Cloud Security Jobs Outlook – April 2018
Looking at the cloud security jobs listed on both Dice and Indeed tells a very interesting story about the current demand for cloud security professionals in the United States. It appears that employers have begun to see cloud security as a dedicated role and not a bolt-on to a generic security position as they did in the past.
To me, this makes complete sense. As more and more companies move increasingly sensitive data to public cloud, they are understanding the importance of having team members that are trained and aware of the security issues that are unique in a cloud environment.
- Nearly 30,000 open security positions that involve cloud services in some manner
- Over 2000 open positions for dedicated cloud security professionals
- Twice as many companies looking to fill all AWS positions compared to Azure
- “AWS Security” has 3.5x more job listings than “Azure Security”
- Cloud aware risk professionals are highly sought after with nearly 14,000 job openings
- Big demand for cloud compliance. Over 11,000 open positions list compliance and cloud.
Experience vs Degree
Across the board, it appears that a 4 year degree is not a hard requirement for the vast majority of positions that were viewed. In many cases, any degree listed was listed as preferred and accompanied by “or equivalent experience”, even for senior technical positions such as cloud security architect. Experience is king for tactical positions. It would appear that most firms have a business or computer science degree as an absolute requirement for executive positions such as Chief Information Security Officer, Vice President and other leading strategic positions. Experience is the single most important items employers are looking for.
Cloud Security Certifications
Both the CCSK and CCSP are in demand by employers. Indeed lists 136 open positions with CCSK as being a desirable or preferable certification to have. The CCSP comes in with 538 open positions stating the same. Of interest, the majority of positions with either certification listed were listed as mid-level to senior positions. Although not certain if this finding happens to be an outlier or not, but the CCSK seems to have a more diverse geographical awareness than the CCSP. CCSP appears to have most job listings in and around the Washington DC area whereas the CCSK has a stronger presence in the west coast.
Show Me The Money
I must admit, this finding struck me as a bit odd. Indeed offers a salary estimator tool that shows the job postings that list CCSK as a qualification start at the $105,000 mark, rising up to $135,000. The job listings that had CCSP as a qualification started at $65,000, going up to $130,000.
I want to stress the importance of experience here before anything else. Nobody is starting their career with a single certification under their belt and earn a 6-figure salary. On the surface, it appears the CCSK is listed more often with higher-level positions and the CCSP is listed in positions that aren’t 100% dedicated to cloud services. There is also a naming conflict that may be happening here. Cisco did have a certification called the CCSP in the past for their security professionals. They retired it quite some time ago, but I did notice some listings still calling for it.
Also, the CCSK demand does appear to be somewhat stronger in San Francisco and San Jose areas. With cost of living what it is, this too may explain the higher salary for CCSK compared to CCSP.
I think it’s fair to say that both cloud security certifications are demanding pretty strong salaries right now and I personally believe market demand will only get stronger as more companies seek cloud-centric security professionals.
Where are the Cloud Security Jobs?
Indeed lists 14 top locations when searching for “cloud security”. Of the 14 cities listed, San Francisco (1) and San Jose (3) account for 2 of the top 3 cities looking for cloud security professionals (New York City comes in 2nd. Half of all major centers listed are on the west coast with a total of 357 open positions. East coast comes in 2nd with 4 cities listed and a total of 269 open positions. Finally, the middle of the country has 3 cities listed and a total of 141 positions available. Here’s the list from Indeed:
San Francisco, CA (99)
New York, NY (82)
San Jose, CA (75)
Boston, MA (70)
Washington, DC (65)
Seattle, WA (64)
Chicago, IL (60)
Atlanta, GA (52)
Austin, TX (49)
Santa Clara, CA (32)
Dallas, TX (32)
Sunnyvale, CA (31)
Mountain View, CA (29)
Redmond, WA (27)
The Canadian market does not look promising for security professionals in or out of cloud services. Generally, one could expect to see 1/10th of the available listings because Canada is roughly 10% the population of the USA. Some quick examples of how Information Security is falling further and further behind the USA using the following searches on Indeed Canada searches vs Indeed USA:
“Information Security”: 883 open jobs vs 17,175 in USA
“Cloud Security”: 143 vs 2073
AWS: 2,410 vs 28,701
“AWS Security”: 9 vs 263
Cloud AND Risk: 1,174 vs 13,919
Note: When looking at these numbers I wanted to eliminate the possibility that Canadian employers used Monster and not Indeed for job postings. Monster Canada was researched as well and numbers there are lower than Indeed Canada searches. That to say, I believe it’s as close to and apple to apple comparison as possible.
The future for Information security professionals who understand cloud services is very bright. Many companies (in the USA) are looking for dedicated cloud professionals. This implies that companies are gaining maturity of security processes in cloud and realizing that cloud security is a full-time activity, not merely another place workloads are run like they are internally.
There are a significant amount of employers that are becoming aware of cloud security certifications. It would appear this is an excellent time to explore both CCSK and CCSP certification training offerings. You can find out more about the CCSK here and more about the CCSP here. You can also check out an opinion piece on the difference between the two certifications here.
Companies are also looking for Information risk management professionals who are cloud aware and understand the differences between cloud and traditional IT service delivery. If you are a risk management professional looking to advance your career, you should strongly consider investing in a general cloud security course such as the CCSK or CCSP. Adding a vendor specific certification such as AWS or Azure may not be the best use of time and money for risk management professionals.
Note About The Searches
When doing these searches on both Indeed and Dice, the use of quotation marks had a dramatic impact on the search results. Our findings are that searches without quotes found jobs that did not have a dedicated role assigned to them, unlike the jobs that came back when quotes were used. For example, when looking up cloud security (no quotes), jobs came back that may have wanted some experience in cloud and some experience in security. This included findings for application security professionals that would analyze application security for traditional and cloud based applications. On the other hand, when quotation marks were used, the jobs listed had the role of cloud security in the job title and the employer is looking for dedicated cloud security professionals.
Job Posting Results
The following are the raw numbers that were collected when this cloud security jobs research was performed. The numbers are obviously going to change very quickly and will likely not be the same if you perform the same search yourself right now. This paper was written in April 2018, so you can issue the same query now and see if demand is going up or down.
140,514 listings for search of “information security” (without quotes)
17,175 listings for search of “information security” (with quotes)
4,029 listings for search of “information security” AND cloud
13,919 listings for search of cloud AND risk
11,434 listings for search of cloud AND compliance
29,909 listings for search of cloud security (without quotes)
2,073 listings for search of “cloud security” (with quotes)
2,925 listings for search of “AWS security” (without quotes)
263 listings for search of “AWS security” (with quotes)
2,323 listings for “Azure security” (without quotes)
74 listings for “Azure security” (with quotes)
28,701 listings for AWS
14,766 listings for Azure
136 listings for “CCSK”
538 listings for “CCSP”
40,928 listings for search of “information security” (without quotes)
3,497 listings for search of “information security” (with quotes)
4,029 listings for search of “information security” AND cloud
1,723 listings for search of Cloud AND risk
2,122 listings for search of cloud AND compliance
31,662 listings for search of “cloud security” (without quotes)
378 listings for search of “cloud security” (with quotes)
27,219 listings for search of “AWS security” (without quotes)
32 listings for search of “AWS security” (with quotes)
25,257 listings for “Azure security” (without quotes)
15 listings for “Azure security” (with quotes)
11 listings for “CCSK”
87 listings for “CCSP”