Cybersecurity GRC Job Data

Economic Reasons to Consider this Underrated but Awesome, Unseen Path

Author

Steve McMichael
April 15, 2024

Table of Contents

Information Security Analyst is the 5th Fastest Growing Occupation in America

Bureau of Labour and Statistics

The economic allure of cybersecurity is undeniable, despite current headwinds. Information Security Analyst is the fifth fastest growing occupation in America according to bls.gov, with median pay of $112k USD and a 32% growth rate expected from 2022 to 2032.

This growth rate is 10x higher than the 3% average.

So in addition to:

  1. Having the most compelling mission in business: to fight crime, espionage and war in the fifth domain of cyberspace

  2. Being full of meaningful work and relationships for people aligned to that mission

  3. Opening up remote and work possibilities, if desired

There’s a strong economic reason to consider a career in Cybersecurity, including the underrated but awesome, “unseen path” of GRC.

ISC2 Cybersecurity Workforce Study

According to ISC2 the global cybersecurity workforce reached 5.5 million filled and unfilled jobs in 2023, which represented 8.7% YoY growth.

Cybersecurity Workforce Study

How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce

www.isc2.org/research

Source: ISC2

Of these jobs needed to secure companies, 1.3M were in the United States (+11% YoY growth) and 157k in Canada (which grew 13% YoY).

2023 Cybersecurity Workforce Estimate, ISC2

Not all of these jobs are filled together, and demand is outpacing supply, especially in Canada with 53% growth, according to ISC2.

2023 Cybersecurity Workforce Gap, ISC2

It’s important to note what this year’s workforce gap represents. The workforce gap calculates the difference between the number of cybersecurity professionals that organizations require to properly secure themselves and the number of cybersecurity professionals available for hire. The workforce gap does not aim to estimate the actual current job market for cybersecurity professionals. During times of economic uncertainty, many organizations have made cutbacks involving hiring freezes and layoffs, which we discuss in more detail throughout this paper. This, however, does not affect the workforce gap because organizations’ need for cybersecurity workers remains the same regardless of whether or not those organizations currently have the funds to actually hire and employ sufficient staff.

ISC2 2023 Cybersecurity Workforce Study

82% US National Supply/Demand Ratio: Cyberseek.org

Only 82% of jobs are filled in 2024, leaving 448k openings, +67% growth in openings since 2010

Cybersecurity Job Supply And Demand

A granular snapshot of demand and supply data for cybersecurity jobs at the state and metro area levels

www.cyberseek.org/heatmap.html

Canadian Job Openings

Canadian Cybersecurity Jobs

Search thousands of jobs from the many different job boards, classifieds and company websites on canadiancybersecurityjobs.com which connects top talent with the best jobs in Canada.

canadiancybersecurityjobs.com

What Drives the Job Growth?

Gartner Forecasts Global Security and Risk Management Spending to Grow 14% in 2024, to $215B

Worldwide end-user spending on security and risk management is projected to total $215 billion in 2024, an increase of 14.3% from 2023. Drivers: continuous adoption of cloud, continuous hybrid workforce, rapid emergence and use of generative AI (GenAI), and the evolving regulatory environment.

www.gartner.com/en/newsroom/press-releases/2023-09-28-gartner-forecasts-global-security-and-risk-management-spending-to-grow-14-percent-in-2024

$200B+ Industry Growing Double Digits:

The role of cybersecurity has only become more important for the modern enterprise, driven by the need for organizations to keep up with the evolving threat landscape.

This number will only continue to grow because, fundamentally, the cost of performing an attack against an adversary has been significantly lowered with more breakthroughs in technology. For example, Ransomware-as-a-Service (RaaS) uses affiliates to deploy already-developed ransomware software, making it incredibly easy (as little as $40/month) for new attackers to infiltrate harm to a victim. A threat actor doesn’t need every attack to be successful in order to become rich.

But What About Tech Layoffs?

