Analyzing the Information Security Job Market

Hello, everyone. I’m back with another article; this time, analyzing the state of the Information Security job market, as of Tuesday, May 30, 2017.

The previous article in this series, Diving into the Deep, Dark Waters of Information Security, ended up being quite the hit with a lot of folks. Even making its way onto Jayson E. Street‘s incredibly useful Information Security resource list site, iR0nin – which, FYI, is a must see if you’re new to Information Security. After I finished writing that article – a Security primer, for those of you that have not yet read it (do so!) – I sat down with a few of the young adult students that I mentor, and we discussed what each of them would like to see more of. This topic was the most mentioned.

In this article, we’ll take a look at the state of the Information Security job market – we’ll consider factors such as the necessity behind certifications and university degrees, a few different “career paths”, and the various job titles that exist within the field. Unlike the Security primer that I authored, the goal of this post will be focused more on understanding the market, and helping newcomers to the field decide on what type of path they want their careers to take.

Case Study – Job Posting Data Samples: Indeed.

The primary source of this data sampling is This data is accurate at the time of writing this, and can be publicly accessed on Indeed by querying “Information Security” in the “United States”. Or by clicking here. This data – number/type of job listings, salary data, etc. – may change by the time you stumble across this article. When data/statistics are sourced from outside of Indeed, a direct reference of the source will be made.

Indeed Case Study: “Information Security”

As of 5/30/2017 at 5:00pm, Indeed reports that within the United States:

  • There are 250,709 job postings called by querying “Information Security.”
  • 129,183 of these listings are marked as “Entry Level.”
  • 70,747 of these listings are marked as “Mid-Level.”
  • 20,759 of these listings are marked as “Senior Level.”
  • $114,230 per year is the average salary for “IT Security Specialist” based on 18,511 salaries, reported by Indeed.

Breaking it down further…

  • 1,437 listings are focused on Malware Analysis.
  • 1,258 listings are focused on Digital Forensics.
  • 568 listings are focused on Penetration Testing.
  • 48,327 listings are looking for “Security Engineers” (Mobile, network, product, data, etc.)

Higher Education Preference (as based off of Indeed’s advanced search API).

  • 3,988 listings required (or highly preferred) a minimum of an Associate’s degree, or higher.
  • 36,124 listings required (or highly preferred) a minimum of a Bachelor’s degree, or higher.
  • 11,783 listings required (or highly preferred) a minimum of a Master’s degree, or higher.
  • An additional 24,440 listings merely indicated that “some” college experience was highly preferred.

Certification Preference (as based off of Indeed’s advanced search API).

  • 10,103 listings referenced CISSP.
  • 2,095 listings referenced C|EH.
  • 3,323 listings referenced CompTIA’s Security+.
  • 3,303 listings referenced CISM.
  • 460 listings referenced OSCP.
  • 54,830 listings referenced “certifications” in general as being either required, or highly preferred.

Security Clearance Preference (as based off of Indeed’s advanced search API).

  • 10,458 listings required, or required the ability to obtain, a Secret Clearance.
  • 8,010 listings required, or required the ability to obtain, a Top Secret Clearance.
Breaking the Data Down

Based on the initial 250,709 postings queried for “Information Security”, as per the findings from using Indeed’s Advanced Search API, the following is true:

  • 30.4% (roughly 1 out of 3 jobs) of all Indeed listings require some form of college education, with the Bachelor’s degree being the most required level of higher education.
  • 21.8% (roughly 1 out of 5 jobs) of all Indeed listings required some form of certification.
  • 7.3% of all Indeed listings required either Secret or Top Secret security clearances.

It is important to remember, however, that these statistics will rapidly change going forward – and may not remain the same. Furthermore, it’s also important to remember that not all companies/positions are posted to Indeed, so these statistics only reflect that limitation. 

