Career Analysis into Cyber Security: New & Evolving Occupations

Transcription

1 Alderbridge Specialists in Info Security Specialist Recruitment Knowledge for e-skills UK s Cyber Security Learning Pathways Programme Career Analysis into Cyber Security: New & Evolving Occupations

2 e-skills UK is the Sector Skills Council for Business and Information Technology; an employer led organisation rated as outstanding in the re-licensing of the Sector Skills Councils. e-skills UK s mission is to ensure the UK has the technology skills it needs to compete in the global economy, working on behalf of employers to develop the software, internet, computer gaming, IT services and business change expertise necessary to thrive. Focused on making the biggest contribution to enterprise, jobs and growth across the economy, e-skills UK s three strategic objectives are to: inspire future talent, support IT professionals, increase digital capability. Delivery on these strategic objectives is underpinned by employer engagement across the sector, authoritative research, a continually developing sector qualifications and learning strategy and effective strategic partnerships Reserved, e-skills UK All rights reserved. No part of this material protected by this copyright may be reproduced or utilised in any form, or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system without prior authorisation and credit to e-skills UK. An e-skills UK publication, supported by Alderbridge Consulting Ltd. For further information please contact: e-skills UK 1 Castle Lane London SW1E 6DR Tel: Fax: info@e-skills.com Proprietor: e-skills UK Sector Skills Council Ltd Registered in England no The National Skills Academy for IT 1 Castle Lane London SW1E 6DR Tel: info@itskillsacademy.ac.uk The National Skills Academy for IT Registered in England no Registered office: Victoria House, 39 Winchester Street, Basingstoke, Hampshire RG21 7EQ The National Skills Academy for IT is wholly owned by e-skills UK Copyright e-skills UK Sector Skills Council Ltd

3 Contents Executive Summary... 1 Summary of Findings... 1 Introduction... 3 Scope... 3 Scope Limitations... 4 Section 1 Overview Pathways to Target Job Roles Non-Commercial roles Commercial roles Qualifications Demographic Profiles Section 2 Pathways to Target Job Roles Manager Consultant IT Security Consultant Account Manager Pathways to Other Roles Section 3 Qualifications and Degrees by Job Role Qualifications Degrees Section 4 Demographic Profiles by Job Role Location Age Distribution Gender Summary of Key Findings Summary of Section 1 Overview Summary of Section 2 Pathways to Target Job Roles Summary of Section 3 Qualifications and Degrees by Job Role Summary of Section 4 - Demographic Profiles by Job Role Copyright e-skills UK Sector Skills Council Ltd

4 Copyright e-skills UK Sector Skills Council Ltd

5 Executive Summa ry Executive Summary e-skills UK engaged Alderbridge Consulting Ltd, specialists in recruitment and consultancy, to undertake an analysis of their intelligence covering the current recruitment landscape within Cyber Security. This analysis contributed to the e-skills UK s Cyber Security Learning Pathways Programme. This report documents the output of this analysis and seeks to draw conclusions surrounding the demographic and academic profile of the UK Cyber Security sector, as well as highlighting potential educational and professional pathways to target job roles. The analysis, data and results are presented in this document within the following key reporting areas for Cyber Security in the UK: Age profiles Gender profiles Geographic profiles Job Title progressions Qualifications - learning & training pathways Pathways to target Job Title by Education, Qualifications & Experience Data is presented in tables, charts and graphical representations together with Alderbridge s summary analysis. Summary of Findings The most common pathway to non-commercial Cyber Security roles has been via other roles within IT. 46% of all professionals currently in non-commercial Cyber Security entered the profession in this way from their 3 rd previous role of their career history. As the overall body of professionals has grown, data collected over a period of 10 years suggests that now only 28% can enter the profession from a more general role in IT and 4% from a role outside of IT. Current non-commercial Cyber Security roles are being filled by seasoned and highly qualified professionals who are progressing within this relatively new profession. The most popular specialised routes within the profession are as an Consultant, IT Security Consultant and Manager. The two most common pathways into commercial/sales roles within Cyber Security are via non-it or general IT sales roles. 42% of professionals currently in Cyber Security sales began in more general IT roles and 21% started out in other industries. Overall, CISSP (Certified Information Systems Security Professional) is the most common professional certification, held by 54% of those in non-commercial roles. Around half of Cyber Security professionals have an undergraduate degree, with more of these being in non-commercial roles than commercial positions. The most common degree type is IT. The majority (over 6) of Cyber Security professionals across all job roles are located in the South East. The age profile across most roles was widespread, though for commercial roles it was slightly younger than for non-commercial roles. The gender profile was shown to be predominantly male across all job roles with a slightly higher proportion of females in the commercial roles compared to the other positions (19% compared to 1). Copyright e-skills UK Sector Skills Council Ltd

