Study: More Cyber Jobs Exist Than People to Fill Them

Study: More Cyber Jobs Exist Than People to Fill Them


Aliah D. Wright By Aliah D. Wright November 13, 2017

​Demand for cybersecurity talent "significantly outstrips the supply of available workers" in every U.S. state, experts say.

U.S. employers posted 285,681 cybersecurity jobs during the 12-month period that ended in September 2017. Nationwide, more than 746,000 people work in cybersecurity jobs.

Those figures come from a new study by CyberSeek, a project maintained by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce. The study was released at the recent NICE Conference & Expo in Dayton, Ohio.

To illustrate the gap, CyberSeek published an interactive heat map that provides a granular snapshot of the supply and demand for cybersecurity roles at the state and local level.

"Regarding cybersecurity jobs, we've made some incremental progress in closing the gap over the past year, but not nearly as much as needs to be done," said Todd Thibodeaux, president and CEO of CompTIA, a nonprofit trade organization based in Downers Grove, Ill., that certifies IT professionals.

​There just aren't enough people to fill the jobs—even though they pay well.

Glassdoor reports that the national average salary for a cybersecurity analyst is about $82,000; cybersecurity engineers average about $107,000.

The most in-demand cybersecurity positions range from those who operate and maintain security to those who manage workers and collect information to develop intelligence to thwart breaches.

"The range of job roles cited in CyberSeek reflects the multifaceted approach that's required to defend against an ever-expanding cybersecurity threat landscape," Thibodeaux added. 

East Coast Dominates Landscape

​Washington, D.C., New York and Chicago are the cities with the largest number of cybersecurity job openings. Data from CyberSeek also reveals that cybersecurity positions are concentrated most heavily in the Washington, D.C., Baltimore and San Jose, Calif., markets.

"While we are seeing an increase in open positions, the talent shortage is real and it is impacting public- and private-sector organizations across the country," Thibodeaux told SHRM Online.

Public-sector organizations are feeling the strain: they posted 12,100 job openings for cybersecurity workers and already employ 31,634 workers in cybersecurity-related jobs in 2016, the study shows.

What Can HR Do?

​"Organizations that are struggling to find these tech workers may need to do a thorough review of what their staffing needs are and how they are going about trying to fill them," Thibodeaux said, adding that the review should examine how HR is recruiting new tech talent. He recommends HR professionals ask themselves:

  • How are you developing your job descriptions?
  • Has someone with a background in technology reviewed the description to make sure it aligns with what the job really entails?
  • Are you asking for too much work experience for too little pay?
  • Are you holding out for the perfect candidate? "With tech workers, especially someone whose qualifications are 80 percent of the way toward meeting the expectations of the hiring company, [the worker] can very quickly close the remaining 20 percent gap through training, certification or on-the-job experience."

While more U.S. IT professionals are turning to cybersecurity roles, hiring additional cybersecurity workers is important if companies want to thwart cybersecurity attacks.


[SHRM members-only toolkit: IT Staffing]

Cyberattacks Increased in 2017

​The Identity Theft Resource Center estimates that 8,037 data breaches that compromised personally identifiable information records have occurred between Jan. 1, 2005, and Nov. 1, 2017.

The average cost for businesses for each lost or stolen record containing sensitive and confidential information is $141, according to the Ponemon Institute's 2017 Cost of Data Breach Study.

"That cost jumps for businesses in financial services ($245) and health care ($380). Those dollar amounts do not include the cost of notifying affected parties," Thibodeaux said. "They also don't account for damage to your reputation."

"Cyber-criminals and hackers are always going to be ahead of the cyber-defenders, at least for the foreseeable future. The goal is to keep that gap between the bad guys and good guys as small as possible," he said. "But if the shortage of cybersecurity workers persists, the cyber professionals who are on the front lines will spend more time on the defensive, leaving less time for them to take proactive precautionary measures to thwart attacks before they happen."


Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.



Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect