Cyber Security Jobs Report
Release Date
January 8, 2013
Report Sponsors
This report was made possible through the generous support of the Abell Foundation, an organization dedicated to the enhancement of the quality of life in the city of Baltimore and across the state of Maryland. You can learn more about the Abell Foundation at their website, www.abell.org. CyberPoint International, CyberMaryland, Welz & Weisel Communications, and their collective community partners provided additional support.
About the Authors
Organized through the Baltimore Cyber Technology & Innovation Center (CTIC), this report is the result of a collaborative effort between CyberPoint International, CyberMaryland, Welz & Weisel Communications, and their collective community partners.
Table of Contents
Mission
Scope the Project
Methodology
Highlights: Cyber Jobs
Highlights: Education and Training
Summary
Appendix A: Cyber Security Taxonomy
Appendix B: The Cyber Jobs Survey
Mission
With the dramatic proliferation of computing and communications technologies across the globe, the cyber security industry has experienced unprecedented growth — particularly in the Baltimore metropolitan region. This growth has created an urgent need for qualified individuals to fill current job openings and to develop the skilled workforce necessary to address the expected dramatic job growth in the future.
While there has been a great deal of talk about job growth in the media as well as in industry and government circles, there are only generalized estimates as to the true number of available cyber security jobs. There is also a lack of consolidated information on the training and educational requirements for obtaining those jobs. The purpose of this project is to shed some light on both of these issues. Our goal for this report was to generate awareness of cyber security jobs in Maryland, including the educational requirements for eligibility (i.e. certifications, two- or four-year degrees, etc.) and the programs available within Maryland to help individuals meet these requirements. While this effort will stand alone as a snapshot in time, we intend to identify a repeatable process such that the results can be updated regularly and periodically and will lead to an on-going cyber security job index based on emerging initiatives and activities.
Scoping the Project
Cyber vs. Cyber Security
The term “cyber” has been applied broadly throughout industry and has evolved to have almost no real meaning. In order to deliver valuable results, it was important to bound this study and define the scope of our project. This starts with defining what the terms “cyber” and “cyber security” mean to us in the context of jobs. Most professionals in the security industry use the term “cyber” as a short form of “cyber security”. When using the term “cyber”, they are not generally referring to Information Technology (IT) or referring more specifically to systems administration, network management, or network administration. Rather, they are referring to the technologies, people, and procedures influencing the protection of information and information systems. However, those not in the cyber security industry often adopt the term, “cyber”, much more loosely to involve most anything related to IT, software, or any technology or capability that uses 1s and 0s.
For the purposes of our study, we specifically considered Maryland programs and positions that support science, technology, engineering, and mathematics (STEM) disciplines in the cyber security industry. This includes positions available in both commercial sectors and government agencies and at all levels of education and training. A main objective of this study was to produce results such that a candidate interested in a certification program or degree program at one of the institutions within Maryland could see how many jobs they will be exposed to after completing such a program. For example, candidate X will know that when he/she completes their cyber security program at Y institution, they will have Z number of jobs for which they qualify to apply. We attempted to identify the numbers and levels of jobs offered throughout the state of Maryland and tie them to the qualifications required. Additionally, the results could be beneficial to job creators, industry and economic leaders, as well as investors and other key cyber stakeholders.
The Cyber Security Jobs Report is tailored to job titles and/or roles that support the mission or purpose of protecting data, systems, and infrastructure from unauthorized access, theft, manipulation, or destruction, while maintaining access for authorized users and the effective functioning of essential services. We concede that almost any IT job could serve as a stepping-stone to a cyber security job, just as it could be assumed that any job requiring a security clearance could serve as a stepping-stone to a cyber security job at one of the federal Intel agencies. However, we based this study on opportunities that serve as a direct path to a cyber security job where purpose determines the role.
