Q4 Cybersecurity talent market report

’Tis the season for breaches // high-paying remote jobs

Hello friends,

Happy holidays! I hope your holiday season has been fantastic and that you are finding moments of joy and tranquility as we wind down the year.

We have a special treat for this year’s final issue of The Human Element. As you know, at Crux we host the largest hand-curated cybersecurity job board on the internet, and we combine this data with our tracking of candidate movements to synthesize what’s happening in the cybersecurity job market.

Each quarter we combine this analysis with a deep dive on a topic of market relevance.

In Q4, we saw unusually depressed figures for turnover and promotion, down from an already slow Q1-Q3 2023. Yet, through our conversations, we see an unusual amount of readiness in the talent pool for the next move. We think that this is going to lead to a significant uptick in turnover in 2024, assuming we have a reasonably healthy broader economic picture.

Security leaders have historically highlighted turnover as one of their toughest challenges. And just because it was easier in 2023 doesn’t mean it’s gone away.

If you are a security leader thinking about 2024 priorities, now’s the time to take a fresh look at how you are doing and what can be tuned up.

Additionally, as always, you’ll find the latest stats on in-demand skills, compensation, and where growth is happening.

A PDF version of the report is available here if you would prefer to read that way.

Enjoy, and have a wonderful close to your year. Wishing you and your families all the best.

Regards,

Brad

Q4 2023 Cybersecurity Talent Market Report

Focus area: Retention

Turnover: A very real vulnerability

While this has been a slower-than-average year for people leaving their jobs, turnover rates in security typically average 20-25% per year, high relative to most sectors of the economy.

The loss of team members, particularly experienced ones, is often accompanied by loss of institutional knowledge, productivity, and coverage.

In short, it’s a major risk and perennial frustration.

It is also largely an addressable one.

High rates of turnover are an outcome and a symptom of deeper issues. The root causes can vary significantly company to company and team to team but usually have common themes.

To understand why people leave their jobs, you first have to start with the basics of what most people want:

  • To learn and grow, and have an appropriate degree of challenge

  • To feel that their contributions are valued and having an impact

  • To be fairly compensated for their efforts and their skills

  • To feel that their work has meaning

  • To be able to have a balanced life

  • To be trusted by, and to respect, the people that they work with

Usually, when people leave, one or more of these is lacking.

Specifically within cybersecurity at the staff level, these are the issues we often hear:

  • They feel stuck and don’t see a path beyond their current role

  • Expectations of their role and performance aren’t clear or aligned

  • They don’t feel that their voice is heard

  • Burnout from too many tasks and expectations that don’t align with reality

  • This year in particular, we have seen a lot of frustration with return-to-office policies / the end of WFH

We expect to see a return in 2024 to historical (or higher) levels of turnover

Operating under a base assumption that the global economy will return to something more normal in ‘24 (1-2% GDP growth, lower inflation), we see pent-up desire for movement. This has been a year of reduced promotions and budget headwinds, and we speak with many candidates who are ready to hop to their next step when the opportunity arises.

Now is the time for leaders to get ahead of it.

It’s not the compensation. Repeat, it’s not the compensation.

If you just went by exit interview data (when it exists) or conversations with hiring managers, you’d believe that everyone leaves to get higher compensation.

That’s not true. 

In our experience, that’s a cover for deeper issues. Don’t accept the common scapegoats of compensation and company cultural issues. While lower-than-market comp certainly increases risk, people will accept that if they feel a strong sense of connection to the institution and the mission.

As with so many things in cybersecurity, the fundamentals really do matter.

There is no magic wand that will make turnover challenges go away. Mostly it comes down to the fundamentals: managing people well. So while reductions in unwanted attrition are a benefit, there are good reasons to implement these practices because, fundamentally, they will lead to a better talent pipeline, more productive teams, a more cohesive culture and, ultimately, a stronger security posture.

1) Construct explicit career paths

This is the single most important lever. It’s also stunningly uncommon. Don’t take the easy path of just slapping together job descriptions whenever someone leaves. Design a structure that gives a framework for promotion, visibility into future compensation potential, and an avenue for mobility.