Careers and Paths in the Information Security Field

Information Security is an umbrella term, but the field in general is rapidly expanding. ISACA, a “nonprofit, independent association that advocates for professionals involved in information security, assurance, risk management and governance,” has predicted that by 2019, there will be a universal shortage of 2,000,000 Information Security experts. But the most common questions I get are: Where do I begin? What path do I take to get to where I want to go? Quite frequently, I’m approached by individuals who see Information Security as this singular field of study, when it fact, it consists of many sub-disciplines, each with various paths leading to vastly different destinations.

Deciding your Fate

Before diving into Information Security, it is important to know what you want to do. Maybe you want to analyze malware? Perhaps you want to work with local law enforcement to strengthen court cases against cybercriminals? Or you might want to exploit vulnerabilities within a system, document your findings, and help the organization harden their attack surface? The following list is definitely far from exhaustive, but here are a few job titles you will find in the Information Security field:

  • Security Engineer
  • Malware Analyst
  • Digital Forensics Investigator
  • Penetration Tester
  • Network Security Engineer
  • Application Security Analyst
  • IT Auditor
  • Vulnerability Researcher
  • Information Security Manager
  • Chief Information Security Officer

My advice? Research each of these job titles (and also Google “Job Titles in Information Security”), to see if any of them sound like what you might ultimately want to do. It is important to know what you want out of your career, as many of the above positions require different areas of study – and many take a long time to master. Some positions are more technical, and complex, than others. Other positions are more bureaucratic and managerial.

“But how do I get there?”

Well, it certainly is possible to dive right in. But that isn’t the most common path. Information Security is often the “next step” in an IT/Computer Science professional’s career. For many of the technical disciplines (Forensics, Malware Analysis, Penetration Testing, etc), a firm foundation of basic, intermediate, and even advanced non-security related technical knowledge is required. Take network security, for instance; chances are, you’ll be coming from a professional background in networking, before stepping into the role of a Network Security Engineer. The most common stepping stones into Information Security often begin with one of the following positions:

  • System Administrator
  • Network Engineer
  • Database Administrator
  • Website Developer
  • Information Technology Technicians

The path to an Information Security position will be different for everyone, though; the list above is just the most common starting points. Some people may choose to do a Bachelor’s degree in Computer Science with a focus on Security, and be ready to step into an Application Security position straight out of college. What’s important is that you figure out what aspect of Security you love the most, and then sit down and develop a ten year plan, indicating milestones along the way that will help you achieve with you’re looking for in your career.

“What about marketable skills?”

Again, this will highly vary based on the position you’re looking for, but there are certain knowledge domains that are very hot for 2017:

  • Cloud Security
  • The Internet of Things
  • Mobile Security & Forensics
  • Malware (especially Ransomware)
  • Threat Intelligence
  • Vulnerability Research

At the core of your knowledge, however, there should be some fundamental soft skills that any Information Security professional should have:

  • Proficiency in at least one programming language.
    • Even if you never intend to be an Application Security specialist, or Software Engineer, every IT/CS/Security position can benefit from some form of programming or scripting. Whether that’s adding a new Metasploit module in Ruby, or EnCase data manipulation using EnScript and Python, having some fundamental knowledge of programming will make you far more efficient at what you do.
  • Intermediate Information Technology, or Computer Science, knowledge.
    • Whether your background is networking, software engineering, or even project management… have some fundamental and intermediate knowledge under your belt. If you don’t already know the systems you’re working with, why should you be securing them? Be familiar with your area of expertise – and not just from a security perspective.
  •  Strong written and oral communication skills.
    • Let’s face it: Writing reports, talking to people… these are things that most everyone will do. And if you suck at them, it damages your professional reputation.
  • Research your state laws.
    • Yes, I’m looking at you Digital Forensics people – but it never hurts to do so, regardless of your focus in Information Security. Certain states have laws and regulations dictating the means by which you can practice your trade. In Michigan, for instance, it is a felony to perform Digital Forensics without being licensed to do so. Make sure you know what is legal where you reside.

No matter what you choose, research, research, research. Start by figuring out what you want to do – typically, what you enjoy the most – then build your path to get there. And feel free to reach out if you have any questions along the way. I’m always around to help.

Written by Tyler