Not enough information security analysts, despite higher wages

Results from the ISACA global State of Cybersecurity survey, conducted in October 2017, indicated few signs of the effects of security automation on the security workforce, a strategy that some companies are employing to lessen the burden on information security analysts.

Almost 60% of the enterprises surveyed had open security positions. In this year's survey, the workforce shortage was primarily attributed to lack of skills, rather than budgetary constraints: 64% of the 2,366 security professionals surveyed expected their security budgets to increase in 2018. The majority, or 97%, were members of ISACA, an international nonprofit for IT governance professionals, formerly known as the Information Systems Audit and Control Association.

The ISACA "State of Cybersecurity 2018" report found that staffing demands were greatest at the individual level -- technicians such as security engineers and information security analysts -- rather than at the security management or executive level. The report noted that investment in security automation to make execution of technical tasks more efficient for security teams could add value to enterprises. On average, it took three months to fill security jobs, according to 25% of those surveyed, while 26% reported timeframes of at least 6 months or longer to hire for open security positions.

Those numbers mirrored the findings of Cyberseek, which indicated an average of 96 days to fill security positions that require in-demand cloud skills. Cyberseek is an an interactive mapping tool designed to highlight the supply and demand of cybersecurity professionals in the United States; partners in the Cyberseek project include Burning Glass Technologies, CompTIA and the National Initiative for Cybersecurity Education, a National Institute of Standards and Technology program focused on training and security workforce development. Cyberseek reported 109,000 open information security analyst jobs between April 2017 and March 2018, as well as 200,000 additional unfilled cybersecurity-related positions. Data showed 105,000 employed information security analysts during the same period.

Shortages in the United States exist, even as information security analysts continued to have a higher median annual wage than other computer occupations, according to the U.S. Bureau of Labor Statistics. States with the highest employment levels of security analysts include Virginia, California, Texas, New York, and Florida.