Everywhere you look, cybersecurity is booming.
But there are also huge professional success stories with companies and people working in cybersecurity that are making national headlines. Here are two examples that I want to highlight from just the past month:
Cisco is buying Duo Security for $2.35 billion in cash — “Cisco today announced its intention to buy Ann Arbor, Mich.-based security firm, Duo Security. Under the terms of the agreement, Cisco is paying $2.35 billion in cash and assumed equity awards for Duo. Duo Security was founded in 2010 by Dug Song and Jonathan Oberheide and went on to raise $121.M through several rounds of funding. The company has 700 employees with offices throughout the United States and in London, though the company has remained headquartered in Ann Arbor. …”
Cybersecurity firm Tenable closes up 31% — Shares opened at $33.00, nudging the company's market value above $3 billion, and closed at $30.25 per share.
I focus on these two examples because I happen to know Amit Yoran (CEO of Tenable), Dug Song and Jon Oberheide. I am not close friends with any of them, but I have done security work with each of them in a variety of different ways over the years. From speaking at conferences on the same panels, to meeting with their teams, to working on advisory boards together, I admire their hard work and business acumen.
While I did not profit personally from these great stories, I am really happy for them. Their companies will no doubt be studied in business schools around the world, and they are extremely talented individual leaders.
Nevertheless, there are many, many others succeeding in the private sector. A large percentage of those people are former federal, state and local government cyberleaders. I won’t start naming more names, but let’s just say that the list of those who have profited greatly in their careers working in cybersecurity is very long. While many celebrate this private-sector success, alarm bells are growing louder in public-sector circles.
This topic was recently highlighted by a Politico article which describes the FBI’s cybersecurity talent brain drain. Here’s a quote: “The bureau has lost about 20 top cybersecurity leaders to lucrative corporate jobs over the past five years, even as hacking threats multiply.”
CyberTalent Pay Gap: What Has Been Underreported Up Until Now
Yes, there is a wider story here. Add in the growth of many cyberstartup companies, Wall Street investments in security companies, new interest in security company takeovers, and it is not hard to see another important storyline developing. In fact, if you connect the dots going back several years, I admit that I underestimated the cybertalent pay gap storyline. Numerous articles talk about pay packages, bonuses and medical benefit differences, but few analysts are talking about the stock market (gold at the end of the rainbow) aspects of some private-sector cyberjobs.
This blog is an attempt to highlight that very important missing piece and to provide some further thoughts on what may be coming next regarding attracting and retaining public- and private-sector cybertalent. Indeed, if these trends continue, the cyberservices market will need to drive an acceleration in government’s partnering (or “outsourcing” or “co-sourcing”) of cyberjobs with the private sector as we head into the 2020s.
While the hard work, accomplishments and successes of Amit Yoran, Dug Song and Jon Oberheide are truly extraordinary, the benefits of stock ownership for a long list of people cannot be underestimated. Remember, hundreds of others at Duo Security and Tenable and other cybercompanies have received stock grants and options leading to very big paydays when acquisitions or IPOs take place.
Public-Sector vs. Private-Sector Challenge
Here are some helpful background articles with data to consider on public-sector pay gaps for cyberpros:
Computerworld (Australia): The Australian Signals Directorate (ASD) prepares to compete with private sector for cybertalent
Army Times: How the army is competing with Google for these Ninjas
WSJ: The government needs more cybertalent, but so does everyone else
PBS: The FBI's cybersecurity brain drain has long-term implications
The Globe and Mail: How Canada can close the cybersecurity talent gap
The Wall Street Journal (WSJ) article (above) describes the large pay gap at the CISO level for top talent, but some HR directors and CIOs that I have spoken to in the public sector dismiss these numbers because so few people ever reach this level. Almost like Kirk Cousins making $84 million as quarterback for the Minnesota Vikings, the reasoning goes that very few people ever make this kind of money. Bottom line, there are only so many quarterbacks in the NFL, and only a few top CISOs in New York City at the top banks.
But what this analysis fails to account for is that stock options are given to the majority of employees in companies like Duo and Tenable. Are these companies the exception or the norm (or somewhere in between) over the next decade? That is the big question.
No doubt, most companies are not as successful as these two specific examples. But what I am hinting at is a fundamental shift for some in achieving “the American Dream” — for technology (and especially cybersecurity) professionals.
Another big factor is the stock market overall. Some say we are heading for a crash, while others say we have years to go in our current bull market. The answer to that question will also strongly influence the decisions made by millennial cyberpros and others over the next few years.
My Take on the Current Government Cybersecurity Jobs
I have always been, and still remain, an advocate for public-sector jobs in cybersecurity. I've been interviewed and quoted on the topic, and I like to write articles and blogs on the many non-monetary benefits of public-sector technology and security careers. Articles such as:
2007: Culture of Security (GCN Interview)
2014: The case for taking a government cyber job
2016: Millennials in Government — or Not?
2016: Developing Government Cyber Leaders
2016: Pros and Cons of Working Federal Cybersecurity (Dice Interview)
2018: Evaluating Technology and Security Leaders
2018: Why You Should Consider A Career In Government Cybersecurity (Tripwire Interview)
I remain convinced that a government cyber-role is a great way to start, or end, a career. Remember, this is not an “all or nothing” decision, and many pros have both on their resume. There is also more job security and less risk in public-sector cyberjobs.
However, I also want to be entirely transparent with what is going on right now in the cybersecurity job market. Acquiring and keeping cybertalent remains one of the top goals for government technology leaders, and I think the case just got harder with stories like Duo and Tenable making headlines. Ignoring this topic is like sticking your head in the sand, and honest discussion on the career choice pros and cons and risks and benefits is the best approach.
Right now, I am seeing more (but still a small number of) talented experts taking lower salaries, sometimes even below public-sector cybersalaries, in exchange for stock options in small cybercompanies. The Duo and Tenable stories show why.
Like football and baseball free agent markets, there are a few exceptional cases regarding compensation. But everyone who is on the team is influenced by those top salaries.
Back in 2012, the Washington Post and other major media outlets were talking about demand rising for cyberprofessionals. That demand has accelerated dramatically to the point that later in 2018, the cybertalent battle may start to fundamentally change business models.
If the trend continues, governments will have a much harder task of keeping their best and brightest. Exceptions to this trend will always exist for various reasons, such as almost-retiring baby boomers who have a few years left to get vested in benefits and/or other unique situations where men and women do not want to move due to family ties. There are certainly regional job market differences, and the quality of life in different roles can vary as well.
Life in some private-sector cybercompanies can be relentless, with travel and longer hours. Some public-sector pros may not want this lifestyle. Nevertheless, more people will choose this road if more companies follow the Duo and Tenable examples to success.
History shows that nothing is certain. In the past, hot tech companies that were soaring on the NASDAQ eventually came back to earth. Stock market corrections swing the pendulum the other way regarding both perceptions and reality.
So what will happen with cyberjobs in the public and private sectors over the next few years? Only time will tell.
But currently, stock options, IPOs and company acquisitions are accelerating the cybertalent compensation divide.