Alderbridge Specialists in Info Security Specialist Recruitment
Knowledge for e-skills UK's Cyber Security Learning Pathways Programme
Career Analysis into Cyber Security: New & Evolving Occupations
e-skills UK is the Sector Skills Council for Business and Information Technology; an employer led organisation rated as outstanding in the re-licensing of the Sector Skills Councils. e-skills UK's mission is to ensure the UK has the technology skills it needs to compete in the global economy, working on behalf of employers to develop the software, internet, computer gaming, IT services and business change expertise necessary to thrive.

Focused on making the biggest contribution to enterprise, jobs and growth across the economy, e-skills UK's three strategic objectives are to: inspire future talent, support IT professionals, increase digital capability. Delivery on these strategic objectives is underpinned by employer engagement across the sector, authoritative research, a continually developing sector qualifications and learning strategy and effective strategic partnerships.

2013 Reserved, e-skills UK. All rights reserved. No part of this material protected by this copyright may be reproduced or utilised in any form, or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system without prior authorisation and credit to e-skills UK.

An e-skills UK publication, supported by Alderbridge Consulting Ltd.

For further information please contact:
e-skills UK, 1 Castle Lane, London SW1E 6DR. Tel: 020 7963 8920 Fax: 020 7592 9138 info@e-skills.com www.e-skills.com
Proprietor: e-skills UK Sector Skills Council Ltd. Registered in England no. 4019051
The National Skills Academy for IT, 1 Castle Lane, London SW1E 6DR. Tel: 020 7963 0420 info@itskillsacademy.ac.uk www.itskillsacademy.ac.uk
The National Skills Academy for IT. Registered in England no. 7223753. Registered office: Victoria House, 39 Winchester Street, Basingstoke, Hampshire RG21 7EQ
The National Skills Academy for IT is wholly owned by e-skills UK
Copyright e-skills UK Sector Skills Council Ltd 2000-2013
Contents
Executive Summary
  Summary of Findings
Introduction
  Scope
  Scope Limitations
Section 1 Overview
  1.1 Pathways to Target Job Roles
  1.2 Non-Commercial roles
  1.3 Commercial roles
  1.4 Qualifications
  1.5 Demographic Profiles
Section 2 Pathways to Target Job Roles
  2.1 Manager
  2.2 Consultant
  2.3 IT Security Consultant
  2.4 Account Manager
  2.5 Pathways to Other Roles
Section 3 Qualifications and Degrees by Job Role
  3.1 Qualifications
  3.2 Degrees
Section 4 Demographic Profiles by Job Role
  4.1 Location
  4.2 Age Distribution
  4.3 Gender
Summary of Key Findings
  Summary of Section 1 Overview
  Summary of Section 2 Pathways to Target Job Roles
  Summary of Section 3 Qualifications and Degrees by Job Role
  Summary of Section 4 - Demographic Profiles by Job Role
Executive Summary

e-skills UK engaged Alderbridge Consulting Ltd, specialists in recruitment and consultancy, to undertake an analysis of their intelligence covering the current recruitment landscape within Cyber Security. This analysis contributed to e-skills UK's Cyber Security Learning Pathways Programme.

This report documents the output of this analysis and seeks to draw conclusions surrounding the demographic and academic profile of the UK Cyber Security sector, as well as highlighting potential educational and professional pathways to target job roles.

The analysis, data and results are presented in this document within the following key reporting areas for Cyber Security in the UK:
- Age profiles
- Gender profiles
- Geographic profiles
- Job Title progressions
- Qualifications - learning & training pathways
- Pathways to target Job Title by Education, Qualifications & Experience

Data is presented in tables, charts and graphical representations together with Alderbridge's summary analysis.

Summary of Findings

The most common pathway to non-commercial Cyber Security roles has been via other roles within IT. 46% of all professionals currently in non-commercial Cyber Security entered the profession in this way from their 3rd previous role of their career history. As the overall body of professionals has grown, data collected over a period of 10 years suggests that now only 28% can enter the profession from a more general role in IT and 4% from a role outside of IT. Current non-commercial Cyber Security roles are being filled by seasoned and highly qualified professionals who are progressing within this relatively new profession. The most popular specialised routes within the profession are as an Information Security Consultant, IT Security Consultant and Information Security Manager.

The two most common pathways into commercial/sales roles within Cyber Security are via non-IT or general IT sales roles. 42% of professionals currently in Cyber Security sales began in more general IT roles and 21% started out in other industries.

Overall, CISSP (Certified Information Systems Security Professional) is the most common professional certification, held by 54% of those in non-commercial roles.

Around half of Cyber Security professionals have an undergraduate degree, with more of these being in non-commercial roles than commercial positions. The most common degree type is IT.

The majority (over 60%) of Cyber Security professionals across all job roles are located in the South East. The age profile across most roles was widespread, though for commercial roles it was slightly younger than for non-commercial roles. The gender profile was shown to be predominantly male across all job roles with a slightly higher proportion of females in the commercial roles compared to the other positions (19% compared to 10%).
Introduction

On completion of Cyber Security recruitment data analysis conducted for e-skills UK, Alderbridge Consulting Ltd ("Alderbridge") is pleased to present the findings in this report, which draws conclusions surrounding the demographic and academic profile of the UK Cyber Security sector, and to highlight potential educational and professional pathways to target job roles.