Good models include:

  • Levelling within each area of specialization that is linked to graduating responsibilities, compensation, and title (e.g. engineer -> principal -> staff)

  • Stock job descriptions that clearly lay out responsibilities and specific skills that are required (this can be used as requirements for internal promotions)

  • Distinct technical and managerial tracks: don’t make people management the only way to advance. Many great technical people can struggle as managers.

Building a program that has clear career progression will lead to a more resilient organization and help attract better talent. And it builds people who know how to teach.

- Christophe Foulon, cybersecurity coach and vCISO

2) Build a genuine culture of feedback and clear expectations

If the only times you are giving or receiving feedback are during formal (mandated) sit-downs as a part of a performance management cadence, you are doing it wrong.

The best leaders are great at providing real-time feedback on a meeting, a report, or some deliverable. They make sure that expectations are always clear and that there are tangible examples of ‘what good looks like.’ At minimum, these conversations should be happening quarterly.

Your team should always know:

  • What their strengths are

  • What areas they should be working on

  • What they need to demonstrate progress on

  • How their priorities line up to department and company priorities

  • What expectations and objectives are: what, by when, and what good looks like

Additionally, you should make space for the team to provide feedback to you. And you should take it to heart.

3) Make development and growth central to your team identity

People who are drawn to careers in cybersecurity tend to be highly curious, enjoy solving problems, and are attracted by the nature of an ever-evolving field.

Growth and learning are central to their identities; they should be central to the identity of your team and program as well.

This goes beyond providing budget for certs. Companies that do this well also:

  • Allow time and budget for the team to participate in conferences and, when possible, support research and speaking opportunities

  • Provide stretch assignments and projects that push team members in new directions

  • Support lateral moves within and outside the security team

4) Cultivate trust

Trust is the single most important currency in any organization. It takes time to build and is quick to destroy. You can think about your actions as ones that add to your trust balance, or take away from it.

Trust is built through transparency, genuine positive intent, open communication, consistency (do what you say), and empathy.

People want to know that their leaders and peers have their back. This doesn’t mean that there isn’t performance management or that some people don’t make it. It means that along the way you are open, honest, and fair. It means that you nurture genuine connections with the team and don’t violate the trust they have in you.

People flee from environments in which they don’t trust their immediate manager, their peers, or senior leadership.

5) Hire, and fire, for fit

When hiring, you are looking for two things: 1) Do they have the technical skills to do the work and do it well, and 2) Will the way that they work support or detract from your culture?

In our experience, companies too often hang on for too long to the high performers who damage the culture (the brilliant jerk). Their visible delivery against some metric (sales, product, etc.) outweighs the harder-to-quantify negative impact on everybody else.

Toxic people (particularly leaders) will push talent away. As a leader, it’s your responsibility to hire people that you believe will thrive in and contribute to your culture (so you have to know and define it), and to let go of those that don’t. People who profess a set of values and then fail to live by them lack credibility. The people that work for them are just there for the paycheck. And they’ll jump when they see one that is higher.

A deep dive into our data: what employers are looking for

Certifications in demand

This is what our data show across >5,000 job descriptions. The green lines indicate relative demand within an area.

Technologies / domain expertise in demand

We’ve compiled the most frequently mentioned technologies and domains of expertise in the ‘qualifications’ and ‘responsibilities’ sections of job descriptions. Understandably, they vary significantly by discipline of cybersecurity. You can use this data if you are considering where to build expertise.

Individual contributor vs managerial roles

Generally, 60-80% of security jobs are individual contributor roles.

Highly technical roles tend to skew individual contributor, with ‘consultative’ roles having more managerial slots.

On average, a bit more than 60% of security jobs are on site, and this has stabilized in the back half of 2023.

Average salary by domain and level of seniority

In general, we are seeing high-level architecture / engineering roles, cloud security, and application security command the highest salaries.

Salary distribution by years of experience

The chart below shows the range of salary by years of required experience (in $K). The box represents the 25th-75th percentiles.

On average, each year of security experience is worth $10,000.

A wide distribution exists at each increment of experience, suggesting that high pay is available for the best talent.

Crux Apex list

Each quarter we recognize a set of standout employers. This time we are highlighting several companies that have a demonstrated track record of hiring entry level employees.