Additionally, we did not include jobs that are outside a technical STEM field but support the mission of cyber security. We acknowledge positions such as linguist, intelligence analyst, policy maker, and others are abundant in our region and are extremely valuable pursuits in support of the cyber security mission. However, for the purposes of this study, our focus was on
Assumptions
In our efforts to determine Maryland’s true differentiation, if any, with regards to cyber security jobs, there are a few assumptions upon which we relied. IT positions were not considered cyber security opportunities, unless their job roles specifically address security concerns and/or responsibilities, which often was the case in many job listings. It is understood that many small/mid-size businesses often mix roles of IT personnel but larger companies have security teams separate from IT staff. Therefore, we may have discounted some small/mid-size companies that exist in every state that hire one or two system administrators to serve as security personnel. While these jobs exist, they exist everywhere throughout the United States and at a fairly even distribution. Again, it was our goal to highlight what is unique about Maryland as it relates to cyber security.
The organizations targeted for this study included public and private companies, large systems integrators, government agencies, and job placement companies, etc. In scoping this study, we had to consider that many of these organizations might be reluctant to share too much detailed information. It was also necessary to be respectful of their time in order to encourage participation. Therefore, it was important to keep data collection simple and at a fairly high-level in order to yield the best opportunity for the greatest participation. In order to make the numbers as accurate as possible, we also moved away from an initial strategy of allowing target organizations to speculate on future job numbers. An ongoing Cyber Jobs Report will better serve understanding growth in the cyber security job market, and the reality of projections.
Cyber Security Roles
In the area of cyber security, we see the following categories of opportunities within STEM disciplines:
• Analysts
• Architects
• Developers
• Engineers
• Executives
• Instructors
• Interns
• Operators
• Programmers
• Researchers
• Sales Engineers
Each of these roles has various educational, certification, and/or level of experience requirements. We considered all levels of roles from chief information security officers (CISOs) to interns; from network security analysts to software security programmers; from security researchers to security software sales engineers. Our objective was to identify and create awareness of all possible avenues into the cyber security field for professionals, practitioners, and entry levels alike.
Cyber Security Educational Requirements
In addition to considering the opportunities available and offered in the state of Maryland, we explored the educational, training, and certification programs throughout the nation. The categories we set out to consider are as follows:
• Work Study Programs
• Internships
• Technology Certification Programs (e.g. ITT Institute)
• Community College Degree Programs
• 4-Year Degree Programs
• Graduate Degree Programs
• Post-Graduate or Doctoral Programs
• Professional Certification Programs (e.g. CISSP)
• Other (Specialized Training)
Cyber Security Jobs Reporting
The results of our report were released in two phases. First, a presentation entitled the Cyber Security Jobs Report was delivered at the 2012 CyberMaryland conference. At the conference, the initial findings were shared and the presentation was followed by a question and answer session with expert panelists. The second phase is this report, where our methods and findings are fully documented.
Cyber Security Taxonomy
As the cyber security market evolves, the technology classifications and taxonomies that describe the industry are evolving as well. Based on industry experience and analysis of the marketplace, we made the decision to adopt taxonomy used by the CyberMaryland Map. While opinions can differ greatly on how best to describe the cyber security marketplace, we believe this taxonomy accurately reflects the key product and service classifications existing in all sectors of today’s cyber security industry. At the highest level, we describe industry sectors and then categorize the functions to support each sector. This taxonomy formed the basis of the industry sectors and functions we considered within the jobs search. Below is a list of the high-level industry sectors. The next level including product types is included as Appendix A of this report.
• Critical Infrastructure Protection
• Cyber Intelligence
• Cyber Situational Awareness
• Data Protection
• Enterprise Security Management
• Infrastructure
• Investigative Analysis
• Managed Services
• Unified Threat Intelligence
• Wireless
Methodology
Research, Analysis, and Synthesis
After defining the scope of our project, we set out to test our assumptions and taxonomy. This involved a multi-faceted approach in which we would research, analyze, and synthesize, in an iterative fashion, samplings from both online job boards and corporate and government websites. During the first phase of this project, we evaluated sample job requisitions for position and education/training requirements, identified related articles on career and education opportunities, investigated relevant studies, and began to consider the technology community that was most prominent in the Maryland region. We used these initial findings to inform our process for creating a survey and to establish a targeted set of corporations and organizations with a significant presence in Maryland to which to distribute it.
Creating the Survey
Armed with the information from our research, we set out to answer the following questions:
• How many cyber security job opportunities exist in Maryland? More specifically, in the Baltimore area?