Scope

The scope of the work was to analyse Alderbridge's Cyber Security recruitment industry knowledge to produce data in three main areas:
- Pathways to target job roles
- Professional qualifications
- Demographic information:
  o Geographic profiles
  o Age profiles
  o Gender profiles

[Diagram: the Cyber Security Role and its four data areas. Demographics: Age, Location, Gender. Education: Higher Education Information. Qualifications: Current and Historic. Job History: Job Title - Current, Job Title - Historic, Pathways to specific target jobs.]

The analysis focused on the following 28 target job roles within Cyber Security:
- Analyst
- Manager
- Consultant
- Officer
- IT Security Analyst
- IT Security Manager
- IT Security Consultant
- IT Security Officer
- Engineer
- Consultant
- Analyst
- Security Engineer
- Security Administrator
- CISO/Chief Officer/Head of
- Security Architect (variants of)
- Security Auditor
- PCI Consultant/QSA Consultants
- Computer/Digital Forensics Analyst/Investigator (variants of)
- Penetration Tester/Pen Tester
- Application Security Specialist (variants of)
- Sales Engineer
- Pre-sales Consultant
- Technical Account Manager
- Account Manager (with security)
- Business Development Manager (with security)
- Sales Executive (with security)
- Sales Manager (with security)
- Sales Director (with security)

Scope Limitations

The geographical scope of the analysis was across the whole of the UK. In order to present current information, only data produced from 1st January 2007 onwards was used in all analysis except pathways to target job roles, for which data from 1st January 2002 onwards was used when analysing previous roles. This amounted to 1750 data samples. Across these data samples, not all categories of data were available for analysis in some reports.
Section 1 Overview

1.1 Pathways to Target Job Roles

The target job roles can be categorised into two main areas:

Non-commercial roles
- Analyst
- Manager
- Consultant
- Officer
- IT Security Analyst
- IT Security Manager
- IT Security Consultant
- IT Security Officer
- Engineer
- Consultant
- Analyst
- Security Engineer
- Security Administrator
- CISO/Chief Officer/Head of
- Security Architect (variants of)
- Security Auditor
- PCI Consultant/QSA Consultants
- Computer/Digital Forensics Analyst/Investigator (variants of)
- Penetration Tester/Pen Tester
- Application Security Specialist (variants of)

Commercial (sales roles)
- Sales Engineer
- Pre-sales Consultant
- Technical Account Manager
- Account Manager (with security)
- Business Development Manager (with security)
- Sales Executive (with security)
- Sales Manager (with security)
- Sales Director (with security)

The pathways to roles were determined by analysing the job history of Cyber Security Professionals whose current job titles are in the above list. The last three roles prior to the current role were noted to build up a picture of the most common pathways to roles within Cyber Security. Two additional occupations and Non-IT were also added to account for roles outside of the Cyber Security industry.

The next section discusses the aggregated pathways across all roles within the non-commercial and commercial categories.
1.2 Non-Commercial Roles

As can be seen from Figure 1, 46% of all professionals currently in non-commercial Cyber Security entered the profession in their 3rd previous role from other general roles in IT. This figure reduces to 39% across all 2nd previous roles.

Figure 1 Aggregated pathways across all Non-Commercial roles (01 January 2002 to 20 August 2012). Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order.
General IT: 46%, 39%, 28%
Consultant: 7%, 9%, 13%
IT Security Consultant: 6%, 5%, 7%
Manager: 5%, 3%, 6%
IT Security Analyst: 4%, 6%, 5%
Non-IT: 9%, 8%, 4%
Security Architect (variants of): 3%, 4%, 4%
Security Engineer: 3%, 3%, 4%
Analyst: 3%, 2%, 4%
Engineer: 2%, 2%, 3%
IT Security Manager: 2%, 3%, 3%
Penetration Tester/Pen Tester: 1%, 1%, 3%
Officer: 1%, 2%, 3%
Consultant: 1%, 1%, 2%
Computer/Digital Forensics: 1%, 1%, 2%
Security Administrator: 1%, 3%, 2%
CISO/Head of: 1%, 1%, 2%
Analyst: 1%, 2%, 2%
Security Auditor: 1%, 2%, 1%
PCI Consultant (variants of)/QSA Consultants: 1%, 1%, 1%
IT Security Officer: 1%, 1%
Application / Systems Security Specialist: 1%, 1%

As the overall body of professionals has grown, this data illustrates that now only 28% can enter the profession from a more general role in IT and 4% from a role outside of IT. Current non-commercial Cyber Security roles are being filled by experienced professionals who are progressing and moving roles within the profession.
Figure 2 Chart illustrating the split of the top three categories of roles that lead to a non-commercial role in Cyber Security, displayed in 3rd previous, 2nd previous and 1st previous (most recent) position. Values are listed in that order.
Specialist within Cyber Security: 45%, 53%, 68%
Non-IT: 9%, 8%, 4%
General IT: 46%, 39%, 28%

The most popular specialised routes are as an Information Security Consultant, IT Security Consultant and Information Security Manager. The pathways to these roles are explained in more detail in section 2 of this report.
1.3 Commercial Roles

The two most common pathways into commercial/sales roles within Cyber Security are via non-IT or general IT sales roles. 42% of professionals currently in Cyber Security Sales began in more general IT roles and 21% started out in other industries.

