Skip navigation

Security Salary Dice Report Image-500x657.jpgA recent report from shows how tech security jobs are far outpacing their IT counterparts.  It is part of a bigger trend as we see demand outstrip supply for cybersecurity professionals.  The cost of hiring or retaining talent continues to climb as organizations struggle in a market with depleted quantities of quality resources.  In highest demand are the security leaders, managers, and skilled engineers.  These roles are the anchors to a healthy security organization and critical for success.  They provide the mentorship, direction, expert guidance, and skills necessary to deliver against challenging tech obstacles, meeting the expectations of concerned executives, and countering the acts of creative cyber opponents.

The rise in salaries should come as no surprise.  Security experts have been predicting this for some time and there is not likely any relief for at least a few years.  The increase in compensation is a result of a hiring pool which is basically dry and demand for security capabilities continues to rise quickly.  The need for cybersecurity is growing in almost all industries, as attacks, breaches, and regulations continue to rise.  Some estimates predict a deficit of over a million computer security jobs by the end of 2020.  This is effectively driving up the salaries.

It is great news for the professionals already in the field.  Job security is at an all-time high.  It is commonplace for top and even medium tier talent to be pursued with enticements to change employers.  They are being lured with bigger paychecks and companies are defensively responding with improved compensation to retain the talent they have.  Else they will be in the unfavorable position of themselves trying to attract resources in a very competitive environment.

Human Resource departments can help by staying on top of competitive salary reviews for current security professionals to insure compensation is at the right level to retain talent.  In a presentation to a Chief Human Resources organization last year, I outlined a number of different areas where HR can play an important role in cybersecurity, including overcoming the challenges of hiring of new talent.  HR should be prepared to have candid discussions with managers asking to hire new security staff, as the market price may be misaligned to budgets, compensation disparity could be disruptive to current staffing expectations, and it may take an unusually long time to successfully fill a role.

HR for Cybersecurity Hiring.jpg

2015 International Security Education Workshop.jpgThis is also a great opportunity for higher education institutions to retool and prepare the next generation of security pro's to fill the needs of the industry.  In May, I spoke at the International Cyber Education Workshop, hosted at Georgia Tech in Atlanta, where educators from top academic institutions were working together to figure out how to upgrade their programs to best prepare their cybersecurity graduates to take management and technical leadership roles in the industry.  Additionally, I see a great direction set by the Cyber Education Project (CEP) initiative, which is a diverse group of computing professionals representing academic institutions and professional societies developing undergraduate curriculum guidelines and a case for accreditation for educational programs in the “Cyber Sciences”.  Education programs are the key to increasing the capabilities and numbers of professionals entering the field.

Until the supply of security professionals can come close to meeting demands, the salaries will continue to rise.  Where deficits in hiring quality staff exist, the risks of loss will remain elevated, reinforcing even greater demand.  It is a vicious circle and the only way to break free is with more security talent in the field.

Matthew Rosenquist is a Cybersecurity Strategist at Intel, an Advisory Board Member of the Graduate Professional Studies for Brandis University, and contributor to the Industry Advisory Board of the Cyber Education Project organization

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


HR and security? Don’t be surprised. Although a latecomer to the security party, HR organizations can play an important role in protecting assets and influencing good security behaviors. They are an influential force when managing risks of internal threats and excel at the human aspects which are generally snubbed in the technology heavy world of cybersecurity. At a recent presentation given to the CHO community, I discussed several overlapping areas of responsibilities which highlight the growing importance HR can influence to improve the security posture of an organization. 


The audience was lively and passionate in their desire to become more involved and apply their unique expertise to the common goal.  The biggest questions revolved around how best they could contribute to security.  Six areas were discussed.  HR leadership can strengthen hiring practices, tighten responses for disgruntled employees, spearhead effective employee security education, advocate regulatory compliance and exemplify good privacy practices, be a good custodian of HR data, and rise to the challenges of hiring good cybersecurity professionals.  Wake up security folks, the HR team might just be your next best partner and a welcomed advocate in the evolving world of cybersecurity


Pivotal-Role-of-HR-in-Cybersecurity from Matthew Rosenquist



Presentation available via


Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


My Blog: Information Security Strategy

Global Manipulations.jpgUS Office of Personnel Management (OPM) recently announced a massive data breach, containing very personal and private data of government and military personnel.  The stolen data was originally gathered to process security clearances and contains a plethora of background information, including criminal records, mental conditions, drug usage, veteran status, birthdates, social security numbers, pay histories and pension figures, insurance data, financial records, home addresses, contacts, and other profile data.  Millions of records in total were stolen, for current and previous government workers, contractors, and partners.  Investigators concluded the attack was conducted by another nation state. 


This leads to the question of why would another nation launch such an attack and how will they use such personal information to their advantage?  The answers might be shocking.


Unlike cybercriminals, who would be interested in opening lines of credit, filing fictions tax refunds, creating false identities, siphoning financial assets, and fraudulently charging on accounts, nation states have different motivations which drive their actions.  Nation states are interested in influencing policies in their favor across the globe, boosting national economic strength, military power projection, enhancing intelligence gathering capabilities, and protecting themselves from foreign attempts to do the same against them.


