Embattled by hactivists, cybercriminals and foreign rivals seeking to steal proprietary information, U.S. corporations are ramping up their hiring of cybersecurity experts, with open jobs reaching an all-time high in April.
The need for cybersecurity experts spans all industries, from financial services, manufacturing and utilities to healthcare and retail. Among the major U.S. companies trying to fill cybersecurity-related positions are Boeing, Baylor Health Care System, Verisign and Office Depot.
Cybersecurity jobs also are plentiful in the U.S. federal government market. For example, the Energy Department's Idaho National Lab is seeking a senior cybersecurity researcher to support its lead nuclear research and development facility.
The number of cybersecurity-related job openings listed on the Dice.com Web site for IT professionals rose significantly in April 2012 compared to a year ago. The biggest increase was for cybersecurity specialists, which rose 74% with 920 open job listings. U.S. companies also are hiring thousands of network security, information security and application security experts.
"Every year, threats go up, so every year companies increase investment in security,'' says Tom Silver, senior vice president of North America for Dice. "On Dice, information security jobs reached an all-time high last month ... Companies want security professionals to counter breaches and also anticipate gaps, suggesting measures to fill them. Protection is key.''
Several trends are driving the demand for cybersecurity experts. Companies have increasingly complex networks, more transactions to process, and more data than ever. They're using cloud applications such as Salesforce and Taleo, which extends their need for information security outside the perimeter of their networks. Additionally, they're dealing with a flood of user-owned mobile devices such as smartphones and tablets.
The cybersecurity skills needed three years ago compared to now "is a whole different ballgame," says Sudhir Verma, vice president of consulting services and project management at Force 3, a Crofton, Md., government contractor that is hiring several senior engineers, solutions architects and analysts for its security team.
"Three years ago, the iPad was not in play. Now we're hiring experts in our practice who understand the bring-your-own-device and consumerization trends,'' Verma says. ``Everything is in flux with the move to the cloud and mobile devices. It's no longer about managing firewalls for IT security. It's beyond that. It's about how to protect information in the enterprise in an environment that includes cloud applications and tablets.''
All of these trends are prompting CIOs and CISOs to hire experienced security professionals to safeguard their sensitive information. They are particularly concerned about protecting intellectual property from theft by government-sponsored hackers from countries such as China.
"There's certainly a great need in the market, with cybersecurity breaches costing U.S. companies upwards of $400 billion annually in intellectual property theft alone," says Don Hanson, senior vice president with Yoh, an IT staffing agency.
Hanson sees demand for developers who can build secure applications, network engineers with security certifications, and architects who understand how to secure systems and processes. He says there is also a need for IT professionals to be involved with security monitoring, information assurance and regulatory compliance.
"The biggest need is for folks that are working in security with cutting-edge technologies,'' Hanson says. "There are so many mobile devices out there, it's important to add the layer of mobile device management and to understand how that additional layer works."
Hanson says companies are looking to hire IT professionals with experience in security information event management, intrusion detection, data loss prevention and logging systems, as well as those with certifications related to ethical hacking and digital forensics. However, they prefer to hire IT professionals with a big-picture perspective on security issues rather than expertise in only one type of security device.
"It's not so much about any one technology or any one point product," Hanson says. "It's more about a holistic approach to security that companies are taking that includes their policies and assets across their entire information architecture."
The titles for open cybersecurity jobs vary, with the most popular being security engineers, security analysts and security architects. Other organizations favor the terms cybersecurity analysts and information assurance analyst.
"We're looking now for cybersecurity intelligence analysts and information assurance analysts who understand how to look at information not only from a technical and logical security standpoint, but who can relate that back to risk management and business process risk," says Jacob Braun, president and COO of Waka Digital Media Corp., a Boston-based IT security consulting firm. "We're looking for people who can look at attacks in progress and can find occurrences that are symptomatic of attacks and...can help mitigate potential for future attacks."
Most of these high-paying cybersecurity jobs are not for recent computer science graduates; instead companies are looking to hire IT professionals with five to 15 years of experience with security systems and processes as well as related certifications. [See sidebar with tips for landing a cybersecurity job.]
"A cybersecurity analyst is someone who has nine to 15 years of professional experience, preferably has a master's degree and possesses a variety of information security certifications," Braun says. "Salary depends on geography and industry. It can range anywhere from $80,000 to $150,000. If an individual has a unique set of experience, it can be significantly higher, especially for consultants."
Last year, Unisys hired an IT security director and expanded its IT security staff. Now the company is looking for knowledge of security principals in all of its ongoing IT hires, including application developers and network engineers, says Unisys CISO Dave Frymier.
"The reason that senior application architects and senior network engineers have got to have security knowledge is because we want to bake security into the early parts of the development process," Frymier says. "I've interviewed several application architects who had sterling-looking resumes and when I asked them to describe an SQL injection attack, they couldn't do it. Needless to say, we didn't hire them."
Unisys has 15 cybersecurity professionals on staff out of an overall group of 150 IT professionals. Frymier said Unisys needs cybersecurity expertise in its IT architecture and IT operations.
"The breaches that are occurring are problems on the operational side," he explained. "Somebody who runs a security information and event management system has to have a lot of experience...so they can deal with the false positives. Those systems throw out literally gigabytes worth of data. You have to be able to filter through that and find the stuff that really shouldn't be there."
Demand for cybersecurity experts is expected to remain strong.
For example, Department of Homeland Security Secretary Janet Napolitano told a Senate committee in April that cyberattacks are her No.1 concern. She said there is a shortage of cybersecurity experts to help federal agencies thwart cyberattacks, which exceeded 106,000 last year.
Cybersecurity jobs will likely continue increasing as organizations continue to expand their online businesses.
"There's a huge non-profit in New York City, a $700 million organization, that wants to double in size -- all through marketing on the Internet," Hanson says. "They need cybersecurity expertise on the architectural level and the programming level. They're going to certainly encounter new threats as they open up their network to a whole new function."
Additionally, companies are unlikely to outsource or offshore cybersecurity jobs, Frymier says.
"There has to be a braintrust inside the company who understands what information is important for the company to safeguard and who operates in the best interest of the company," Frymier says. "What you can't get from a consulting firm is an ongoing risk management perspective of: What information do I need to protect, who is trying to steal it from me, and what is the risk of a breach."