united kingdom

Careers

Learn more about jobs and careers in cyber security

Career Trends

A growing body of research demonstrates that the opportunities in information security are advancing at a phenomenal pace as businesses, government and public services alike embrace fast-developing technologies to make them more effective. There are great opportunities to support core business objectives and make a rewarding contribution. This page will tell you more about market changes, skills shortages and opportunities.

 

Sans Institute Survey

Introduction

The UK has a problem. We are already having difficulty recruiting to cyber security jobs, professionals believe that the number of jobs will increase and work done by e-skills UK shows that the number of people applying to the IT sector as a whole is decreasing.

In a Sans Institute Survey

  • Over 90% of responses have difficulty in recruiting to cyber security jobs.
  • Nearly 60% of responses indicated that the number of cyber security jobs will increase
  • The increase is expected to be over all 8 of the job categories defined by the Institute of Information Security Professionals
  • The survey sample comprised a significant number of experienced professionals well equipped to make accurate judgements
  • Cyber security professionals enjoy their work for reasons that are as varied as the jobs. The fact that no two days are the same, the challenge and the interest of the work and a sense of doing something worthwhile were repeated themes. Those that commented on pay thought it was not so bad!

Background

Cyber Security Challenge UK Limited was set up in March 2010, as a not for profit company to address reported problems in the UK about:

  • The difficulty of recruitment to cyber security jobs
  • Predictions about an increase in the number of cyber security jobs
  • A decrease in the number of people applying to fill cyber security jobs

Sans Institute, a founder sponsor of Cyber Security Challenge UK, funded a survey which has tested these assumptions and also obtained information for a Sans booklet on the very best cyber security jobs, the ones that we might all aspire to fill. The results of this work can be obtained from Sans www.sans.org

The Institute of Information Security Professionals (IISP), a key member of the Cyber Security Challenge Management Consortium, shared its research categorising the types of jobs in the world of cyber security. This very valuable work has enabled much useful analysis and more in depth work will feature on www.instisp.org

The data collected will wherever possible (given the confidentiality clauses in the survey) be shared to help raise awareness of the varied and exciting opportunities for work in cyber security and to drive forward the work on the professionalism of cyber security, skills and training and development paths that IISP, Sans, Cyber Security Challenge UK and many others are progressing.

The data was insufficient to give us an actual number for expected new jobs but we assess that it will be about 7,800. This number is derived from Microsoft’s prediction of a need for 78,000 new jobs in the IT sector in the UK in the next 5 years and professionals’ views that the gearing between the number of cyber security jobs and IT jobs

Who Was Surveyed?

The 255 people who responded:

Are a relatively senior group of professionals.

Practitioner Junior 5.1%, Senior Practitioner 29.8%, Subject matter expert 27.84%, Head of specialism 17.25%, Director 15.29%, Other 4.71%

Are largely experienced, having worked in cyber security for some years.

less than 2 year 8.34%, 2-5 years 17.65%, 5-10 years 29.8%, 10-20 years 38.82%, more than 20 years 5.49%

Work in all of the 8 job categories defined by the Institute of Cyber Security Professionals.

Are employed by the range of public and private sector organisations.

Difficulty in Recruiting

Over 90% of those surveyed indicated that it is difficult to recruit to cyber security jobs. The most problematic were those in incident response and threat assessment (job category 3) but policy, strategy and governance jobs came a close second.

This graph shows the percentage of respondents who found difficulty in recruiting to each of
the 8 job categories.

Expected Growth

Nearly 60% thought there would be a need for more jobs in cyber security in all 8 job categories. The biggest increase was predicted to be in jobs in architecture, engineering and design but incident and threat management came a close second.

This graph shows the percentage of respondents who expected an increase in the number of jobs in the next 5 years by job categories.

What do People in Cyber Security Jobs Do?

Some commentary is captured below to give a bit more flesh to the jobs people described.

For the detailed definition of job categories defined through research carried out by the Institute for Information Security Professionals (IISP) click here for job categories.