• Who is hiring and what types of positions are they looking to fill?
• What education and training qualifications are required to meet these positions?
• Are there opportunities available for those interested in the field right out of high school?
• What resources (Universities, Community Colleges, Institutes, Certification Programs, etc.) exist in Maryland to support these needs? And what programs do they offer?
• How does Maryland compare to other states?
To address the entirety of these questions, we created a fairly complex 24-question survey, which is included as Appendix B of this report. Our goal was to identify concrete numbers, which involved detailed questions. We attempted to make this survey as simple as possible and prepared to offer it online through Survey Monkey as well as to deliver it over the phone to targeted constituents. Our next step was to determine the appropriate target audience that would provide us with the results necessary to get a feel for the majority of jobs offered in the region.
Defining the Target Audience
In order to obtain a representative sampling of the cyber security jobs offered by the major employers in the region we targeted three primary sectors: Government Agencies, the Defense Industrial Base, and Maryland cyber security technology companies.
Government Agencies
The list of major government agencies with a mission focus on cyber security with a heavy presence in Maryland includes the Department of Homeland Security (DHS), Department of Justice (DoJ), Federal Bureau of Investigation (FBI), National Aeronautics and Space Administration (NASA), and the National Security Agency (NSA). These agencies actively recruit for cyber security professionals throughout the nation and are widely known. Additionally, most local universities have some form of a relationship with one or more of these agencies including those universities that have achieved the status of Certified Academic Center of Excellence in Information Assurance by NSA.
Defense Industrial Base
Due to the high concentration of systems integrators and government contractors that make up the region’s Defense Industrial Base (DIB), we set out to identify and include the major defense contractors. Through our research, we identified a Baltimore Business Journal source that ranked the top 25 defense contractors in Maryland based on contract size - Proctor, C. (2011, October 28). Top of the List: Maryland’s Defense and Federal Contractors, Baltimore Business Journal [1]. Starting with this list, we pared down and excluded those that were not focused on the cyber security industry. The resulting list of 17 included: AAI Corp, Arinc, BAE Systems, Boeing, Booz Allen Hamilton, CSC, General Dynamics, Hewlett-Packard, IBM, Johns Hopkins University/APL, L-3 Communications, Lockheed Martin, MITRE, Raytheon, Northrop Grumman, SAIC and SRA.
Maryland Cyber Security Companies
Of course, in Maryland, there are many more high-technology companies with a focus in cyber security beyond the government and DIB. We set out to identify as many Maryland cyber security companies as possible. This effort led us to use three distinct sources to identify the companies we wished to target: first, because of our relationship with CyberMaryland, we were fortunate to gain access to over 70 companies registered within the CyberMaryland Map whose primary focus is cyber security as we defined it – reference Appendix A and the Scoping the Project section of this report; second, through our relationships with the Emerging Technology Center (ETC), UMBC@bwtech Cyber Incubator, Northrop Grumman Cync and CyberHive programs, Chesapeake Innovation Center (CIC), and other incubators and investors, we have first-hand knowledge of most, if not all, of the early stage cyber security companies in the region; and third, we used a recent report published in Inc Magazine identifying the largest cyber security companies in Maryland — Top Companies in Maryland on the 2011 Inc5000, Inc Magazine [2]. The complete pared down list of targeted agencies and companies is included as Appendix C of this report.
Execution
Next, we leveraged the CyberMap contacts list, dug through our resources and researched online sources to identify HR contacts for each of these organizations. As we began to reach out to these targets, we immediately found a few issues that would have a definite impact on the reliability and accuracy of the survey results. While most of the people to whom we spoke were very supportive and willing to complete the survey, an overwhelming majority wanted to remain anonymous. Additionally, it was clear that the information we requested, which was so relevant to our study results, was just not readily available. Remember, we are conducting this study precisely because organizations do not typically classify their job openings by cyber security, so it is not evident how many of these positions are being advertised at any given time. Our initial discussions indicated that it would take months if not an entire calendar year for many of the larger organizations to capture and roll up all of the cyber security job requisitions they had outstanding. We ultimately concluded that the data provided by these candidates would be an estimate and could be misleading. This result was simply not acceptable to us.