Many commercial Cyber Security professionals progress through Account Management into their current roles. The pathway to an Account Manager role is discussed further in Section 2. A relatively small number of professionals progress to commercial roles via technical routes such as Security Engineer and IT Security Consultant.

Figure 3 Aggregated pathways across all Commercial roles (01 January 2002 to 20 August 2012). Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order; a dash marks a stage with no value shown.
General IT: 42%, 38%, 32%
Non-IT: 21%, 18%, 12%
Account Manager (with security): 11%, 13%, 16%
Sales Executive (with security): 7%, 5%, 7%
Sales Manager (with security): 5%, 6%, 7%
Business Development: 5%, 6%, 8%
Sales Director (with security): 2%, 3%, 5%
Sales Engineer: 2%, 1%, 1%
Security Engineer: 2%, 2%, 3%
Pre-sales Consultant: 1%, 3%, 6%
Technical Account Manager: 1%, 2%, 2%
IT Security Consultant: 1%, 2%, 1%
Security Architect (variants of): -, 1%, -
Figure 4 - Chart illustrating the split of the categories of roles that lead to a Commercial role in Cyber Security, displayed as 3rd previous, 2nd previous and 1st previous (most recent) position. Values are listed in that order.
Within Cyber Security: 37%, 44%, 56%
Non-IT: 21%, 18%, 12%
General IT: 42%, 38%, 32%

1.4 Qualifications

Two categories of qualifications were analysed - professional qualifications and degree types. The list of professional qualifications is shown below and mostly relates to the Cyber Security industry specifically. The CCNA certification is a more general IT qualification and is included to complement the above data on pathways. This illustrates that general IT is a common pathway into a Cyber Security role. The MSc is a specialist post-graduate academic qualification for Cyber Security professionals. The MBA (Masters of Business Administration) may be of more relevance to those in commercial roles.

The table below shows the percentage of professionals who have gained particular professional qualifications (NC = non-commercial roles, Com = commercial roles).
Table 1 Overall qualification data with top 10 highlighted for non-commercial roles. Values are listed per qualification in the column order All, NC, Com.
MSc Infosec: 5%, 9%
MBA: 4%, 4%, 5%
CISSP: 34%, 54%, 5%
CISA: 9%, 15%, 1%
CISM: 9%, 15%
QSA: 4%, 6%, 1%
CLAS: 4%, 6%, 1%
GIAC: 3%, 5%
CEH: 9%, 14%, 1%
CREST: 1%, 2%, 1%
CHECK: 1%, 2%
Tiger: 1%
LPT: 1%
CCNA: 21%, 31%, 6%
ISO 27001 LA: 4%, 7%
CompTIA Security+: 3%, 4%, 1%

It is interesting to note that 54% of non-commercial Cyber Security professionals hold a CISSP certification. The CISSP is a general certification covering a broad range of topics and it is widely accepted as the leading specialist cyber security qualification.

The charts below highlight some other areas of interest within this data.
Figure 5 Overall qualifications [chart: percentage of professionals holding each qualification, by qualification]

Figure 6 Qualifications breakdown in commercial and non-commercial roles [chart: percentage holding each qualification, series Com and NC]
The table below illustrates the percentage of professionals who have an undergraduate degree and the type of degree: IT (including computing and computer science), Technical (including physics, mathematics and engineering) and Other (such as law, geography, social sciences etc).

Almost 50% of Cyber Security professionals possess a degree and a higher proportion of non-commercial professionals have a degree compared to those in commercial roles. Perhaps unsurprisingly, the most common degree type overall and in non-commercial roles is IT; however, many have entered the Cyber Security profession having studied other disciplines.

Table 2 Degree types overall and by job type. Values are listed in the column order IT, Technical, Other, No Degree.
Overall: 22%, 11%, 15%, 52%
NC: 29%, 14%, 11%, 46%
Com: 11%, 7%, 21%, 61%

Figure 7 Comparison of degree types in commercial and non-commercial job roles [chart: series Com and NC across IT, Technical, Other, No Degree]
1.5 Demographic Profiles

Demographic information was taken from a sample of the entire data. Three types of information were analysed: Region (Geographical), Age and Gender, in order to produce a demographic profile of the Cyber Security profession in general and per specific job role.

The following table displays the overall demographic information for the sample as a whole. These figures are broken down by job role in Section 4.

Table 3 Demographic profile overall for non-commercial and commercial roles

Region (column order NW, NE, SW, SE, Mids, Scot, Wales, N. Ire)
Non-Commercial: 6%, 8%, 7%, 59%, 14%, 2%, 3%, 1%
Commercial: 7%, 11%, 6%, 66%, 8%, 1%, 1%

Age (column order 20-29, 30-39, 40-49, 50+, No Data)
Non-Commercial: 7%, 31%, 21%, 8%, 33%
Commercial: 7%, 34%, 25%, 12%, 22%

Gender (column order M, F, No data)
Non-Commercial: 86%, 10%, 4%
Commercial: 80%, 19%, 1%
Figure 8 Chart highlighting the geographical profile of cyber security professionals (for non-commercial roles) [chart: regions N. Ire, Wales, Scot, Mids, SE, SW, NE, NW]

Figure 9 Chart displaying the age distribution across Cyber Security professionals (for non-commercial roles where age information was available)
20-29: 7%
30-39: 31%
40-49: 21%
50+: 8%
Figure 10 Pie chart displaying the gender profile of Cyber Security professionals (for non-commercial roles)
M: 86%
F: 10%
No data: 4%
Section 2 Pathways to Target Job Roles

As discussed in section 1.1, the most common pathways to a target non-commercial cyber security role are via a general IT route and a specialised route. The top three specialised route pathways are via roles as an Information Security Manager, Information Security Consultant or IT Security Consultant. The specific pathways to these three roles are discussed in more detail below.