Incident and Threat Managers, Forensics Experts

One way or another, your job is right at the coal face. You might manage the security of your organisation’s network and keep attackers out. You may work for a company which tests other’s networks to assess their security and advise how to make them less vulnerable to attack. No-one is able to avoid all incidents, so you may also be an incident manager, able to respond quickly in a crisis and manage the impact. There may be difficult choices for the business to make. You will need to work with other managers who may not have your technical understanding of what has happened or what needs to be done to get systems back working but will know about the impact on the business if certain functions are stopped. You might need to do forensic analysis – to see how the attacker got in and what he did. Planning what to do to respond to different incidents, balancing all the different demands will be important to managing a crisis well and you are likely to be an important member of the business continuity planning team. There are some very technical jobs in this area examining new malware, working out countermeasures and much more. And of course it is not all on networks now mobile devices are increasingly holding more data and carrying out functions previously only possible on a computer.

Risk Analysts and Managers

To do this you need to understand how different threats will impact on a business and advise about which risks to cover off and which to take. The Board will be listening to your advice and you will need to be able to explain the risks in non-technical language that shows the impact on business clearly. Some risk managers are non-technical and have come up through the business, others come from the technical side of the business. Some people are involved in the audit of networks and ensuring that compliance issues are understood and dealt with. One reply to our survey said that these people “go and speak to our clients about risk and compliance, explaining the law, any changes in legislation and identifying weakness and helping clients to comply”. You will need to work very closely with:

Policy Makers and Strategists

These are the people who devise the security policies that will define how a company deals with lots of different security risks. Getting the policy right is a must for an organisation to meet its legal obligations. Getting people to implement policies means showing people why they matter and raising awareness of the potential consequences of not following advice. In the private sector you have CISOs (Chief Information Security Officers) leading this work often supported by a team. In Government there are ITSOs (IT Security Officers) and DSOs (Departmental Security Officers). The latter are responsible for physical, personnel and information security issues and the IT Security Officer usually reports to them.

Operations and Security Management

You may be responsible for protecting your organisations data on its networks, laptops or mobile devices. As we all chose different ways to work and the development of new technologies is creating new possibilities daily you will have to keep up to date. You may manage encryption and other protective measures like the rules on Firewalls, security logs and incident reporting.

Engineering, Architecture and Design

If you can get the design of a system right then you can make it tough for attackers to get in. But the situation changes daily and if you are to keep up you will need to run fast. You may be dealing with hardware or software, design and development or secure applications. You may be talented secure software writer – too many of our coders in the past have been driven by the pressure of being first to market and have had insufficient awareness of security. You may design security tools or sell them. Sales and marketing is an essential part of the business.

Education, Training and Awareness

Training is an ongoing need for most of us in business nowadays. As new technologies come on line staff need to understand how to use them effectively to enable the business and also securely so new risks are managed. And the experts need to be kept up to date too so they understand new attack vectors, new ways of managing security, new ways of assessing and communicating risk. Some sales jobs are closely aligned to this work as they educate customers about what they need in their business. There are a number of training companies that deal with all levels of training and the best work hard to keep their material up to date. One of the respondents in our survey described his job as: To raise awareness in Cyber Security related matters both internally and as a service to other organisations. To produce, accredit and provide Cyber Security training courses internally and to other organisations as a service.

Research

There are many areas of research some highly technical and others much more policy orientated. Some create complex models to help us understand situations that are changing faster than we can comprehend without technical help. Others are thinking about the technologies of the future and how they may help us manage security better. Respondents to the survey described the jobs as “To investigate new technologies to manage risk and to learn to manage risk with new technologies. Most people in security research concentrate on the former, crypto, firewalls, etc yet the latter, securing Internet 2.0 is far more important”; “Looking for the next ‘big thing’”; “Researching the way attacks are conducted in the real world. Tracking of various types of malware and how they change thereby making it possible to prevent major strikes against customers. Invent new products based on what is seen in the real world and work with developers to produce these products.”