Our objective was to get away from the estimates that were bandied about in the industry and leverage actual job requisitions to analyze and support our study. We went back to the brute force tactic of searching job boards and company websites, as was done in our initial research phases to assist with defining the cyber security jobs taxonomy. This led us to identify a research partner that would facilitate our searches and resulting tabulations and would provide the scale necessary to produce valuable and reliable results.
Applying STEM to the Study
Our research partner is the chosen job search provider for LinkedIn, MySpace, Plaxo, BusinessWeek, CNNMoney.com, The Washington Post, Mashable, GigaOm, All Things Digital, and thousands of other sites. Rather than tackle this problem with analysts and spreadsheets, we decided to actually apply STEM to our problem. Leveraging their job search engine, we were able to implement our taxonomy into an algorithm that would allow us to get real-time data on actual job requisitions that were currently being offered. This tool allowed us to not only search on cyber security jobs in Maryland, but narrow the search to the Baltimore and surrounding region and compare against the other cyber security hotbeds throughout the nation like Austin, Boston, Palo Alto, San Antonio, and others. This search engine and relationship enabled us to capture data from postings at job boards and company websites across the Internet while implementing an algorithm to ensure multiple listings of the same requisition were only captured and represented once. We would be able to capture metrics based on our searches to include total number of listings, top companies represented and total number of companies providing listings, major job roles, education and training requirements, experience levels, and types of positions (full-time vs. part-time), all broken down by region.
These outcomes were more in line with the goals we set out to accomplish. Real data supported by actual postings rather than assumptions and estimates.
Refining the Taxonomy and Expanding the Search
The initial results and energy that went into creating and initiating our survey proved extremely valuable to the process of implementing the taxonomy into a Boolean logic query algorithm. We established a baseline search for cyber security jobs in Maryland using a combination of forward leaning cyber security keywords such as cyber intelligence, cyber situational awareness, malware, and many others. This baseline search resulted in identifying over 3,000 cyber security jobs representing more than 1,800 employers throughout Maryland. We used this same query to make comparisons across the US, but the numbers seemed disproportional to what we knew about these other cyber security hotbeds. Because these results were not adding up, we took a subset of the jobs postings from each region and dug a little deeper. During this analysis we found that leaving out more traditional network security terms such as information assurance, network security, and others in combination with technology device keywords was to the detriment of these regions’ results. Upon expanding the search to include these terms, the job numbers in these competing hotbeds were magnified exponentially and seemed to even the playing field. With this expanded algorithm in place, our sample set grew to over 340,000 jobs across the nation and almost 20,000 jobs in the Maryland region alone, which made for a better comparison.
Analysis
Once we had a strong baseline of cyber security jobs, we set out to answer the questions cast by our mission. In the survey, we created questions that would lead us to actual data. Within our search results, we had the data we needed at our fingertips; it was just a matter of creating queries to formulate our results. We first established queries that would provide insights into what the industry was looking for in candidates, what qualifications were required, and what positions were sought. While this information was invaluable, making the connection from the Internet world to the physical world was just as important when considering this data.
A regional view is important. With access to the jobs search engine, we had the ability to apply our queries across the 340,000 cyber security jobs across the nation and associate them to cities and states in which they were being offered. This capability allowed us to determine how many jobs were located within Maryland and which ones were within close proximity to Baltimore. We also associated postings in other regions thought to be strong in cyber security to make comparisons to Maryland. Analyzing and understanding this data at the highest level was critical to answer the questions — Where are the jobs? and just as importantly — Who is offering these jobs?
We designed a query that identified each company and/or government organization that had a posting within our dataset. This yielded over 18,000 companies posting cyber security positions throughout the nation and over 1,800 companies in Maryland alone. The results were representative of just about all of the companies
After compiling the base data set, we conducted deeper analysis of the data to learn what specific job demographics and trends we could highlight. We implemented a query that identified all position titles within each posting and set up a running tally so we could determine the most popular positions. The query initially counted common position titles at different levels as separate counts, but we later refined the results and merged each of them into one common position title. For example, if our original query identified 500 Senior Computer Engineers, 300 Junior Computer Engineers, and 100 Computer Engineers, our final assessment concluded there were 900 Computer Engineers for the purposes of comparing common job roles. Of course, there is value in understanding the experience level differences. The experience breakdown is represented later in the results section of this report where we highlight education and experience level demographics.