6 2 Copyright e-skills UK Sector Skills Council Ltd

7 Introduction Introduction On completion of Cyber Security recruitment data analysis conducted for e-skills UK, Alderbridge Consulting Ltd ( Alderbridge ) is pleased to present the findings in this report, which draws conclusions surrounding the demographic and academic profile of the UK Cyber Security sector, and to highlight potential educational and professional pathways to target job roles. Scope The scope of the work was to analyse Alderbridge s Cyber Security recruitment industry knowledge to produce data in three main areas:- Pathways to target job roles Professional qualifications Demographic information: o Geographic profiles o Age profiles o Gender profiles CYBER SECURITY ROLE Demographics Role History Qualifications Education Copyright e-skills UK Sector Skills Council Ltd

8 Demographics Education Qualifications Job History Age Location Gender Higher Education Information Qualifications - Current and Historic Job Title - Current Job Title - Historic Pathways to specific target jobs Cyber Security Role The analysis focused on the following 28 target job roles within Cyber Security:- Analyst Manager Consultant Officer IT Security Analyst IT Security Manager IT Security Consultant IT Security Officer Engineer Consultant Analyst Security Engineer Security Administrator CISO/Chief Officer/Head of Security Architect (variants of) Security Auditor PCI Consultant/QSA Consultants Computer/Digital Forensics Analyst/Investigator (variants of) Penetration Tester/Pen Tester Application Security Specialist (variants of) Sales Engineer Pre-sales Consultant Technical Account Manager Account Manager (with security) Business Development Manager (with security) Sales Executive (with security) Sales Manager (with security) Sales Director (with security) Scope Limitations The geographical scope of the analysis was across the whole of the UK. In order to present current information, only data produced from 1 st January 2007 onwards was used in all analysis except pathways to target job roles, for which data from 1 st January 2002 onwards was used when analysing previous roles. This amounted to 1750 data samples. Across these data samples, not all categories of data were available for analysis in some reports. 4 Copyright e-skills UK Sector Skills Council Ltd

9 Section 1 Overv iew Section 1 Overview 1.1 Pathways to Target Job Roles The target job roles can be categorised into two main areas: Non-commercial roles Analyst Manager Consultant Officer IT Security Analyst IT Security Manager IT Security Consultant IT Security Officer Engineer Consultant Analyst Security Engineer Security Administrator CISO/Chief Officer/Head of Security Architect (variants of) Security Auditor PCI Consultant/QSA Consultants Computer/Digital Forensics Analyst/Investigator (variants of) Penetration Tester/Pen Tester Application Security Specialist (variants of) Commercial (sales roles) Sales Engineer Pre-sales Consultant Technical Account Manager Account Manager (with security) Business Development Manager (with security) Sales Executive (with security) Sales Manager (with security) Sales Director (with security) The pathways to roles were determined by analysing the job history of Cyber Security Professionals whose current job titles are in the above list. The last three roles prior to the current role were noted to build up a picture of the most common pathways to roles within Cyber Security. Two additional occupations and Non-IT were also added to account for roles outside of the Cyber Security industry. The next section discusses the aggregated pathways across all roles within the noncommercial and commercial categories. Copyright e-skills UK Sector Skills Council Ltd