2.1 Manager

Figure 11 Chart displaying job history leading to a role as an Information Security Manager

3rd Previous 2nd Previous 1st Previous 8% 15% 26% Manager Manager Manager 49% 44% 24% Information Security Manager 7% 14% 22% Consultant Consultant Consultant 4% 4% 6% Analyst Analyst Analyst 3% 5% 6% Officer Officer Officer Non-IT 11% Non-IT 6% Non-IT 5% IT Security Analyst 3% IT Security Analyst IT Security Analyst 2% IT Security Consultant 5% IT Security Consultant 1% IT Security Consultant 2% IT Security Manager 5% IT Security Manager 3% IT Security Manager 1% IT Security Specialist IT Security Specialist IT Security Specialist 1% 3% 1% Consultant Consultant Consultant Security Administrator Security Administrator Security Administrator 1% Security Architect Security Architect 1% Security Architect 1% (variants of: (variants of: (variants of: Security Auditor Security Auditor 1% Security Auditor 1% Security Engineer 1% Security Engineer 1% Security Engineer 1% Application Security Application Security 4% Application Security Specialist Specialist Specialist IT Security Officer 1% IT Security Officer 1% IT Security Officer Engineer Engineer Engineer
Figure 12 Chart showing the top three roles at each stage on the path to a role as an Information Security Manager. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order.
Manager: 8%, 15%, 26%
General IT: 49%, 44%, 24%
Consultant: 7%, 14%, 22%

These figures illustrate that many Managers begin in other IT roles (49% in their 3rd previous role and 44% in their 2nd previous role). These percentages are greater than all aggregated non-commercial Cyber Security roles, demonstrating that general management skills are more in demand than specialised technical skills.

Figure 13 Illustrates the most common roles that lead to a role as an Information Security Manager [diagram: Manager and Consultant leading to Manager]
2.2 Consultant

Figure 14 - Chart displaying job history leading to a role as an Information Security Consultant. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order; a dash marks a stage with no value shown.
Consultant: 24%, 24%, 41%
General IT: 38%, 30%, 18%
Manager: 7%, 10%, 11%
IT Security Consultant: 7%, 5%, 4%
Analyst: 3%, 2%, 4%
Security Engineer: 4%, 7%, 3%
IT Security Analyst: 3%, 4%, 3%
Non-IT: 3%, 5%, 3%
Officer: 1%, 5%, 3%
IT Security Manager: 1%, 2%, 3%
Penetration Tester/Pen Tester: 1%, -, 2%
Security Administrator: -, 2%, 2%
Consultant: 3%, -, 1%
Pre-sales Consultant: 1%, -, 1%
Computer/Digital Forensics: -, 1%, 1%
Security Auditor: 1%, 2%, -
Security Architect (variants of): -, 1%, -
Analyst: 3%, -, -
Figure 15 - Chart showing the top three roles at each stage on the path to a role as an Information Security Consultant. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order.
Manager: 7%, 10%, 11%
Consultant: 24%, 24%, 41%
General IT: 38%, 30%, 18%

These figures show that many Cyber Security professionals remained as Consultants throughout the last 10 years of their career. Those who moved into the profession initially came through a general IT route or from an Information Security Manager role. It is interesting to note that the ability to move into this role from other IT roles has considerably reduced in recent years, more so than all aggregated non-commercial Cyber Security roles.

Figure 16 Illustrating the most common roles that lead to a role as an Information Security Consultant [diagram: Consultant and Manager leading to Consultant]
2.3 IT Security Consultant

Figure 17 - Chart displaying job history leading to a role as an IT Security Consultant. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order; a dash marks a stage with no value shown.
General IT: 44%, 29%, 9%
Non-IT: 16%, 10%, 7%
IT Security Analyst: 12%, 8%, 7%
IT Security Consultant: 8%, 14%, 17%
Consultant: 8%, 5%, 4%
Security Engineer: 4%, 5%, 11%
Consultant: 4%, 3%, 9%
Penetration Tester/Pen Tester: 4%, -, 7%
Security Administrator: -, 5%, 2%
IT Security Manager: -, 3%, 9%
IT Security Officer: -, 3%, 4%
Analyst: -, 3%, 2%
Engineer: -, 3%, 2%
Analyst: -, 3%, -
Pre-sales Consultant: -, 3%, -
Account Manager (with security): -, 3%, -
Manager: -, -, 4%
Security Architect (variants of): -, -, 2%
Security Auditor: -, -, 2%
PCI Consultant (variants of)/QSA: -, -, 2%
Figure 18 - Chart showing the top four roles at each stage on the path to a role as an IT Security Consultant. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order.
IT Security Consultant: 8%, 14%, 17%
IT Security Analyst: 12%, 8%, 7%
Non-IT: 16%, 10%, 7%
General IT: 44%, 29%, 9%

The most common path to a role as IT Security Consultant is through general IT roles or through other industries. Another common path is via a role as an IT Security Analyst.

