LinkedIn Information Security Talent Pool Research - Black Hat CISO Summit 2015 version
1. Exploring the Security Talent Pool
Cory Scott, Director - House Security, LinkedIn | @cory_scott
2. Introductions and Agenda
• Exploring the Information Security Talent Pool
• Survey the field
• Evaluate demand by geography
• Examine talent flows
• Onramps to Security
• Security Survival Rates
• A peek into the CISO Suite
4. Methodology
• Using public profile data of LinkedIn’s member base, we extracted attributes such as:
• Location
• Education and Field of Study
• Position attributes, such as:
• Employer
• Title (standardized)
• Length of employment
• Skills
• Not survey data
• Only as good as LinkedIn’s penetration into a given region
• Some results are US, Canada, UK, India specific
5. How many InfoSec professionals are there? Where are they?
189,000 members in Information Security roles
20,000 are senior: director-level or above
Country - % of Global Talent Pool
United States 47.32%
United Kingdom 7.57%
India 7.18%
Canada 3.15%
Australia 2.26%
France 1.98%
Italy 1.77%
Netherlands 1.71%
Spain 1.57%
Germany 1.48%
10 Countries make up 75% of the talent pool
6. Top Regions Worldwide for InfoSec Talent
1. Washington D.C. Metro Area - 6%
2. Greater New York City Area - 3%
3. San Francisco Bay Area - 2.2%
4. London, United Kingdom - 1.7%
5. Greater Boston Area - 1.5%
6. Dallas/Fort Worth Area - 1.5%
7. Bengaluru Area, India - 1.4%
8. Greater Chicago Area - 1.4%
9. Greater Atlanta Area - 1.4%
10. Baltimore, Maryland Area - 1.2%
7. Top 10 InfoSec Regions in US compared to general population
1. Washington D.C. Metro Area (7th)
2. Greater New York City Area (1st)
3. San Francisco Bay Area (11th)
4. Greater Boston Area (10th)
5. Dallas/Fort Worth Area (4th)
6. Greater Chicago Area (3rd)
7. Greater Atlanta Area (9th)
8. Baltimore, Maryland Area (combined with DC - 7th)
9. Greater Seattle Area (15th)
10. Greater Los Angeles Area (2nd)
Missing:
● Houston (5th)
● Philadelphia (6th)
● Miami (8th)
9. Existing Talent Pool : New Demand Ratio
Existing Talent Pool: already employed in an infosec position in 2014 for a given country or region
New Demand: new job posting for infosec position in the given country or region for 2014
10. Employer Demand in relation to Country Talent Pool: 2014
High Demand
United States - 4:3
Canada - 3:2
New Zealand - 3:1
Australia - 3:1
China - 4:1
United Kingdom - 5:1
Ireland - 5:1
Hong Kong - 5:1
India - 5:1
Singapore - 5:1
Low Demand
Spain - 20:1
Mexico - 20:1
France - 25:1
South Africa - 25:1
Brazil - 33:1
UAE - 33:1
Italy - 50:1
Ratio is number of Information Security staff already employed in country compared to number of Information Security job postings in 2014.
11. Regions with High Demand in 2014
2:1
Greater Atlanta Area
Dallas/Fort Worth Area
Greater Los Angeles Area
Ontario, Canada
Greater Boston Area
Greater Seattle Area
Washington D.C. Metro Area
Greater Chicago Area
1:1
San Francisco Bay Area
British Columbia, Canada
6:5
Baltimore, Maryland Area
3:2
Greater New York City Area
Ratio is number of Information Security staff already employed in region compared to number of Information Security job postings in 2014.
12. Regions with Low Demand in 2014
Ahmedabad Area, India - 100:1
Ottawa, Canada Area - 50:1
Montreal, Canada Area - 33:1
Pune Area, India - 20:1
Toronto, Canada Area - 14:1
Kitchener, Canada Area - 13:1
Milton Keynes, United Kingdom - 11:1
New Delhi Area, India - 11:1
Oxford, United Kingdom - 10:1
14. US Talent Migration 2013 -> 2015 Region Growth %
Tampa/St. Petersburg, Florida 10.90%
San Francisco Bay Area 7.50%
Portland, Oregon 7.50%
Houston, Texas 7.20%
Austin, Texas 6.00%
Charlotte, North Carolina 5.30%
San Antonio, Texas 5.10%
Greater Denver Area 4.70%
Phoenix, Arizona 4.60%
Dallas/Fort Worth, Texas 4.20%
These regions managed not only to retain their existing information security staff, but attract talent from other regions in meaningful numbers.
Miami is also on a good path to growth at 3.7%.
15. US Talent Migration 2013 -> 2015 Region Growth %
Little Rock, Arkansas -8.00%
Albany, New York -7.30%
Norfolk, Virginia -4.60%
Rochester, New York -3.80%
Albuquerque, New Mexico -2.50%
Louisville, Kentucky -2.50%
Providence, Rhode Island -1.80%
Tucson, Arizona -1.40%
Minneapolis-St. Paul, MN -1.10%
Detroit, Michigan -1.00%
These regions are losing information security staff and failing to attract talent from other regions in meaningful numbers.