10 1.2 Non-Commercial Roles As can be seen from Figure 1, 46% of all professionals currently in non-commercial Cyber Security entered the profession in their 3 rd previous role from other general roles in IT. This figure reduces to 39% across all 2 nd previous roles. Figure 1 Aggregated pathways across all Non-Commercial roles 3rd Previous Role 2nd Previous Role 1st Previous Role 46% 39% 28% Consultant 7% Consultant 9% Consultant 13% IT Security Consultant IT Security Consultant IT Security Consultant 6% 5% 7% Manager 5% Manager 3% Manager 6% IT Security Analyst IT Security Analyst IT Security Analyst 4% 6% 5% Non-IT Non-IT Non-IT 9% 8% 4% Security Architect Security Architect Security Architect (variants of: 3% (variants of: 4% (variants of: 4% Security Engineer Security Engineer Security Engineer 3% 3% 4% Analyst 3% Analyst 2% Analyst 4% Engineer 2% Engineer 2% Engineer 3% IT Security Manager IT Security Manager IT Security Manager 2% 3% 3% Penetration Tester/Pen Penetration Tester/Pen Penetration Tester/Pen Tester 1% Tester 1% Tester 3% Officer 1% Officer 2% Officer 3% Consultant 1% Consultant 1% Consultant 2% Computer/Digital Computer/Digital Computer/Digital Forensics 1% Forensics 1% Forensics 2% Security Administrator Security Administrator Security Administrator 1% 3% 2% CISO/Head of CISO/Head of CISO/Head of 1% 1% 2% Analyst 1% Analyst 2% Analyst 2% Security Auditor Security Auditor Security Auditor 1% 2% 1% PCI Consultant (variants PCI Consultant (variants PCI Consultant (variants of)/qsa Consultants 1% of)/qsa Consultants 1% of)/qsa Consultants 1% IT Security Officer IT Security Officer IT Security Officer 1% 1% Application / Systems Application / Systems Application / Systems Security Specialist 1% Security Specialist 1% Security Specialist 01 January August 2012 As the overall body of professionals has grown, this data illustrates that now only 28% can enter the profession from a more general role in IT and 4% from a role outside of IT. Current non-commercial Cyber Security roles are being filled by experienced professionals who are progressing and moving roles within the profession. 6 Copyright e-skills UK Sector Skills Council Ltd

11 Figure 2 Chart illustrating the split of the top three categories of roles that lead to a non-commercial role in Cyber Security, displayed in 3 rd previous, 2 nd previous and 1 st previous (most recent) position 45% 53% 68% Specialist within Cyber Security 9% 8% Non-IT 46% 39% 4% 28% 3rd Previous Role 2nd Previous Role 1st Previous Role The most popular specialised routes are as an Consultant, IT Security Consultant and Manager. The pathways to these roles are explained in more detail in section 2 of this report. Copyright e-skills UK Sector Skills Council Ltd

12 1.3 Commercial Roles The two most common pathways into commercial/sales roles within Cyber Security are via non-it or general IT sales roles. 42% of professionals currently in Cyber Security Sales began in more general IT roles and 21% started out in other industries. Many commercial Cyber Security professionals progress through Account Management into their current roles. The pathway to an Account Manager role is discussed further in Section 2. A relatively small number of professionals progress to commercial roles via technical routes such as Security Engineer and IT Security Consultant. Figure 3 Aggregated pathways across all Commercial roles Non-IT 3rd Previous Role 2nd Previous Role 1st Previous Role 42% 21% Account Manager (with security) 11% Sales Executive (with security) 7% Sales Manager (with security) 5% Business Development 5% Sales Director (with security) 2% Sales Engineer Security Engineer 2% 2% Pre-sales Consultant 1% Technical Account Manager 1% IT Security Consultant 1% Security Architect (variants of) Non-IT 38% 18% Account Manager (with security) 13% Sales Executive (with security) 5% Sales Manager (with security) 6% Business Development 6% Sales Director (with security) 3% Sales Engineer Security Engineer 1% 2% Pre-sales Consultant 3% Technical Account Manager 2% IT Security Consultant 2% Security Architect (variants of) 1% Non-IT 32% 12% Account Manager (with security) 16% Sales Executive (with security) 7% Sales Manager (with security) 7% Business Development 8% Sales Director (with security) 5% Sales Engineer Security Engineer 1% 3% Pre-sales Consultant 6% Technical Account Manager 2% IT Security Consultant 1% Security Architect (variants of) 01 January August Copyright e-skills UK Sector Skills Council Ltd

13 Figure 4 - Chart illustrating the split of the categories of roles that lead to a Commercial role in Cyber Security, displayed as 3 rd previous, 2 nd previous and 1 st previous (most recent) position 37% 21% 44% 18% 56% Within Cyber Security 12% Non-IT 42% 38% 32% 3rd Previous Role 2nd Previous Role 1st Previous Role 1.4 Qualifications Two categories of qualifications were analysed - professional qualifications and degree types. The list of professional qualifications is shown below and mostly relate to the Cyber Security industry specifically. The CCNA certification is a more general IT qualification and is included to complement the above data on pathways. This illustrates that general IT is a common pathway into a Cyber Security role. The MSc is a specialist post-graduate academic qualification for Cyber Security professionals. The MBA (Masters of Business Administration) may be of more relevance to those in commercial roles. The table below shows the percentage of professionals who have gained particular professional qualifications (NC = non-commercial roles, Com = commercial roles). Copyright e-skills UK Sector Skills Council Ltd