Figure 19 Chart showing the main three roles that lead to the position of IT Security Consultant [diagram: Non-IT and IT Security Analyst leading to IT Security Consultant]
2.4 Account Manager

Section 1 discussed the general pathways to commercial/sales roles within Cyber Security. The most common routes were through other industries, general IT and via a role as an Account Manager. Many of those who came up through other industries or general IT were in sales roles. Relatively few have come from non-commercial security roles. The pathways into a role as an Account Manager in Cyber Security are explained further below.

Figure 20 Chart displaying job history leading to a role as an Account Manager within Cyber Security. Values are listed for the 3rd previous, 2nd previous and 1st previous role, in that order; a dash marks a stage with no value shown.
General IT: 45%, 43%, 37%
Non-IT: 31%, 24%, 16%
Account Manager (with security): 8%, 15%, 24%
Sales Executive (with security): 8%, 7%, 11%
Business Development: 2%, 5%, 7%
Sales Manager (with security): 2%, 4%, 2%
Security Engineer: 1%, -, -
Technical Account Manager: 1%, 1%, 1%
Analyst: 1%, -, -
Sales Engineer: 1%, -, -
Pre-sales Consultant: -, 1%, 2%

The figures suggest that the predominant route into an Account Manager role within Cyber Security is via roles. The general IT roles that Account Managers come from tend to be within sales, as did the non-IT roles. Within Cyber Security, many progressed into the Account Manager role from the same role or from a Sales Executive position.
Figure 21 Displaying the most common four roles in the job history of Cyber Security Account Managers [chart: series include Non-IT, Account Manager (with security) and Sales Executive (with security), across 3rd Previous, 2nd Previous and 1st Previous]

This figure illustrates that there has been an increased demand from the Cyber Security industry in recent times to hire more specialised Cyber Security experienced Account Managers.

Figure 22 Displaying the most popular roles at each stage in the pathway to an Account Manager position in Cyber Security
3rd Previous: Non-IT, Account Manager, Sales Executive
2nd Previous: Non-IT, Account Manager, Sales Executive
1st Previous: Account Manager, Non-IT, Sales Executive
2.5 Pathways to Other Roles

The charts below show the top three roles at each stage in the path towards 23 other roles.

Figure 23 - Non-Commercial Roles

3rd Previous Role 2nd Previous Role 1st Previous role Current Role Non-IT Non-IT Analyst Analyst Analyst Analyst Consultant Manager Officer Manager Officer IT Security Analyst Consultant Analyst Non-IT Non-IT IT Security Analyst IT Security Analyst IT Security Analyst IT Security Analyst IT Security Consultant IT Security Manager Security Architect IT Security Analyst IT Security Officer Non-IT Non-IT IT Security Manager IT Security Manager IT Security Analyst IT Security Manager IT Security Manager IT Security Consultant IT Security Analyst IT Security Analyst Analyst Engineer Analyst Engineer IT Security Analyst Consultant Consultant Consultant Consultant Consultant IT Security Consultant IT Security Analyst Engineer Engineer Engineer Engineer Engineer Security Engineer IT Security Analyst Analyst Non-IT IT Security Analyst Security Engineer Security Engineer Security Engineer Engineer IT Security Consultant Non-IT Security Administrator Security Administrator Security Administrator Security Administrator Non-IT IT Security Analyst Security Architect Security Architect Security Architect q Consultant Security Architect IT Security Consultant IT Security Consultant IT Security Consultant Security Auditor Security Auditor Security Auditor Manager Security Auditor Analyst Analyst IT Security Officer PCI Consultant Manager PCI DSS Consultant PCI DSS Consultant/ QSA IT Security Consultant IT Security Consultant Manager Computer Forensics Specialist Computer Forensics Specialist Computer Forensics Specialist Non-IT Computer Forensics Specialist Non-IT Non-IT Other Penetration Tester Penetration Tester Penetration Tester Computer Forensics Specialist IT Security Analyst Consultant Application/ System Security Security Administrator Consultant Consultant Application/ System Security Application/ System Security IT Security Analyst IT Security Consultant
Figure 24 - Commercial Roles

3rd Previous Role 2nd Previous Role 1st Previous role Current Role Sales Engineer Sales Engineer Sales Engineer Sales Engineer Non-IT Technical Account Manager Pre-Sales Consultant Other Pre-Sales Consultant Sales Engineer Pre-Sales Consultant Pre-Sales Consultant Account Manager IT Security Consultant Security Engineer IT Security Consultant IT Security Consultant IT Security Consultant Technical Account Manager Security Engineer Security Engineer Security Engineer Non-IT Non-IT Non-IT Account Manager Business Development Manager Account Manager Non-IT Non-IT Sales Executive Sales Executive Account Manager Account Manager Non-IT Account Manager Account Manager Sales Manager Sales Manager Non-IT Non-IT Account Manager Sales Director Sales Manager Sales Manager Sales Director Sales Director Sales Director Sales Manager Business Development Manager

This section of the report has illustrated that there are many routes and pathways into jobs within Cyber Security. Generally, many professionals come through general IT and even other industries to join the Cyber Security profession.
Section 3 Qualifications and Degrees by Job Role