Tech Layoffs Tracker

So far in 2024, there have been 460 layoffs at tech companies with 82,368 people impacted (800 people per day). In 2023, there were 1,535 layoffs at tech companies with 241,176 people impacted.

www.trueup.io/layoffs

“It Will Be a Great Industry For Years To Come: Consider the Future Payoff”

Despite the tech industry's notorious layoffs, expect a long-term expansion driven by the fundamental need for digital protection.

Why should aspiring cybersecurity professionals join the industry? | Rob Black | Fractional CISO

“Should aspiring Cybersecurity professionals join the industry? Yes. It is a great industry and will be for years to come. Evidently others do not agree… You should join an industry not only because what is going on today but what the payoff is in the future.”

Zooming into GRC

Within the Workforce Framework for Cybersecurity by the National Initiative for Cybersecurity Careers and Studies (NICCS), Risk Management is the one I pursued coming from an accounting and business administration background.

Here’s an overview of this area from NICCS:

Risk Management | NICCS

Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives. Below are the roles for this Specialty Area.

niccs.cisa.gov/workforce-development/nice-framework/specialty-areas/risk-management

GRC Skills Are Sought by 26% of Hiring Managers

The ISC2 Workforce study highlighted Governance, Risk & Compliance (GRC) skills as being among the top in demand, among the diverse functions a Cybersecurity organization needs to be able to Govern, Identify, Protect, Detect, Respond and Recover.

Source: ISC2 2023 Workforce Study

GRC Salaries and Job Openings

Here are some interesting data points I found in today’s spreadsheet download of the Global InfoSec/Cybersecurity Salary Index:

GRC Role Salary Data

Filtering for GRC job titles, 9/10 have average salaries that are 6 digits

US Job Opening Count

Most of the jobs are Mid and Senior-Level, but Entry Level openings exist

Legend

EN

Entry Level / Junior

MI

Mid-Level / Intermediate

SE

Senior-Level / Expert

EX

Executive-Level / Director

Entry Level GRC Role Salary Data

Salary ranges for the

The Global InfoSec / Cybersecurity Salary Index for 2024

An open database of salaries in the InfoSec / Cybersecurity space.

infosec-jobs.com/salaries

Open GRC Analyst Jobs on Linkedin

255 open in Canada

2,416 open in the US

But Nobody Likes Compliance/GRC?

I’ve you’ve spent 10,000 hours with hands on keyboard building and breaking IT systems, fine - I agree that’s cooler than GRC work. However,

  1. GRC might be a good temporary rotation for you on your path to become an executive

  2. People with diverse backgrounds (like accounting) that don’t have 10k hours of hands on keyboard experience, can bring boatloads of value to solving the cross-functional problem of protecting and enabling the business in cyberspace.

  3. I really enjoy working in GRC and find it to be a great fit for my background

  4. I list/rant about 7 specific reasons that GRC is awesome and underrated here:

What About Mid-Career and Non-Technical Backgrounds?

More professionals with no prior cybersecurity experience but with a more diverse technical background are applying to cybersecurity jobs. This contributes to a growing trend of experienced professionals from outside the field joining the cybersecurity industry midway through their careers, compared with a traditional wave of college graduates who have more education than on-the-job experience. This new trend helps normalize cybersecurity as a viable option for capable, experienced professionals from outside the industry looking to make a midcareer change.

ISC2 2023 Cybersecurity Workforce Study

51% of hiring managers are accepting more applications from applicants with non-cybersecurity backgrounds, and 41% are recruiting non-technical people within their organization to move to cybersecurity. I was one of them in 2020.

Pathways are changing. In 2023, new entrants into the cybersecurity profession are considerably older on average than they have been in the past, with 48% of new entrants joining at age 39 years or older. This is a significant difference from 2022 (24%) and shows a change in the pathways into cybersecurity (see figure 39).

ISC2 2023 Cybersecurity Workforce Study

Growth of new entrants into the cybersecurity profession aged 39+ is up year over year.

What’d I Miss?

Whether you're at the outset of your career or considering a mid-career transition like mine, the business case for Cybersecurity GRC looks strong for growth, challenge, and the chance to make a tangible impact in the fight against cyber threats.

I hope this data is helpful to advance your career goals. What do you think and what data sources did I miss? Let me know in a YouTube comment and good luck getting after it!