14 Table 1 Overall qualification data with top 10 highlighted for non-commercial roles Qualification All NC Com MSc Infosec 5% 9% MBA 4% 4% 5% CISSP 34% 54% 5% CISA 9% 15% 1% CISM 9% 15% QSA 4% 6% 1% CLAS 4% 6% 1% GIAC 3% 5% CEH 9% 14% 1% CREST 1% 2% 1% CHECK 1% 2% Tiger 1% LPT 1% CCNA 21% 31% 6% ISO LA 4% 7% CompTIA Security+ 3% 4% 1% It is interesting to note that 54% of non-commercial Cyber Security professionals hold a CISSP certification. The CISSP is a general certification covering a broad range of topics and it is widely accepted as the leading specialist cyber security qualification. The charts below highlight some other areas of interest within this data. 10 Copyright e-skills UK Sector Skills Council Ltd

15 MSc Infosec MBA CISSP CISA CISM QSA CLAS GIAC CEH CREST CHECK Tiger LPT CCNA ISO LA CompTIA Security+ MSc Infosec MBA CISSP CISA CISM QSA CLAS GIAC CEH CREST CHECK Tiger LPT CCNA ISO LA CompTIA Security+ Figure 5 Overall qualifications 35% 3 25% 2 15% 1 5% Figure 6 Qualifications breakdown in commercial and non-commercial roles Com NC Copyright e-skills UK Sector Skills Council Ltd

16 The table below illustrates the percentage of professionals who have an undergraduate degree and the type of degree: IT (including computing and computer science), Technical (including physics, mathematics and engineering) and Other (such as law, geography, social sciences etc). Almost 5 of Cyber Security professionals possess a degree and a higher proportion of noncommercial professionals have a degree compared to those in commercial roles. Perhaps unsurprisingly, the most common degree type overall and in non-commercial roles is IT, however many have entered the Cyber Security profession having studied other disciplines. Table 2 Degree types overall and by job type IT Technical Other No Degree Overall 22% 11% 15% 52% NC 29% 14% 11% 46% Com 11% 7% 21% 61% Figure 7 Comparison of degree types in commercial and non-commercial job roles % Com NC % 46% 29% 7% 21% 14% 11% IT Technical Other No Degree 12 Copyright e-skills UK Sector Skills Council Ltd

17 1.5 Demographic Profiles Demographic information was taken from a sample of the entire data. Three types of information were analysed Region (Geographical), Age and Gender, in order to produce a demographic profile of the Cyber Security profession in general and per specific job role. The following table displays the overall demographic information for the sample as a whole. These figures are broken down by job role in Section 4. Table 3 Demographic profile overall for non-commercial and commercial roles Region NW NE SW SE Mids Scot Wales N. Ire Non-Commercial 6% 8% 7% 59% 14% 2% 3% 1% Commercial 7% 11% 6% 66% 8% 1% 1% Age No Data Non-Commercial 7% 31% 21% 8% 33% Commercial 7% 34% 25% 12% 22% Gender M F No data Non-Commercial 86% 1 4% Commercial 8 19% 1% Copyright e-skills UK Sector Skills Council Ltd

18 Figure 8 Chart highlighting the geographical profile of cyber security professionals (for non-commercial roles) N. Ire Wales Scot Mids SE SW NE NW Figure 9 Chart displaying the age distribution across Cyber Security professionals (for non-commercial roles where age information was available) 35% 3 25% 2 31% 15% 21% 1 5% 7% 8% Copyright e-skills UK Sector Skills Council Ltd

19 Figure 10 Pie chart displaying the gender profile of Cyber Security professionals (for non-commercial roles) M 86% F 1 No data 4% Copyright e-skills UK Sector Skills Council Ltd

20 16 Copyright e-skills UK Sector Skills Council Ltd

21 Section 2 Pa thways to Ta rget Job Role s Section 2 Pathways to Target Job Roles As discussed in section 1.1, the most common pathways to a target non-commercial cyber security role are via a general IT route and a specialised route. The top three specialised route pathways are via roles as an Manager, Consultant or IT Security Consultant. The specific pathways to these three roles are discussed in more detail below. 2.1 Manager Figure 11 Chart displaying job history leading to a role as an Manager 3rd Previous 2nd Previous 1st Previous 8% 15% 26% Manager Manager Manager 49% 44% 24% Information Security Manager 7% 14% 22% Consultant Consultant Consultant 4% 4% 6% Analyst Analyst Analyst 3% 5% 6% Officer Officer Officer Non-IT 11% Non-IT 6% Non-IT 5% IT Security Analyst 3% IT Security Analyst IT Security Analyst 2% IT Security Consultant 5% IT Security Consultant 1% IT Security Consultant 2% IT Security Manager 5% IT Security Manager 3% IT Security Manager 1% IT Security Specialist IT Security Specialist IT Security Specialist 1% 3% 1% Consultant Consultant Consultant Security Administrator Security Administrator Security Administrator 1% Security Architect Security Architect 1% Security Architect 1% (variants of: (variants of: (variants of: Security Auditor Security Auditor 1% Security Auditor 1% Security Engineer 1% Security Engineer 1% Security Engineer 1% Application Security Application Security 4% Application Security Specialist Specialist Specialist IT Security Officer 1% IT Security Officer 1% IT Security Officer Engineer Engineer Engineer Copyright e-skills UK Sector Skills Council Ltd