If you are looking to transition into cybersecurity, you should absolutely check these companies out.

Many of them offer internship programs in their cybersecurity department as well.

This quarter’s winners are:

We analyze the movements of ~100K cybersecurity professionals in the US to understand which sectors and geographies are growing.

Growth by state

This is a view of where security jobs are being created, by state.

Not surprisingly, the top quartile is led by high population states, suggesting a roughly even distribution of jobs relative to population.

Job growth by industry

Unsurprisingly, the most new jobs are being created in the IT space, as well as in large, regulated industries such as financial services and healthcare.

The lines show relative job creation.

Security leadership moves

Each quarter we track the big CISO jobs that were filled. Congratulations to all!

David Damato is now CISO at Citadel

Chris Betz is now CISO at AWS

Tim Williams is now VP, CISO at Insulet

Joe Marroquín is now CISO at Vestis

Ricardo Johnson is now VP, CISO at Dentsply Sirona

Troy Mattern is now CISO at StoneX

Karthik Swarnam is now Chief Security and Trust Officer at ArmorCode

Hadas Cassorla is now CISO at AssuredPartners

Brian Heemsoth is now EVP, CISO at FIS

Eric Herr is now VP, CISO at Ameren

Nicole Darden Ford is now CISO at Nordstrom

Eric Hussey is now CISO at Finastra

Julie Porro is now SVP & CISO at Anywhere Real Estate

Trina Ford is now CISO at iHeart Media

David Adler is now SVP, CISO at Banc of California

Shawn McGhee is now VP, CISO at Neiman Marcus Group

Tools, resources, and useful things from the internet

🌍NSA has published its 2023 cybersecurity year in review. It outlines their key activities on the defensive side of things and is worth a read to understand how your business or clients may benefit from some of their resources.

🐟Abnormal published a blog on trends in AI-generated phishing. There are several real-world examples to give you a sense of what threat actors are doing (Abnormal blog).

🔨OpenAI released a guide to prompt engineering.

🏢Kelly Shortridge published a good post on advice for cybersecurity teams to better integrate with and serve the business. She titles it ‘Cybersecurity isn’t special.’

🤖The robots are here. Thanks Elon (Tesla)

News

💥It’s been a busy week with news of major breaches:

Comcast had data from 36 million accounts compromised due to a Citrix vulnerability back in October. VF Corp disclosed that they are struggling to fulfill orders due to a breach. The news took ~8% off of VF’s market capitalization (WSJ).

Delta Dental disclosed that they had been hit by the MOVEit vulnerability (SC Mag).

Idaho National Lab, which does nuclear work, had information on 45K people (read: employees, contractors, ex-employees) stolen from its Oracle HRIS system (Bleeping Computer).

🦹The Alphv / BlackCat ransomware group was disrupted by the FBI, which released a free decryption tool and took down their network, saving $68M in ransomware demands (Hacker News).

🛡️OpenAI has outlined its risk model and governance plan, which appears robust on paper (OpenAI).

📱The largest cyberattack of the Ukraine war has occurred. Russians knocked out the Ukrainian mobile phone, internet and air-raid systems (Wired).

Jobs

We’ve had a big drop recently on the Crux job board. Check it out! This week we are featuring well-paying remote jobs.

💼Circle. Senior Director Security Ops ($250-350K)

💼Palo Alto Networks. Managing Director, Digital Forensics & Incident Response ($221-304K)

💼Human Interest. CISO ($200-275K)

💼Zscaler. Principal Product Manager, Cybersecurity ($172-245K)

💼Crown Castle. Principal Cloud Platform Engineer, IAM ($170-200K)

💼Business Wire. Principal of Security Operations ($160-210K)

💼Dropbox. Security Engineer ($156-294K)

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out!

🤝NetDiligence. Miami, FL. Feb 12-14.

🤝CactusCon. Phoenix, AZ. Feb 16-17.

🤝Rocky Mountain Cyberspace Symposium. Colorado Springs, CO. Feb 19-20.

🤝FS-ISAC Americas Spring Summit. San Diego, CA. March 3-6.

Thinking about your next move? Join our network

Looking for awesome talent? Post a need for free.

Crux is the talent platform for cybersecurity. Check us out.