We specifically evaluated the job position requirements, qualifications and engagement demographics. Our next query highlighted the levels of education required, whether that is a high school diploma, college degree, advanced degree or specialized training. We also looked at levels of experience sought and the types of engagements: part-time, full-time, contract, or internship. We evaluated the positions for certifications that seemed to be the most popularly suggested as providing an advantage. And there was specific interest in opportunities for those with only a high school diploma.
The following sections highlight our findings. A key point to consider is that our highlights are generated from actual postings across the Internet. There is no common or standardized data field structure adopted by the companies making these postings. They use their own job titles and descriptions. The data fields one company utilizes do not correspond directly to others. So while some provide required level of experience data, others may not. While some call out requirements for certifications, others may not. We did our best to normalize the results, but we can only make comparisons based on the content provided within each posting.
Education and Training
A solid understanding of which cyber security job opportunities are available is just one piece of the puzzle. However, in order for our emerging cyber security workforce to take advantage of these opportunities and in order to position themselves for successful entry into this field, they need to know what resources in Maryland are available to them to achieve the education and training requirements necessary. Fortunately, Maryland’s academic and training resources rival those of any in the nation. Local universities are dedicated to growing and building curriculum and certification programs to address the region’s growing needs. It is difficult to discern whether the high job numbers demonstrate increasing innovation or a difficulty in filling vacancies. It is clear, however, that there is opportunity for those seeking employment and an enormous amount of cyber security activity in the area. We expect this is partly because of the strong presence of the DIB and government agencies whose missions are finely tuned to the cyber security discipline. Over time, experts expect the need to continue generating supply and graduates and professionals from other regions will relocate to fill these positions.
By reaching out to local contacts and web searches, we collected data and provided a summary of the university, community college, technical institute, and professional affiliate programs focused on cyber security in Maryland for interested prospects to leverage. Highlights are included and documented in the following sections of this report. If your program is not represented or you wish to update or correct any inaccuracies, please feel free to contact us for future inclusion in follow-on reports.
Highlights: Cyber Jobs
Cyber Security Hot Beds with Job Openings
The Internet is full of cyber security job postings sourced by job boards, corporate websites, and various publication listings. The expanse of our research, which was a snapshot in time of the first week in October 2012, includes 340,000 jobs posted by 18,769 companies nationwide.
Based on this nationwide collection, we were able to segment them by region to make comparisons between several regions that are commonly considered hotbeds in cyber security. Figure 1 shows the relationship of the number of cyber security jobs posted in their respective regions. This data considers each city and the 25-mile surrounding area. Baltimore, with 13,393 postings, ranks 3rd just behind Palo Alto and San Francisco, two technical powerhouses, and slightly edges out Boston, which sits at 4. The remaining cities have significantly lower numbers, but are still very relevant cyber security regions.
The numbers indicate that the proximity of Baltimore to the National Security Agency, US Cyber Command, defense contractors and emerging companies supporting these agency missions has a significant impact on the region’s cyber security innovation and representation. This presents both opportunity and a challenge. Do these numbers indicate these regions provide the best opportunity? Or do they indicate they are cyber security professional deficient? It would seem to be a strong indicator for individuals interested in gaining employment. But, could it be a concern for a company looking to relocate or start in Maryland? The latter question cannot be adequately addressed without knowing the rate these positions are being filled. We will leave that for a follow-on study. Local universities are well aware of the high concentration of cyber security opportunity in Maryland; in fact, fifteen universities have become certified by NSA as Cyber Security Centers of Academic Excellence.
Maryland Companies with the Most Cyber Security Openings
It’s not just agencies in need of cyber security professionals. The government systems integrators and commercial technology companies supporting the cyber security mission in the region are also on the hunt. With 19,413 Maryland job postings considered in this study, we have identified 1,828 companies with job openings in Maryland alone.