22 Figure 12 Chart showing the top three roles at each stage on the path to a role as an Information Security Manager 8% 15% 26% Manager 49% 44% 24% 7% 14% 22% Consultant 3rd Previous Role 2nd Previous Role 1st Previous Role These figures illustrate that many Managers begin in other IT roles (49% in their 3 rd previous role and 44% in their 2 rd previous role). These percentages are greater than all aggregated non-commercial Cyber Security roles, demonstrating that general management skills are more in demand than specialised technical skills. Figure 13 Illustrates the most common roles that lead to a role as an Manager Manager Consultant Manager 18 Copyright e-skills UK Sector Skills Council Ltd

23 2.2 Consultant Figure 14 - Chart displaying job history leading to a role as an Consultant 3rd Previous Role 2nd Previous Role 1st Previous Role Consultant 24% Consultant 24% Consultant 41% 38% 3 18% Manager 7% Manager 1 Manager 11% IT Security Consultant 7% IT Security Consultant 5% IT Security Consultant 4% Analyst 3% Analyst 2% Analyst 4% Security Engineer 4% Security Engineer 7% Security Engineer 3% IT Security Analyst 3% IT Security Analyst 4% IT Security Analyst 3% Non-IT 3% Non-IT 5% Non-IT 3% Officer 1% Officer 5% Officer 3% IT Security Manager 1% IT Security Manager 2% IT Security Manager 3% Penetration Tester/Pen Tester 1% Penetration Tester/Pen Tester Penetration Tester/Pen Tester 2% Security Administrator Security Administrator 2% Security Administrator 2% Consultant 3% Consultant Consultant 1% Pre-sales Consultant 1% Pre-sales Consultant Pre-sales Consultant 1% Computer/Digital Forensics Computer/Digital Forensics 1% Computer/Digital Forensics 1% Security Auditor 1% Security Auditor 2% Security Auditor Security Architect (variants of) Security Architect (variants of) 1% Security Architect (variants of) Analyst 3% Analyst Analyst Information Security Consultant Copyright e-skills UK Sector Skills Council Ltd

24 Figure 15 - Chart showing the top three roles at each stage on the path to a role as an Information Security Consultant 7% 1 11% 24% 24% 41% Manager Consultant 38% 3 18% 3rd Previous Role 2nd Previous Role 1st Previous Role These figures show that many Cyber Security professionals remained as Consultants throughout the last 10 years of their career. Those who moved into the profession initially came through a general IT route or from an Manager role. It is interesting to note that the ability to move into this role from other IT roles has considerably reduced in recent years, more so than all aggregated non-commercial Cyber Security roles. Figure 16 Illustrating the most common roles that lead to a role as an Consultant Consultant Manager Consultant 20 Copyright e-skills UK Sector Skills Council Ltd

25 2.3 IT Security Consultant Figure 17 - Chart displaying job history leading to a role as an IT Security Consultant 3rd Previous Role 2nd Previous Role 1st Previous Role 44% 29% 9% Non-IT Non-IT Non-IT 16% 1 7% IT Security Analyst IT Security Analyst IT Security Analyst 12% 8% 7% IT Security Consultant 8% IT Security Consultant 14% IT Security Consultant 17% Consultant 8% Consultant 5% Consultant 4% Security Engineer 4% Security Engineer 5% Security Engineer 11% Consultant 4% Consultant 3% Consultant 9% Penetration Tester/Pen Tester 4% Penetration Tester/Pen Tester Penetration Tester/Pen Tester 7% Security Administrator Security Administrator 5% Security Administrator 2% IT Security Manager IT Security Manager 3% IT Security Manager 9% IT Security Officer IT Security Officer 3% IT Security Officer 4% Analyst Analyst 3% Analyst 2% Engineer Engineer 3% Engineer 2% Analyst Analyst 3% Analyst Pre-sales Consultant Pre-sales Consultant 3% Pre-sales Consultant Account Manager (with security) Account Manager (with security) 3% Account Manager (with security) Manager Manager Manager 4% Security Architect (variants of) Security Architect (variants of) Security Architect (variants of) 2% Security Auditor Security Auditor Security Auditor 2% PCI Consultant (variants of)/qsa PCI Consultant (variants of)/qsa PCI Consultant (variants of)/qsa 2% IT Security Consultant Copyright e-skills UK Sector Skills Council Ltd

