Key Insights from the Q3 Cybersecurity Talent Market Report: Compensation, Job Trends, and Skills in Demand
If you’d rather review the report in PDF / ebook format, you can find it here.
Focus area: required experience
This is the cybersecurity ‘diamond.’
It is a visual illustration of the required years of experience cited across thousands of cybersecurity job postings.
Only ~10% of job postings require 2 years of experience or less. There are almost no truly entry-level positions.
By far the most prevalent experience requirement is 5 years. Why? Well, it’s nice and round.
When you ask hiring managers why they put x years of experience in their job descriptions, they will usually say something like, ‘I need someone who is experienced enough to be a strong SailPoint developer,’ or ‘I need someone who has seen enough incidents to be able to quickly recognize when something is serious and apply our playbooks.’
In other words, experience requirements are used as a proxy for skills. There is an assumption that if you don’t hit that experience threshold, you don’t have those skills, or that you can’t learn them fast enough.
Why is this?
Experience is easy to observe (right there on the resume), so it’s easy to screen.
It’s also easier to write an experience (or undergraduate degree) requirement down in a job description than it is to forensically think through the specific skills required.
Most hiring processes do a lousy job assessing skills anyway, so the error rate on this as a proxy is no worse than the error rate of a poor interview process.
In other words, it’s an easy button.
Collectively, this is incredibly detrimental to our industry, because it limits opportunities for people who have less traditional backgrounds, and people who have high potential but haven’t cleared the experience bar.
It is individually rational but collectively detrimental.
The talent shortage in cybersecurity will not ease until we find ways to expand the bottom of this diamond.
We need to move beyond hiring practices that demand arbitrary experience requirements and to a skill-based view of hiring.
In a world of skill-based hiring, the hiring manager:
Clearly identifies the most critical technical and soft skills for success
Specifies the level of proficiency required (with a perspective on what must exist out of the gate vs. what can be learned)
Hires with a process that evaluates proficiency against those skills
You will be seeing additional content coming out from Crux on the topic of skill-based hiring, but for an early perspective on what we are talking about, check out these hiring guides for IAM program managers and engineers.
While it’s imperative that we change the way we hire, as an industry, we also need to build programs that take high potential talent and provide them with training and mentorship to accelerate their skill development.
I know of several forward-thinking CISOs who have built exactly these types of programs, and are reaping the benefits with loyal teams and overall lower cost structures.
If we can make these shifts, as an industry we’ll see:
A significant reduction in the talent shortage
Faster time to fill open roles
Fewer ‘ghost’ jobs
Higher job satisfaction
Reduced turnover
Reduced budgetary struggles (cost structure is more predictable and lower overall)
If you are interested in breaking into security, here’s a bit of advice for how to navigate around the cybersecurity diamond:
First, build expertise and practice in a field that is adjacent to security (or that you are looking to secure). People with underlying technical skills who understand cloud infrastructure, coding, networks, etc. can make natural pivots over into security, and often do so at senior levels.
Target one of the traditional entry points: SOC analyst, vulnerability manager, pen tester, or GRC analyst. While these jobs are highly competitive, they do offer the clearest progression ladders to move ‘into’ and ‘up’ within security.
Here’s the data on the mix of junior and senior roles by domain of security:
We will have deeper treatment on the topic of breaking into security in future issues. There’s a tremendous amount to be said on this topic.
What employers are looking for
Certifications in demand
The CISSP is by far the most requested professional certification
Certifications are seen as ‘nice to haves’ in the vast majority of job descriptions
Our advice: get certs to genuinely build your knowledge in domains that you are passionate about, not to pad your resume
Technologies / domain expertise in demand
We compile demand for both general infrastructure (e.g. network) and specific technology expertise (e.g. SailPoint)
If in doubt, build a career in cloud security! AWS, Azure, ‘Cloud,’ and GCP expertise are all in demand
Over time we will trend these results to show which areas of expertise are ‘spiking’
Individual contributor vs. managerial roles
Generally, 60-80% of security jobs are individual contributor roles
Highly technical roles tend to skew IC, with ‘consultative’ roles having more managerial slots
Remote work trends
On average, a bit more than 50% of security jobs are on site
Generally, we are seeing the number of purely remote jobs decrease slightly, but these trends seem less profound than what is happening in the economy generally
Compensation trends
Average salary by domain and level of seniority
Highly experienced architects remain in strong demand and able to command extremely high salaries. The comp levels in application security, cloud security, and product security all reflect the rising importance of these domains and the relative lack of highly skilled talent.
Salary distribution by years of experience
On average, each year of security experience is worth $7,400
A wide distribution exists at each increment of experience, suggesting that high pay is available for the best talent
Crux Apex list
We are thrilled to introduce the Crux Apex list, a recognition of enterprise employers that are exemplary with respect to security hiring.
If you are in the market, you should absolutely check these companies out.
Companies on the Apex list:
Pay significantly above average
Are actively hiring several roles for their security teams
Offer a high proportion of hybrid or remote work
Have well-written job descriptions that do not have education requirements, and whose experience requirements are in line with the job level and compensation
Congratulations to all of these companies! Click on the links above to check out their open roles.
Talent trends
Where are people getting jobs?
Growth by state
This is a view of where cybersecurity jobs are being created, by state
Not surprisingly, the top quartile is led by states that are large in population and/or booming in growth
Job growth by industry
Unsurprisingly the most new jobs are being created in the security industry and IT space, as well as large, regulated industries such as financial services and healthcare
Where are people leaving jobs and finding other jobs?
Turnover by state
This chart shows states that are seeing the most job switching happening (not necessarily growth)
It is an indicator of both restlessness and opportunity
Turnover by industry
This chart shows which industries cybersecurity professionals are leaving (though many will stay in the same industry). Since people leave jobs in two ways, getting let go or quitting, it’s an indication of the state of health and investment in security across these spaces.
While the construction industry remains relatively brisk in this economy (this is likely a function of data sampling more than economic indicators), marketing, consulting, and entertainment are all relatively down in this economy, so the results are not surprising.
Security leadership moves
There were some major CISO roles that got filled in the past couple of months at large financial institutions and healthcare companies. Congrats to all of these CISOs in their new roles; we wish them the best of luck!