3.1 Qualifications

Table 4 Table showing professional qualifications per job role

Role: Analyst, Manager, Consultant, Officer, IT Security Analyst, IT Security Manager, IT Security Consultant, IT Security Officer, Engineer, Consultant, Analyst, Security Engineer, Security Administrator, CISO, Security Architect, Security Auditor, QSA Consultants, Computer Forensics Investigator, Penetration Tester/Pen Tester, Application Security Specialist, Sales Engineer, Pre-sales Consultant, Technical Account Manager, Account Manager, Business Development Manager, Sales Executive, Sales Manager, Sales Director

Qualifications: MSc Infosec, MBA, CISSP, CISA, CISM, QSA, CLAS, GIAC, CEH, CREST, CHECK, Tiger, LPT, CCNA, ISO27001 Lead Auditor, CompTIA Security+

12% 4% 48% 19% 12% 1% 1% 7% 1 25% 6% 1 11% 7% 64% 19% 33% 4% 5% 5% 7% 1% 1% 17% 13% 5% 14% 7% 62% 24% 18% 1 7% 5% 13% 3% 1% 26% 17% 5% 11% 3% 55% 24% 31% 5% 3% 3% 9% 1% 23% 8% 3% 11% 2% 42% 17% 6% 4% 4% 17% 4% 2% 3 6% 12% 2% 73% 16% 35% 4% 4% 8% 35% 8% 4% 73% 24% 16% 1 6% 12% 35% 2% 2% 4% 35% 4% 4% 8% 5 4% 17% 4% 8% 8% 17% 8% 3% 15% 3% 3% 13% 5% 74% 8% 13% 4 7% 27% 7% 7% 67% 7% 6% 44% 6% 6% 11% 6% 72% 6% 6% 5% 56% 6% 4% 2% 2% 6% 2 1% 2% 7 2% 4% 4% 18% 4% 2% 2% 4% 4% 24% 4% 6% 17% 89% 33% 22% 11% 22% 11% 6% 17% 17% 6% 7% 5% 74% 1 12% 6% 22% 4% 15% 2% 1% 21% 1 4% 71% 86% 7% 7% 7% 36% 36% 14% 7% 1 41% 15% 2 46% 5% 5% 2% 17% 7% 14% 23% 9% 14% 3% 3% 3% 3% 14% 3% 1 3% 5 3% 3% 3% 3% 1 43% 18% 33% 3% 5% 33% 3% 5% 5 5% 14% 5% 14% 9% 9% 5% 18% 5% 2% 18% 2% 2% 2% 4% 24% 4% 2% 16% 2% 2% 2% 2 25% 3% 3% 3% 9% 6% 13% 3% 6% 4% 2% 1% 3% 1 1% 4% 1% 1% 1% 4% 5% 2% 2% 4% 5% 1% 1% 1% 1% 1% 3% 2% 11% 2% 2%
The above table highlights qualifications in order of popularity for each job role. CISSP is, as discussed in Section 1, the most common qualification overall and for most of the non-commercial roles. CCNA is also prevalent, more so in highly technical roles such as Security Engineer. Often, particular qualifications are more common in one role, such as CEH for Penetration Testers and Security Analysts. This is because certain qualifications are focused on a particular set of specialised skills that are required only in certain positions.

Of the two post-graduate qualifications analysed, the MBA is most popular throughout the more commercial roles towards the bottom of the table. The MSc is more popular in non-commercial roles.

It is worthy of note that, recently, CESG (Communications Electronics Security Group, the National Technical Authority for Information Assurance) has produced a certification scheme for professionals working in HMG Information Assurance. As these certifications are relatively new, they have not been included in this analysis. However, the more generalised CLAS credential is included.

Figure 25 Chart highlighting the distribution of CISSP certified professionals across all non-commercial job roles
Figure 26 Chart comparing qualifications of four Cyber Security roles: Manager, Consultant and their IT security equivalents (series: Manager, IT Security Manager, Consultant, IT Security Consultant)
3.2 Degrees

Table 5 Table of degree types across all job roles

Role  IT  Technical  Other  No Degree
Analyst  32%  14%  19%  35%
Manager  19%  16%  12%  53%
Consultant  28%  17%  9%  46%
Officer  36%  14%  12%  38%
IT Security Analyst  21%  13%  11%  55%
IT Security Manager  20%  16%  10%  54%
IT Security Consultant  33%  16%  12%  39%
IT Security Officer  17%  25%  4%  54%
Engineer  31%  26%  3%  40%
Consultant  33%  27%  40%
Analyst  17%  22%  17%  44%
Security Engineer  44%  9%  9%  38%
Security Administrator  29%  7%  11%  53%
CISO/Head of  45%  11%  44%
Security Architect (variants of)  23%  14%  10%  53%
Security Auditor  43%  7%  50%
PCI Consultant (variants of)/QSA Consultants  17%  15%  12%  56%
Forensics Analyst/Investigator (variants of)  40%  11%  20%  29%
Penetration Tester/Pen Tester  44%  5%  8%  43%
Application Security Specialist (variants of)  45%  5%  18%  32%
Sales Engineer  25%  8%  10%  57%
Pre-sales Consultant  22%  27%  12%  39%
Technical Account Manager  22%  16%  62%
Account Manager (with security)  9%  4%  24%  63%
Business Development Manager (with security)  7%  10%  15%  68%
Sales Executive (with security)  16%  4%  25%  55%
Sales Manager (with security)  8%  7%  26%  59%
Sales Director (with security)  4%  5%  23%  68%
Total  22%  11%  15%  52%