26 Figure 18 - Chart showing the top four roles at each stage on the path to a role as an IT Security Consultant 8% 12% 16% 14% 8% 1 17% 7% IT Security Consultant IT Security Analyst 44% 29% 7% 9% Non-IT 3rd Previous Role 2nd Previous Role 1st Previous Role The most common path to a role as IT Security Consultant is through general IT roles or through other industries. Another common path is via a role as an IT Security Analyst. Figure 19 Chart showing the main three roles that lead to the position of IT Security Consultant Non-IT IT Security Analyst IT SECURITY CONSULTANT 22 Copyright e-skills UK Sector Skills Council Ltd

27 2.4 Account Manager Section 1 discussed the general pathways to commercial/sales roles within Cyber Security. The most common routes were through other industries, general IT and via a role as an Account Manager. Many of those who came up through other industries or general IT were in sales roles. Relatively few have come from non-commercial security roles. The pathways into a role as an Account Manager in Cyber Security are explained further below. Figure 20 Chart displaying job history leading to a role as an Account Manager within Cyber Security 3rd Previous 2nd Previous 1st Previous 45% 43% 37% Non-IT Non-IT Non-IT 31% 24% 16% Account Manager (with security) 8% Account Manager (with security) 15% Account Manager (with security) 24% Sales Executive (with security) 8% Sales Executive (with security) 7% Sales Executive (with security) 11% Business Development 2% Business Development 5% Business Development 7% Sales Manager (with security) 2% Sales Manager (with security) 4% Sales Manager (with security) 2% Security Engineer 1% Security Engineer Security Engineer Technical Account Manager 1% Technical Account Manager 1% Technical Account Manager 1% Analyst 1% Analyst Analyst Sales Engineer 1% Sales Engineer Sales Engineer Pre-sales Consultant Pre-sales Consultant 1% Pre-sales Consultant 2% Account Manager The figures suggest that the predominant route into an Account Manager role within Cyber Security is via roles. The general IT roles that Account Managers come from tend to be within sales, as did the non-it roles. Within Cyber Security, many progressed into the Account Manager role from the same role or from a Sales Executive position. Copyright e-skills UK Sector Skills Council Ltd

28 Figure 21 Displaying the most common four roles in the job history of Cyber Security Account Managers 5 45% 4 35% 3 25% 2 15% 1 Non-IT Account Manager (with security) Sales Executive (with security) 5% 3rd Previous 2nd Previous 1st Previous This figure illustrates that there has been an increased demand from the Cyber Security industry in recent times to hire more specialised Cyber Security experienced Account Managers. Figure 22 Displaying the most popular roles at each stage in the pathway to an Account Manager position in Cyber Security 3rd Previous Non-IT Account Manager Sales Executive 2nd Previous Non-IT Account Manager Sales Executive 1st Previous Account Manager Non-IT Sales Executive 24 Copyright e-skills UK Sector Skills Council Ltd

29 2.5 Pathways to Other Roles The charts below show the top three roles at each stage in the path towards 23 other roles. Figure 23 - Non-Commercial Roles 3rd Previous Role 2nd Previous Role 1st Previous role Current Role Non-IT Non-IT Analyst Analyst Analyst Analyst Consultant Manager Officer Manager Officer IT Security Analyst Consultant Analyst Non-IT Non-IT IT Security Analyst IT Security Analyst IT Security Analyst IT Security Analyst IT Security Consultant IT Security Manager Security Architect IT Security Analyst IT Security Officer Non-IT Non-IT IT Security Manager IT Security Manager IT Security Analyst IT Security Manager IT Security Manager IT Security Consultant IT Security Analyst IT Security Analyst Analyst Engineer Analyst Engineer IT Security Analyst Consultant Consultant Consultant Consultant Consultant IT Security Consultant IT Security Analyst Engineer Engineer Engineer Engineer Engineer Security Engineer IT Security Analyst Analyst Non-IT IT Security Analyst Security Engineer Security Engineer Security Engineer Engineer IT Security Consultant Non-IT Security Administrator Security Administrator Security Administrator Security Administrator Non-IT IT Security Analyst Security Architect Security Architect Security Architect q Consultant Security Architect IT Security Consultant IT Security Consultant IT Security Consultant Security Auditor Security Auditor Security Auditor Manager Security Auditor Analyst Analyst IT Security Officer PCI Consultant Manager PCI DSS Consultant PCI DSS Consultant/ QSA IT Security Consultant IT Security Consultant Manager Computer Forensics Specialist Computer Forensics Specialist Computer Forensics Specialist Non-IT Computer Forensics Specialist Non-IT Non-IT Other Penetration Tester Penetration Tester Penetration Tester Computer Forensics Specialist IT Security Analyst Consultant Application/ System Security Security Administrator Consultant Consultant Application/ System Security Application/ System Security IT Security Analyst IT Security Consultant Copyright e-skills UK Sector Skills Council Ltd