Lawyers specialising in advice and prosecution for Internet crime and data protection

Advice and prosecution of data security and Internet crime. It is not easy to prosecute the perpetrators of these crimes and companies need help to understand their responsibilities and to put evidence together. Since the data losses of recent years there have been some significant changes in the law. For example organisations which don’t sufficiently look after people data on their systems may be fined up to £0.5million so many want to have their security policies audited to ensure they are fit for purpose.

Next Steps

The Institute of Information Security Professionals plan to research this data further and others working on professionalism and related areas may also garner further results.

The Cyber Security Challenge hopes to assess changes further next year by repeating parts of this survey and attempting to get more data on the detail of skills needed so we can tailor our competitions to encourage interest in the skills that business and government need.

Job Categories

The specialisms, as defined by the Institute of Information Security Professionals (IISP), listed with some of the Roles are as follows:

Category 1

Strategy, Policy, Governance. Strategist, Policy Manager, ITSO, DSO, CISO.

Category 2:

Risk Management, Verification and Compliance. Risk Analyst, Risk Assessor, Business Information Security Officer, Reviewer, Auditor.

Category 3:

Incident and Threat Management and Response. Incident Manager, Threat Manager, Forensics – computer – mobile and network – analyst, CSIRT, Attack Investigator, Malware analyst, Penetration Tester, Disaster Recovery, Business Continuity.

Category 4:

Operations and Security Management. Network Security Officer, Systems Security Officer, Information Security Officer, Crypto custodians, Information Managers.

Category 5:

Engineering, Architecture & Design. Architect, Designer, Development, Secure coding, software design and development, applications development. Security tools, Implementation.

Category 6:

Education, Training and Awareness. Security Programme Manager.

Category 7:

Research. Security Researcher.

Category 8:

Lawyer for advice and prosecution re data protection and Internet crime.

Difficulty in Recruiting by Specialism

Job Category 1: Strategy, Policy, Governance. Strategist, Policy manager, ITSO, DSO.

Job Category 2: Risk Management, Verification and Compliance. Risk Analyst, Risk Assessor, Business.

Job Category 3: Incident and Threat Management and Response. Incident Manager, Threat Manager, Forensics – computer – mobile and network – analyst, CSIRT, Attack Investigator, Malware analyst, Penetration Tester, Disaster Recovery, Business Continuity.

Job Category 4: Operations and Security Management. Network Security Officer/Systems Security Officer, Information Security Officer, Crypto Custodians, Information Managers.

Job Category 5: Engineering, Architecture & Design. Architect, Designer, Development, Secure Coding, Software Design and Development, Applications Development, Security Tools, Implementation.

Job Category 6: Education, Training and Awareness.

Job Category 7: Research. Security Researcher.

Job Category 8: Lawyer for advice and prosecution re data protection and Internet crime.

Expected Growth by Specialism

Job Category 1: Strategy, Policy, Governance. Strategist, Policy manager, ITSO, DSO.

Job Category 2: Risk Management, Verification and Compliance. Risk Analyst, Risk Assessor, Business.

Job Category 3: Incident and Threat Management and Response. Incident Manager, Threat Manager, Forensics – computer – mobile and network – analyst, CSIRT, Attack Investigator, Malware analyst, Penetration Tester, Disaster Recovery, Business Continuity.

Job Category 4: Operations and Security Management. Network Security Officer/Systems Security Officer, Information Security Officer, Crypto Custodians, Information Managers.

Job Category 5: Engineering, Architecture & Design. Architect, Designer, Development, Secure Coding, Software Design and Development, Applications Development, Security Tools, Implementation.

Job Category 6: Education, Training and Awareness.

Job Category 7: Research. Security Researcher.

Job Category 8: Lawyer for advice and prosecution re data protection and Internet crime.

 

Cyber Security Whitepapers

Click here to sign up for our challenges now or email queries@cybersecuritychallenge.org.uk