In total across all roles, almost 50% of Cyber Security professionals have an undergraduate degree. In some cases, a higher proportion of those in more junior roles have a degree compared to their more senior counterparts, for example 65% of Analysts have a degree compared to 47% of Managers. Some sectors of the Cyber Security industry equally value professionals with senior military backgrounds and experience who may not be degree educated. This reflects the emphasis for managers with organisational, process and communication skills. Another consideration in these figures is that those entering the profession more recently tend to be graduates.
Some of the more specialised roles, such as Forensics Analyst and Application Security Specialist, require more specific knowledge and skills that often can only be acquired via degree studies, which may explain why a higher proportion of professionals in roles such as these have a degree.
Perhaps unsurprisingly, of those who have a degree, the most common category is IT. However, these figures show that many professionals enter the industry having studied other disciplines. Graduates with a degree in a non-IT and non-technical subject tend to have more commercial roles that require less specific knowledge.

Figure 27 Pie chart showing split of degree types across all roles: IT 22%, Technical 11%, Other 15%, No Degree 52%

Figure 28 Displaying the degree categories of the four roles with the highest proportion of graduates (roles: Analyst, Officer, Forensics Analyst/Investigator (variants of), Application Security Specialist (variants of); categories: IT, Technical, Other, No Degree)
Section 4 Demographic Profiles by Job Role

4.1 Location

Table 6 Location data across all job roles

Job Title  Region: NW  NE  SW  SE  Mids  Scot  Wales  N. Ire
Analyst  6%  81%  13%
Manager  12%  4%  60%  16%  8%
Consultant  9%  23%  50%  18%
Officer  6%  29%  53%  6%  6%
IT Security Analyst  8%  17%  8%  67%
IT Security Manager  8%  59%  25%  8%
IT Security Consultant  8%  59%  25%  8%
IT Security Officer  4%  8%  43%  29%  4%  8%  4%
Engineer  8%  13%  4%  62%  13%
Consultant  14%  79%  7%
Analyst  11%  77%  6%  6%
Security Engineer  11%  26%  53%  5%  5%
Security Administrator  15%  85%
CISO  6%  17%  6%  71%
Security Architect  4%  8%  15%  53%  12%  8%
Security Auditor  36%  7%  7%  29%  21%
QSA Consultants  8%  16%  4%  40%  24%  8%
Computer Forensics Investigator  10%  5%  50%  20%  15%
Penetration Tester/Pen Tester  13%  4%  54%  25%  4%
Application Security Specialist  14%  72%  5%  9%
Sales Engineer  17%  8%  50%  25%
Pre-sales Consultant  4%  16%  8%  72%
Technical Account Manager  10%  90%
Account Manager  7%  11%  6%  63%  13%
Business Development Manager  16%  16%  8%  48%  4%  4%  4%
Sales Executive  8%  23%  54%  15%
Sales Manager  10%  10%  3%  74%  3%
Sales Director  8%  77%  15%

The data clearly shows that the vast majority of Cyber Security professionals live in the South East, though there is a wide geographical distribution across many of the above roles. The roles that are the most dispersed throughout the UK are Consultant and QSA Consultant. Many professionals in consultancy roles work from home and so may be based elsewhere in the country whilst their employer is located in the South East.
4.2 Age Distribution

Table 7 Age distribution data across all roles

Job Title  Age: 20-29  30-39  40-49  50+  No Data
Analyst  13%  25%  62%
Manager  20%  28%  8%  44%
Consultant  41%  5%  5%  49%
Officer  24%  41%  6%  29%
IT Security Analyst  33%  25%  8%  34%
IT Security Manager  8%  42%  8%  42%
IT Security Consultant  8%  42%  8%  8%  34%
IT Security Officer  17%  29%  21%  33%
Engineer  13%  63%  13%  11%
Consultant  21%  7%  72%
Analyst  6%  28%  11%  11%  44%
Security Engineer  5%  32%  16%  5%  42%
Security Administrator  31%  8%  15%  46%
CISO  6%  22%  6%  6%  60%
Security Architect  42%  19%  12%  27%
Security Auditor  7%  21%  7%  14%  51%
QSA Consultants  4%  24%  56%  16%
Computer Forensics Investigator  30%  45%  10%  15%
Penetration Tester/Pen Tester  17%  42%  37%  4%
Application Security Specialist  14%  27%  23%  5%  31%
Sales Engineer  8%  42%  33%  8%  9%
Pre-sales Consultant  8%  24%  16%  8%  44%
Technical Account Manager  10%  52%  24%  5%  9%
Account Manager  6%  50%  19%  13%  12%
Business Development Manager  4%  16%  40%  20%  20%
Sales Executive  15%  23%  15%  8%  39%
Sales Manager  10%  19%  35%  6%  30%
Sales Director  31%  15%  38%  16%

Age distribution clearly varies throughout the roles listed and, encouragingly, the age profile of Cyber Security professionals appears to be quite wide. There is a comparatively younger age profile in Cyber Security consultancy positions, perhaps due to the lifestyle and amount of travel generally involved with these roles together with knowledge of new leading-edge Cyber Security technologies.
4.3 Gender