30 Figure 24 - Commercial Roles 3rd Previous Role 2nd Previous Role 1st Previous role Current Role Sales Engineer Sales Engineer Sales Engineer Sales Engineer Non-IT Technical Account Manager Pre-Sales Consultant Other Pre-Sales Consultant Sales Engineer Pre-Sales Consultant Pre-Sales Consultant Account Manager IT Security Consultant Security Engineer IT Security Consultant IT Security Consultant IT Security Consultant Technical Account Manager Security Engineer Security Engineer Security Engineer Non-IT Non-IT Non-IT Account Manager Business Development Manager Account Manager Non-IT Non-IT Sales Executive Sales Executive Account Manager Account Manager Non-IT Account Manager Account Manager Sales Manager Sales Manager Non-IT Non-IT Account Manager Sales Director Sales Manager Sales Manager Sales Director Sales Director Sales Director Sales Manager Business Development Manager This section of the report has illustrated that there are many routes and pathways into jobs within Cyber Security. Generally, many professionals come through general IT and even other industries to join the Cyber Security profession. 26 Copyright e-skills UK Sector Skills Council Ltd

31 Section 3 Qualifica tions and Deg rees by Job Role Section 3 Qualifications and Degrees by Job Role 3.1 Qualifications Table 4 Table showing professional qualifications per job role Role Analyst Manager Consultant Officer IT Security Analyst IT Security Manager IT Security Consultant IT Security Officer Engineer Consultant Analyst Security Engineer Security Administrator CISO Security Architect Security Auditor QSA Consultants Computer Forensics Investigator Penetration Tester/Pen Tester Application Security Specialist Sales Engineer Pre-sales Consultant Technical Account Manager Account Manager Business Development Manager Sales Executive Sales Manager Sales Director Qualifications MSc Infosec MBA CISSP CISA CISM QSA CLAS GIAC CEH CREST CHECK Tiger LPT CCNA ISO27001 Lead Auditor Comp TIA Security+ 12% 4% 48% 19% 12% 1% 1% 7% 1 25% 6% 1 11% 7% 64% 19% 33% 4% 5% 5% 7% 1% 1% 17% 13% 5% 14% 7% 62% 24% 18% 1 7% 5% 13% 3% 1% 26% 17% 5% 11% 3% 55% 24% 31% 5% 3% 3% 9% 1% 23% 8% 3% 11% 2% 42% 17% 6% 4% 4% 17% 4% 2% 3 6% 12% 2% 73% 16% 35% 4% 4% 8% 35% 8% 4% 73% 24% 16% 1 6% 12% 35% 2% 2% 4% 35% 4% 4% 8% 5 4% 17% 4% 8% 8% 17% 8% 3% 15% 3% 3% 13% 5% 74% 8% 13% 4 7% 27% 7% 7% 67% 7% 6% 44% 6% 6% 11% 6% 72% 6% 6% 5% 56% 6% 4% 2% 2% 6% 2 1% 2% 7 2% 4% 4% 18% 4% 2% 2% 4% 4% 24% 4% 6% 17% 89% 33% 22% 11% 22% 11% 6% 17% 17% 6% 7% 5% 74% 1 12% 6% 22% 4% 15% 2% 1% 21% 1 4% 71% 86% 7% 7% 7% 36% 36% 14% 7% 1 41% 15% 2 46% 5% 5% 2% 17% 7% 14% 23% 9% 14% 3% 3% 3% 3% 14% 3% 1 3% 5 3% 3% 3% 3% 1 43% 18% 33% 3% 5% 33% 3% 5% 5 5% 14% 5% 14% 9% 9% 5% 18% 5% 2% 18% 2% 2% 2% 4% 24% 4% 2% 16% 2% 2% 2% 2 25% 3% 3% 3% 9% 6% 13% 3% 6% 4% 2% 1% 3% 1 1% 4% 1% 1% 1% 4% 5% 2% 2% 4% 5% 1% 1% 1% 1% 1% 3% 2% 11% 2% 2% Copyright e-skills UK Sector Skills Council Ltd