There’s also stagnation in these regions:
● Chicago
● Philadelphia
● New York
16. Company Size / Title flows: 2013 -> 2015
• InfoSec talent is leaving larger companies to work for smaller ones.
• Companies larger than 5000 employees have had net losses.
• Smaller companies have had net gains.
• Lots of people are becoming CISOs and managers!
• There are 10.6% more CISOs in the past 2 years alone.
• 6.3% more infosec managers
• 8.2% shift to senior security consultants
• Lots of people are leaving the network security track: 7% loss of network security engineers
18. InfoSec Higher Education
22,000 members have fields of study related to information security
Where did they go after they got their degree?
• 21% Infosec
• 20% Development and QA
• 19% Consulting
• 15% IT and Operations
• 11% Management (non-InfoSec or unspecified)
• 5% Academia
• 5% Internships
• 4% Unknown
19. People with experience in technology are coming into InfoSec
Engineering / Development
2000: 12.2%
2005: 16.4%
2010: 18.1%
2015: 24.7%
Admin / Analyst / Operations
2000: 13.7%
2005: 16.2%
2010: 17.5%
2015: 23.3%
20. Where to find your next InfoSec hire
Most common titles for members prior to entering InfoSec
• network engineer
• system administrator
• system engineer
• network administrator
• information technology
• senior network engineer
• software engineer
• information technology manager
• senior system engineer
• engineer
22. The average InfoSec position lasts 3.1 years.
Greater than average
• security manager
• director information security
• network security manager
• information system security manager
• information technology security officer
• information technology security manager
• chief information security officer
• senior security manager
• director information technology security
• vice president information security
Less than average
• identity management consultant
• security researcher
• information assurance analyst
• security consultant
• network security consultant
• security auditor
• information security consultant
• information assurance consultant
• senior information assurance engineer
• information assurance engineer
23. InfoSec Position Tenure by Industry
Top 10 industries for longevity
(between 3.6 and 4.2 years)
• aviation and aerospace
• military
• primary/secondary education
• wholesale
• semiconductors
• paper & forest products
• printing
• food production
• chemicals
• law enforcement
Top 10 industries for lack of longevity
(between 1.5 and 2.6 years)
• staffing and recruiting
• computer games
• sports
• internet
• government relations
• management consulting
• computer & network security
• maritime
• wireless
• civil engineering
• computer software
Other popular industries
Below average
• information technology & services
Average or slightly above average
• telecommunications
• banking
• financial services
• defense & space
• military
24. What about leaving the field altogether?
Top 10 jobs most likely to be “last” InfoSec job
• network security administrator
• network security consultant
• information assurance consultant
• system security administrator
• chief security
• information risk manager
• security administrator
• security project manager
• identity management consultant
• security team lead
Top 10 jobs least likely to leave InfoSec
• penetration tester
• senior information security engineer
• information security architect
• senior information technology security analyst
• senior information security analyst
• information security engineer
• enterprise security architect
• information security advisor
• senior manager information security
• information technology security architect
25. An analysis of Senior InfoSec talent
Ascending the ranks
26. Background of Senior InfoSec Talent
~48% come from a technical background (eng / IT / ops / dev)
Some popular non-technical fields that senior InfoSec talent come from:
• Program and Project Management
• Consulting
• Sales
• Research
• Military and Protective Services
• Finance
• Education
• Legal
• Non-technical Operations
• Business Support Roles
27. Want to be a senior infosec person? Pick up these skill clusters!
Skill Clusters on LinkedIn and the % of Senior Information Security staff that have them
● Business - 77%
● IT Infrastructure and System Management - 75%
● Finance - 26%
● Process and Project Management - 20%
● Management and Leadership - 19%
● Computer Network and Network Administration - 15%
● Medical - 11%
● Healthcare Management - 11%
● Law - 11%
● Risk Management - 9%
● Microsoft Windows Systems - 8%
28. CISO-specific data
A CISO lasts, on average, 3.94 years in their position. Tenure varies significantly based on company size and industry.
Company Size - Avg CISO Tenure (years)
11-50 3.2
51-200 3.6
1001-5000 3.7
10001+ 4.4
It takes, on average, 13 years of work experience to become a CISO.
To get a CISO position in a larger company, you need another year or two of experience on average.
29. CISO Tenure By Industry
Industry - Avg Tenure (years)
Financial services
• accounting 4.3
• insurance 4.3
• financial services 4.2
• investment management 4.1
• banking 4.0
• investment banking 3.2
Medical and healthcare
• pharmaceuticals 4.0
• hospital & health care 3.8
• cosmetics 1.8
Energy
• utilities 5.5
• oil & energy 3.7
Consumer
• retail 4.3
• food & beverages 3.9
• consumer goods 3.7
Technology
• information technology and services 3.8
• computer and network security 3.4
• internet 3.0
• computer software 2.8
Average tenure: 3.97 years