Table 8 Gender profiles across all job roles

Job Title  Gender: M  F  No data
Analyst  68%  19%  13%
Manager  76%  20%  4%
Consultant  95%  5%
Officer  82%  18%
IT Security Analyst  92%  8%
IT Security Manager  75%  17%  8%
IT Security Consultant  92%  8%
IT Security Officer  83%  13%  4%
Engineer  96%  4%
Consultant  79%  21%
Analyst  94%  6%
Security Engineer  95%  5%
Security Administrator  77%  23%
CISO  88%  6%  6%
Security Architect  88%  12%
Security Auditor  72%  21%  7%
QSA Consultants  92%  8%
Computer Forensics Investigator  80%  20%
Penetration Tester/Pen Tester  96%  4%
Application Security Specialist  86%  9%  5%
Sales Engineer  92%  8%
Pre-sales Consultant  80%  20%
Technical Account Manager  95%  5%
Account Manager  74%  24%  2%
Business Development Manager  84%  16%
Sales Executive  69%  31%
Sales Manager  71%  29%
Sales Director  92%  8%

It is apparent from this data that the gender profile across all of the job roles is predominantly male. The proportion of females is generally higher in less technical roles such as Security Administrators and Sales Executives.
Summary of Key Findings

Summary of Section 1 Overview

In this section, aggregated data across all roles within the non-commercial and commercial categories was assessed. The trends highlighted include:

Historically the most common pathways into non-commercial Cyber Security roles were via general IT roles or via other industries. As the overall body of professionals within Cyber Security has grown, this percentage has significantly reduced and these roles are now being filled by experienced professionals who are progressing and moving roles within the profession.
From within Cyber Security, the most common specialised pathways were via roles as IT Security Consultant, Consultant or Manager. The pathways to these roles were analysed in more detail in Section 2.
The most common pathways into commercial/sales roles within Cyber Security are via non-IT and general IT sales roles. The pathway to a role as an Account Manager was discussed further in Section 2.
Overall, CISSP is the most common professional certification.
Around half of Cyber Security professionals have an undergraduate degree, with more of these being in non-commercial roles than commercial positions. The most common degree type was IT.

Summary of Section 2 Pathways to Target Job Roles

In this section, the pathways to the most common specialised job roles were analysed: Manager, Consultant, IT Security Consultant and Account Manager.

Manager
The analysis showed that many Managers come from general IT and Information Security Consultant roles.

Consultant
The figures showed that many of those in this role have also held the same position in their last three roles. Those entering from other roles generally came from general IT or a Manager position.

IT Security Consultant
Many professionals appeared to move into this role from general IT. Those who came from within the Cyber Security profession were mostly from an IT Security Analyst role.
Account Manager
The data suggested that many professionals in this role come from a general IT background or other industries, and within Cyber Security they had held the Account Manager role previously or progressed from a Sales Executive position. The general IT and non-IT roles these professionals came from were generally within sales.
Summary of Section 3 Qualifications and Degrees by Job Role

Qualifications
CISSP is the most common professional qualification, covering a broad range of disciplines across information security. More specialised roles require more specific qualifications. Specialised Cyber Security qualifications feature highly in the non-commercial roles and are becoming increasingly focused on specific subject areas.

Degrees
The figures demonstrate that undergraduate degrees may be more important in some job roles than others. Those in highly technical or very specialist roles more commonly had a degree, most likely due to the specific knowledge required for these roles, which could only be gained through academic study. Significant numbers of professionals without degrees have moved into management roles, where experience and a proven track record are the primary consideration over academics.

Summary of Section 4 - Demographic Profiles by Job Role

Location
With just a few exceptions, the majority of professionals in all of the job roles were located in the South East. Certain positions, such as consultancy roles, tend to be home-based and therefore have a wider geographical distribution.

Age
The age profile across most roles was widespread and did not tend to follow the trend of younger people in more junior roles and older people in management positions. Compared to other industries, there is a younger age profile in Cyber Security consultancy positions. This is perhaps due to the lifestyle and amount of travel generally involved with these roles together with knowledge of new leading-edge Cyber Security technologies.

Gender
The gender profile was shown to be predominantly male across all job roles. The roles with a higher proportion of female professionals were less technical positions such as Analyst, Officer, Manager and Security Administrator roles. Commercial roles also generally had a higher proportion of female professionals.
About Alderbridge

Providing professional recruitment services to the Cyber Security industry since 1997, Alderbridge has worked with over 35,000 professionals across the UK and Europe, in Cyber Security and closely related sectors. Alderbridge has supplied Cyber Security professionals to a wide range of prestigious organisations across the UK and Europe. Alderbridge team members are also practitioners in this field and lead industry bodies globally on information systems security.

For more information on Alderbridge please contact:
01423 321900
recruitment@alderbridge.com
www.alderbridge.com
Alderbridge Specialists in Info Security

e-skills UK, the Sector Skills Council responsible for: Business and Information Technology, including Software, Internet & Web, Computer Games, IT Services, Telecommunications and Business Change.

2000-2013 Reserved, e-skills UK All rights reserved. No part of this material protected by this copyright may be reproduced or utilised in any form, or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system without prior authorisation and credit to e-skills UK.

An e-skills UK publication

For further information please contact:
e-skills UK
1 Castle Lane
London SW1E 6DR
UK
Tel: 020 7963 8920
info@e-skills.com
www.e-skills.com