The State of Cyber Security Talent in North Carolina
By Meredith Metsker (Emsi) and Bob Folley (Cyber Intellect Group)
In January, labor market analytics firm Emsi released “Five Things You Need to Know About Cyber Security," which looked at job growth, top industries, most in-demand skills, top MSAs, and top schools within cyber security in the United States.
Now, Emsi has partnered with Cyber Intellect Group, a North Carolina-based information security staffing firm, to look at the state of cyber security talent in North Carolina.
Since our last report, there have been many large data breaches (especially in the healthcare industry), compromising tens of millions of customers’ personal and financial data. It’s no secret that healthcare data is more valuable to hackers due to the financial and personal information that can be accessed.
With the constant barrage of data breaches, cyber security is gaining more attention among C-suites nationwide. After all, each breach yields a significant financial impact and tarnishes a company’s brand.
On the national scale, one of the main challenges in cyber security right now is a shortage in cyber security talent. In fact, according to ISACA’s State of Cyber security 2019 Survey, 69% of respondents said their cyber security teams are understaffed. Adding to the challenge is the fact that 32% of companies said it takes them about six months to fill a cyber security role.
In this article, we’ll look at the talent landscape for the state of North Carolina.
Job postings have increased by 279% since September 2016
Since cyber security is more of an emerging job (and doesn’t show up in the government taxonomies as much as we would hope), we decided to consult our job postings analytics to get a better sense of demand. This step helps us get beyond limited taxonomies to provide a more up-to-date look at what’s happening in the labor market right now.
According to this data, postings in North Carolina that mention cyber security as a skill have increased 279% since September 2016 (from 644 postings in September 2016 to 2,440 in September 2019).
Below, you can see the top 10 job titles most frequently associated with cyber security. This doesn’t necessarily mean that “cyber security” will appear in the title. Rather, it means job postings for these titles also include cyber security as a desired skill.
Information security analysts
Cyber security engineers
Cyber security analysts
Information security specialists
Information security managers
Cloud engineer architects
For the purpose of this article, we’ll refer to these 10 job titles as “cyber security positions.”
The demand for cyber security positions has been steadily increasing over the last three years. Between September 2016 and September 2019, North Carolina employers posted over 73,000 job advertisements for those positions.
This doesn’t necessarily mean that companies are going to hire this many people. Instead, it shows a huge demand in the market and how much these companies need to fill cyber security positions.
Cyber security jobs aren’t just for tech companies
Turns out, cyber security is not just relevant in information technology---although that is a major industry in North Carolina and IBM is one of the top companies posting. Cyber security is also in high demand across a wide variety of other industries in North Carolina, including finance, manufacturing, healthcare, retail, and more.
Financial institutions, in general, are investing heavily in cyber security to combat a rise in cyber-attacks. According to Forbes, “while the typical American business is attacked 4 million times per year, the typical American financial services firm is attacked a staggering 1 billion times per year.” In North Carolina, Wells Fargo and Bank of America are two of the top 10 companies posting for cybersecurity jobs.
Other top companies include Oracle, Accenture, and Lowe’s. Oracle falls under the information industry at No. 1, while Accenture fall under the top industry: professional, scientific, and technical services. This sector includes accounting, engineering, computer services, advertising, scientific research, and more. Lowe’s, at No. 8, falls under retail.
Note: The median posting duration is not the same at time to fill (TTF) for cyber security positions.
It’s also important to note the posting intensity in the chart above, which can indicate how hard companies are working to fill these open positions. For example, the finance and insurance industry in North Carolina has a posting intensity ratio of 9:1. This means that for every one open cybersecurity job, companies are posting in nine different places to advertise it. When compared to the national average of 6:1 for this industry, this indicates high demand and a struggle to fill those jobs.
Employers want hard skills AND human skills
When we think about cyber security, we immediately think about tech skills and sub-categories within cyber security like incident response, vulnerability, risk management, network security, and Splunk, just to name a few.
But those aren’t the only skills employers want. According to our 2018 report, Robot-Ready: Human+ Skills for the Future of Work, human (or soft) skills like communications, leadership, and problem-solving are among the most in-demand in the labor market right now. That appears to be the case for cyber security, as well.
In the chart below, we can compare the supply and demand of those human skills in cyber security. To find these skills, we searched our job postings data for all postings in North Carolina that mention “cyber security” as a skill. Over 21,000 postings showed up.
On the left side of the chart, we see our demand-side data (job postings). On the right is the supply-side data (social and professional profiles). This helps us get a feel for what employers are looking for vs. what’s already in the market. For example, it appears that there is currently far more demand for innovation than there is supply.
Employers value certifications
North Carolina cyber security employers know that in addition to degrees and skills, certifications are also critical. For the 10 cyber security-related positions analyzed in this paper, the top two certifications (by a long shot) listed in job postings are Certified Information Systems Security Professional (CISSP) and Project Management Professional Certification (PMP).
Over 4,700 North Carolina employers require a CISSP for a cyber security-related position. But according to Emsi’s profile analytics, only about 2,500 people in North Carolina have a CISSP listed on their resume.
Employers (both in HR and hiring managers) need to make sure they align the required certifications and experience levels in their job postings. For example, some certifications require a certain amount of professional experience before attempting to take the exam.
In the chart above, you may notice that PMP and Project Management Institute (PMI) are both included; PMP is a certification from the PMI. This just means that some employers might be listing a more general “PMI Certified” requirement in their postings, while others ask for more specific requirements like the PMP. It’s like how one job posting might say “Software Engineer” while another says “Java Engineer.” Java Engineer is a subset of Software Engineer, but if the posting doesn’t specify what kind of Software Engineer it is, it’s difficult to provide more information.
NC cyber security professionals come from a wide variety of schools
To find out which schools North Carolina cyber security professionals went to, we explored our vast set of social profiles and resumes.
After sampling nearly 12,000 resumes and profiles for our cyber security-related job titles, we created a list of the top schools mentioned.
Unsurprisingly, most of North Carolina’s cyber security professionals went to school in North Carolina, with the overwhelming majority attending North Carolina State University.
It’s no surprise that cyber security continues to be a major concern for governments and corporations around the world. In fact, many CEOs now view it as the biggest threat to the world economy. So finding qualified cyber security talent is even more of a priority---and easier said than done.
To be more effective at hiring and retaining cyber security talent, North Carolina companies should take a multi-pronged approach. With the right combination of cyber security technology, people, culture, training, flexibility, and more, businesses can create an environment people want to be a part of.
In addition, by working with universities, workforce and economic planners, and labor market analytics companies like Emsi, companies can further enhance a long-term plan on how to solve the cyber security talent shortage.