The Cyber Gap Series — Part 5

Economic Factor

When examining the economic factors that have contributed to the cybersecurity employment gap, it is helpful to view jobs as commodities. And, like any other commodities market, the jobs market is subject to the same universal law of supply and demand. This law provides a foundation from which additional compounding factors can be examined, such as the wage factor, barriers to entry, and returns on investment. Before we examine the specific, let us first touch upon the most generic: supply and demand. To put it simply, supply (the quantity of an item that will be sold at a given price) and demand (the amount of said item buyers will purchase at a given price) are the chief economic forces of the market[1]. They, ideally, pull against each other to allow the market to find an equilibrium price, the point at which both buyer and seller may conduct business in an unrestricted and mutually beneficial manner.

In the context of the cybersecurity jobs market, this equilibrium existed roughly around 2007, as indicated by compensation averages being similar those of other industries[2]. However, the law of supply and demand is subject to a multitude of factors that disrupt price equilibrium. In the same vein, the cybersecurity jobs market is also subject to several disruptive factors. As previously discussed, the events in Estonia and between the Depart of Defense and China in 2007 would indeed be that disruption and create a rapid increase in demand that supply has yet to meet[3]. The divergence between supply and demand in the labor market has manifested itself in the noticeably higher rates of compensation for qualified individuals (~$99,730) as compared to the total average of all occupations in the US economy (~$39,810) and even within the computer science field (~$88,240)[4].

Now, in theory, with offers of significant compensation and a plethora of jobs seemingly available for the taking, one should expect the supply to slowly match pace with demand. Even with the expected multi-year delay of the education-pipeline, the succeeding thirteen-year gap should be sufficient to close the distance. Yet, each year more jobs go unfilled. This is where additional factors affect market supply. One such factor is the lack of a generally accepted model or set of investment principles that organizations can use to guide cybersecurity development[5]. Between 2013 and 2020, the total investment in cybersecurity grew from $15 billion to a forecasted $41.9 billion[6][7]. Despite this growth, a number of organizations struggle to determine which areas are worth investment and which are areas of acceptable risk. The lack of uniform investment strategies stems from a general lack of standards within the industry itself in defining, tracking, and reporting security incidents and attacks as well as job descriptions, roles, and responsibilities[8].

Inefficient cyber-investment models can exacerbate costs, allow organizations to develop a false sense of security and lead to employees being underemployed or overwhelmed due to inaccurate job descriptions. To further complicate the economics of the gap, organizations must consider the hiring costs of onboarding prospective applicants, downtime for training, and even firing costs of those who cannot fulfill position requirements[9]. With hiring costs estimated to be several times higher (even as much as 12x higher[10]) than other industries, managers have reason to give pause when entertaining an application. Combined with the low number of industry personnel who are considered qualified, the market value for said individuals increases, with the “Upper-Tier” (~Top 10%) commanding salaries more than $250,000[11].In essence, employers must ensure their investment in human capital makes a return on said investment. With competition for the seemingly rare, qualified professional, many organizations have elected to hire internally[12], further widening the employment gap.

The need for onboarding pre-qualified professionals may have yet another exacerbating factor: company lifespan. During the 1950’s the average lifespan of a S&P 500 company was sixty years.[13] Currently, the average lifespan is just under twenty and it is forecasted to be around fourteen by 2026. In fact, about 50% of all companies listed on the S&P 500 will be replaced within the next decade.[14] With major corporations struggling to maintain over long periods of time, it is not unreasonable to assume that smaller companies are also experiencing similar rates of dissolution as indicated by only half of small businesses making it to the five-year mark.[15] As the operational lifespan of a company continues to shrink, so too does the appeal of onboarding employees that require several months to several years of in-house training before they begin to provide an employer with a return-on-investment. Within this context, it may make better business sense to work with a known value (i.e. someone with demonstrable experience and skill) than an unknown value (i.e. an employee with greater hiring costs).

An important concept of supply and demand is the ability of one force to pull on the other. Over the long term, workforce availability will assist in decreasing barriers to entry as supply begins to level with demand. However, this can only occur if the perceived quality of the supply meets or exceeds the perceived quality of the demand, meaning the number of “qualified” individuals will have to increase. To establish how this increase can occur, we must first examine the state of the education pipeline for cybersecurity to determine why members of the industry are considered unqualified.

[1] Investopedia. (2019, September 29). Law of supply and demand.

[2] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[3] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[4] U.S. Bureau of Labor Statistics. (2020, September 1). Information security analysts: Occupational outlook handbook: U.S. Bureau of Labor Statistics.

[5] AFCEA. (2013). The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. AFCEA Cyber Committee.

[6] AFCEA. (2013). The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment. AFCEA Cyber Committee.

[7] Statista. (2020, July). Cybersecurity spending worldwide 2017–2020.

[8] RAND Research Brief. (2008). Cybersecurity Economic Issues: Corporate Approaches and Challenges to Decision-making (RB-9365–1). RAND Corporation.

[9] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[10] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[11] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[12] RAND National Security Research Division. (2014). Hackers Wanted (RR-430). RAND Corporation.

[13] Sheetz, M. (2017, August 24). Technology killing off corporate America: Average life span of companies under 20 years. CNBC.

[14] Mochari, I. (2016, March 23). Why half of the S&P 500 companies will be replaced in the next decade.

[15] Todd, R. (2017, September 7). How long your small business will last, according to data. Fundera: Compare Your Best Small Business Loan and Credit Card Options.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Cyber Nullius

Cyber Nullius


B.S. in Cybersecurity | CSAP | CNVP | CNSP | CySA+ | Pentest+ | Security+ | Network+ | CTCE | Humble Beginner | Hopeful Space Traveler