP security systems making many of the practicalities of the job more straightforward.
All in all, cybersecurity losses can be huge and absolutely crippling – especially when data breaches are concerned. IBM’s 2021 Cost of a Data Breach Report found that the average cost of a data breach rose to USD 4.24 million. That’s the highest ever average since they started measuring 17 years ago and the total has been climbing for the last 11 years.
It also takes organisations an average of 287 days – most of a year – to identify and contain a breach. The longer it goes on, the more costly it becomes to fix.
With so much at stake, it’s no wonder that cybersecurity talent will be in need for years – decades even – to come.