For centuries, one of the best ways to accomplish these goals has been by influencing, manipulating, or outright controlling important people in other countries.  Employing tactics to achieve such lofty goals requires two things.  First, key foreigners with the necessary power or access must be identified.  Secondly, the means to best influence them must be determined.  History has shown that with both pieces to the puzzle, governments can maneuver in advantageous ways to achieve nothing short of world change.  


Many nations have elaborate infrastructures and organizations dedicated to these goals.  They use a variety of Open Source Intelligence (OSINT), Human Intelligence (HUMINT), and Cyber Intelligence (CYBINT) methods to gather insights and data.  Nowadays, OSINT is very effective and with the meteoric rise in social media sharing and personal applications, has become a highly productive tool at providing personal details of a populace.  However, the deepest secrets and most private information is still difficult to come by.  CYBINT can fill the gaps and provide the hard to come by intelligence and personal connections which are highly valuable for these campaigns. 


Profile Intelligence
With the wealth of personal data fleeced from OPM, an attacker can begin building a database of interlocking profiles.  The result is a network showing people, connections, access, knowledge, and spheres of influence.  This information will be blended with any other high confidence data, garnered from other sources, to paint a better picture of individuals who may be of interest.  They will likely be looking for those who are active in local and national politics, drive or enforce inter-agency government policies, leaders and technical advisors to the military, those who possess influence in the decisions of others, have internal access to valuable data, are part of the offensive/defensive intelligence apparatus, and people who have earned the trust of those in power.


These people become targets of focus and opportunity for various types of influencing tactics, including bribery, blackmail, marketing, facilitation of revenge, social pressure, ethical conundrums, retribution of justice, and demonstrations of patriotism.   Professional manipulators can be very creative in how to position and push people in certain directions.


Methods of Influence
These profiles are also intended to give insights to how people can be motivated and controlled.  Building a collective social picture can show how key individuals are influenced.  It may highlight the respected close community around a target who offer advice and guidance.  Past indiscretions can provide an understanding of how someone is vulnerable to situations involving drugs, money, sex, ideology, or fame.  This can be exactly what is needed by manipulators. 


Personal and private information can be embarrassing or give the necessary signs of weakness.  Some people can be blackmailed, threatened, tricked, cheated, bribed, or flipped to provide information, access, or facilitate the influence of others.  A cascade effect can take place as people are linked.  In rare cases, some assets may be groomed to become direct action operatives, where the risks, impacts, and rewards can be much higher. 


Achieving success is no easy task for nation state orchestrators.  Private information is a highly prized chip in this game.  The more sensitive, revealing, and humiliating the data, the more valuable it is to those who plan to use it as leverage for their benefit.


Beyond the targeting of individuals, such data can be valuable in other ways.  To disrupt the operational effectiveness of an organization, key personnel can be affected with campaigns to publicly embarrass or undermine renewals for top clearances therefore causing gaps or delays in the work of important positions.  This can also provide advancement avenues for others who may be more conducive to support the attacker’s objectives.


Compromising computer systems becomes much easier.  In the cybersecurity realm, private information and a list of known contacts makes phishing attacks near impossible to defend against.  Emails, texts, attachments, and files can appear to be sent from friends, family, coworkers, academia, and professional colleagues with no good way for the average person to discern the difference between legitimate and malicious, until it is too late.  These phishing attacks can bypass system defenses and allow hackers to gain access to computers, networks, databases, and cloud environments.  Follow-on attacks in this manner should be expected, both at home and work.  Infecting and controlling devices of people with security clearances is an opportunity not likely passed-up by nation state attackers.


The data itself has value and can be sold, traded, or given to a variety of other groups.  Terrorists, allies, political rivals, in-country revolutionaries, radicals, or other nation state intelligence agencies would be likely interested parties. 


There are national economic advantages as well.  Discretely providing profile data to state-owned companies can greatly improve their business negotiations, bidding, pricing, employee recruiting activities, and overall competiveness abroad.  This can boost domestic economies while undermining foreign positions.  


Politically, in a bit of irony, such attacks may also drive the desire of attacked nations to establish international accords governing global cybersecurity practices with their attackers.  In essence, hacking can motivate governments to come to the negotiation table and put them at a disadvantage in the agreement of terms.   


With the loss of millions of highly personal records, the outlook is not a pretty picture.  Time will tell which of these tactics will be employed by those who took OPM data.  But keep in mind such spycraft has been around for thousands of years.  The intents and purposes are not new, just the scale, tactics, and tools have changed to include the information rich world of cyber. 


My heart goes out to those whose data was part of the recent breach, their families, friends, and associates.  In a very personal way, they are all now part of a larger geopolitical game.  Take all necessary precautions to protect your name, reputation, finances, history, and honor.  Although the attack cannot be undone, governments around the world can learn from these situations and institute better controls, data policies, and political responses to protect future generations.