32 The above table highlights qualifications in order of popularity for each job role. CISSP is, as discussed in Section 1, the most common qualification overall and for most of the non-commercial roles. CCNA is also prevalent, more so in highly technical roles such as Security Engineer. Often, particular qualifications are more common in one role, such as CEH for Penetration Testers and Security Analysts. This is due to the fact that certain qualifications are focused towards a particular set of specialised skills that are required only in certain positions. Of the two post-graduate qualifications analysed, the MBA is most popular throughout the more commercial roles towards the bottom of the table. The MSc is more popular in non-commercial roles. It is worthy of note that, recently, CESG (Communications Electronics Security Group the National Technical Authority for Information Assurance) has produced a certification scheme for professionals working in HMG Information Assurance. As these certifications are relatively new they have not been included in this analysis. However the more generalised CLAS credential is included. Figure 25 Chart highlighting the distribution of CISSP certified professionals across all non-commercial job roles Copyright e-skills UK Sector Skills Council Ltd

33 Figure 26 Chart comparing qualifications of four Cyber Security roles: Manager, Consultant and their IT security equivalents Manager IT Security Manager Consultant IT Security Consultant Copyright e-skills UK Sector Skills Council Ltd

34 3.2 Degrees Table 5 Table of degree types across all job roles Role IT Technical Other No Degree Analyst 32% 14% 19% 35% Manager 19% 16% 12% 53% Consultant 28% 17% 9% 46% Officer 36% 14% 12% 38% IT Security Analyst 21% 13% 11% 55% IT Security Manager 2 16% 1 54% IT Security Consultant 33% 16% 12% 39% IT Security Officer 17% 25% 4% 54% Engineer 31% 26% 3% 4 Consultant 33% 27% 4 Analyst 17% 22% 17% 44% Security Engineer 44% 9% 9% 38% Security Administrator 29% 7% 11% 53% CISO/Head of 45% 11% 44% Security Architect (variants of) 23% 14% 1 53% Security Auditor 43% 7% 5 PCI Consultant (variants of)/qsa Consultants 17% 15% 12% 56% Forensics Analyst/Investigator (variants of) 4 11% 2 29% Penetration Tester/Pen Tester 44% 5% 8% 43% Application Security Specialist (variants of) 45% 5% 18% 32% Sales Engineer 25% 8% 1 57% Pre-sales Consultant 22% 27% 12% 39% Technical Account Manager 22% 16% 62% Account Manager (with security) 9% 4% 24% 63% Business Development Manager (with security) 7% 1 15% 68% Sales Executive (with security) 16% 4% 25% 55% Sales Manager (with security) 8% 7% 26% 59% Sales Director (with security) 4% 5% 23% 68% Total 22% 11% 15% 52% In total across all roles, almost 5 of Cyber Security professionals have an undergraduate degree. In some cases, a higher proportion of those in more junior roles have a degree compared to their more senior counterparts, for example 65% of Analysts have a degree compared to 47% of Managers. Some sectors of the Cyber Security industry equally value professionals with senior military backgrounds and experience who may not be degree educated. This reflects the emphasis for managers with organisational, process and communication skills. Another consideration in these figures is that that those entering the profession more recently tend to be graduates. Some of the more specialised roles, such as Forensics Analyst and Application Security Specialist require more specific knowledge and skills that often can only be acquired via degree studies, which may explain why a higher proportion of professionals in roles such as these have a degree. 30 Copyright e-skills UK Sector Skills Council Ltd

35 Perhaps unsurprisingly, of those who have a degree, the most common category is IT. However, these figures show that many professionals enter the industry having studied other disciplines. Graduates with a degree in a non-it and non-technical subject tend to have more commercial roles that require less specific knowledge. Figure 27 Pie chart showing split of degree types across all roles IT 22% No Degree 52% Technical 11% Other 15% Figure 28 Displaying the degree categories of the four roles with the highest proportion of graduates 5 4 Analyst 3 Officer 2 1 Forensics Analyst/Investigator (variants of) IT Technical Other No Degree Application Security Specialist (variants of) Copyright e-skills UK Sector Skills Council Ltd