Cyberpay, CyberBreaches, CyberRisk, Cyberskills shortage, and Economics
- Joel Van Dyk
- May 5, 2021
- 4 min read
At the beginning of the month I found this very interesting report, “2021 US Cybersecurity Salary & Employment Study” (https://www.comparitech.com/blog/vpn-privacy/cybersecurity-employment-study/). I had just read the commentary by Yuval Noah Harari, author of “Sapiens” (https://www.amazon.co.uk/Sapiens-Humankind-Yuval-Noah-Harari/dp/0099590085), showing that one of the top 4 trends over the last year, and one that helped us survive the events of COVID and lockdown, was the internet. So, my first thought was, based on simple economics, supply and demand, that this report would show a large increase in CyberSecurity jobs and salaries. Because keeping a key global asset, and your access to it, secure should be everyone’s top priority.
I was disappointed. The average US-wide changes were from 2019 through to 2021:
- Average annual salary for cybersecurity roles: Increase of 2.37% from $92,789 (2018) to $94,984 (2019).
- # of people in cybersecurity roles: Increase of 16.15% from 108,440 (2018) to 125,950 (2019).
- Employment per 1,000 people: Increase of 12.4% from 0.72 (2018) to 0.81 (2019).
- # of job vacancies currently available: Increase of 5.64% from 44,362 (2019) to 46,866 (2021).
- 10-year growth projection for roles: Increase of 7.62% from 0.27% (2016-2026) to 0.29% (2018-2028).
Certainly a respectable increase, but on the bottom line of salary, not stellar.
It got me thinking. What is the basic economics around this? I’m a physicist and not an economist, but I do read a fair amount of economics these days. One would expect the law of supply and demand to operate, i.e. demand is up, and the supply of talent cannot expand as quickly as the hackers and other problems are hitting us. On the demand side, just a look at the breaches we’ve had this year so far is alarming (https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/):

This graphic is one that I look at a lot. The frequency and size of records lost is very well represented. The impact is represented less well: the “Solar Winds” hack is a small circle at the top right, yet its impact is outsized relative to the number of records lost, because what was lost was a potential backdoor into many global companies and governments.
Another way of looking at demand is the downside risk, i.e. penalties. They are up, way up. It used to be that the only real penalty, outside of the financial community, was reputational, which was written off with insurance and credit monitoring. However, as we’ve been seeing in the press, the fines and lawsuits being levied against those found to be at fault in their cybersecurity practices are rising. CSO last month published a very good roundup of the fines levied over the last few years (https://www.csoonline.com/article/3410278/the-biggest-data-breach-fines-penalties-and-settlements-so-far.html). They have gotten higher and higher. They promise to become a real hole in the bottom line of a company, given the fines that the regulators in Europe can levy for GDPR. So far, UK GDPR and DPA 2018 set a maximum fine of £17.5 million or 4% of annual global turnover – whichever is greater – for infringements. The EU GDPR sets a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements. Ok, still relatively small, but infringements can add up.
The other side of the equation that is always mentioned is skills: we don’t have enough trained people to close the “skills gap”. This generally comes out of conferences and talking shops where a lot of influential people say this is true. As a point of reference, as a practicing CISO: I’ve never had a problem finding skilled people who either had the skills.
I do read some economics, and the Nobel prize winning economist Paul Krugman took this on squarely a few years ago (https://www.nytimes.com/2014/03/31/opinion/krugman-jobs-and-skills-and-zombies.html). If there were such a thing as a supply shortage/“skills gap” in a time of fast growing demand, you would expect to see CyberSecurity salaries going up to match the demand. In the famous phrase, “show us the money”. As we’ve seen above, that is not the case.
On the other side of the coin, you’d expect to see those without Cyberskills doing less well. Also not the case (again, from 2014, but you can check if it’s changed: https://www.epi.org/publication/shortage-skilled-workers/). According to Dr. Krugman, you would also expect to see a short term rise in long term unemployment for those who don’t have Cyberskills. Again, that isn’t the case if you look at the Federal Reserve Economic Database (FRED.gov) or (https://www.brookings.edu/bpea-articles/are-the-long-term-unemployed-on-the-margins-of-the-labor-market/).
We can say, from the above, that the number of people hired for or working on CyberSecurity has gone up overall, but their compensation has not gone up a lot. What is going on here? Are we still not prioritizing CyberSecurity talent? Is it because we are doing a bad job of explaining the risk, and how much we are worth and contribute in mitigating it?
What I would urge anyone reading this who is not a Cybersecurity professional, is to paraphrase Garth Brooks, “do not delay, call your Cybersecurity professional today.” Any cost you incur now will be small compared with the cost and risk you incur in the future. There are many capable professionals such as myself ready, willing and able to help.