Based on the cyber security job postings that were tuned to our queries, we were able to highlight companies with the greatest number of outstanding hiring requisitions. These results are highlighted in Figure 2 on the next page. It should be of no surprise that 9 of the 10 companies highlighted include government integrators that make up the Defense Industrial Base. The one outlier includes an online cyber security recruitment company, CyberCoders. Additionally, there were 25 companies with over 100 job postings, 50 companies with more than 45 job postings, and over 100 with greater than 20 job postings. The resulting average posting per company is 10.61.
These companies ran the gamut of industries to include: finance, healthcare, telecommunications, government, retail, critical infrastructure, academia, technology and many others. Tracking cyber security job offerings by industry is another point of interest for a follow-on effort. It would be interesting to identify which industries are contributing most to the cyber security industry and this could certainly be an indicator. Additionally, it would be interesting in a future effort to be able to dig deeply into the requisitions and apply earning potential and highlight which industry sectors support the highest paying cyber security jobs.
In addition to the companies represented, several Fortune 500 companies offer positions in cyber security. A cross-section of these companies includes: Lockheed Martin, Constellation Energy, Marriott International, Coventry Health Care, and Catalyst Health Solutions, all located in either Bethesda, Baltimore, or Rockville, Maryland.
We expect the composition of employers outside of Maryland to be very different. Depending on the location, they are less likely to have such a high representation of defense contractors. We also would expect a lower average number of job postings per company and a more diverse set of companies leading to their respective numbers. This is mainly because outside of government integrators, the largest population of security positions being offered would be from security companies themselves. There is simply not as high a concentration of cyber security companies, with the size of these integrators, co-located in any particular region as there are defense contractors positioned in the Maryland area. It would be interesting to evaluate and analyze the details related to each alternate region separately in a follow-on study.
Top Maryland Cyber Security Job Opening Positions
Most recognize the typical cyber security positions to include: chief security officer, chief information security officer, network security analyst, exploitation analyst, reverse engineer, and other commonly known positions. However, within this study, the scope of our definition was open to include all STEM positions supporting the mission of cyber security. Of the nearly 20,000 Maryland cyber security job postings we found that the most common job titles include much more traditional and widely adopted titles. The most popular titles can be seen in Figure 3 on the next page represented in a proportional comparison.
While a handful of creative job titles were identified, most align around curriculum offerings of our nation’s academic institutions. Engineering, administration, and analysis disciplines that revolve around both development and operational activities are the heavyweights. We have seen over time that work titles have evolved to be more and more in tune with actual job descriptions like reverse engineer and malware analyst, and the more often these positions are offered, the more likely specific education and training curriculum will be created to support them.
We looked at a cross-section of five (5) cyber security companies based in Maryland. Table 1 shows a summary of each of these companies, the number of cyber security jobs they were posting at the time of our study that aligned with our taxonomy, the most common position titles, and the company’s technology focus. When selecting these companies to profile, we wanted to make sure we covered both product and services as well as companies that target sales to both commercial and government customers. To clarify, this data was retrieved from each companies website. As is evident in just this small sampling, while there are several common words used for job titles, we highlighted 20 unique position titles. This is consistent with what we have seen across the larger data set.
| Company Name | # Job Openings | Positions | Technology Focus |
|---|---|---|---|
| CyberCore Technologies | 90 | Database Engineer, Web Analytics Developer, Applications Engineer, Network Engineer | Supply Chain Management, Secure Network Design, Penetration Assessment |
| SafeNet | 28 | Senior Systems Engineer, Network Security Engineer, Software Engineering Specialist, Web Developer | Cloud Security, Data Protection, Authentication, Encryption |
| Raytheon BBN Technologies | 27 | Cyber Security Scientist, Cyber Security Engineer, Software Engineer, Staff Scientist | DoS Triage, Cryptography, Systems Security, Standards Development |
| CyberPoint International | 11 | Reverse Engineer, Vulnerability Research Analyst, Cleared Programmer, Vulnerability Engineer | Malware Analysis, Reverse Engineering, Vulnerability Assessments, IR, CND |
| Lookingglass Cyber Solutions | 7 | VP of Engineering, QA Engineer, Data Engineer, Senior Internet Security Analyst | Over-the-Horizon Cyber Threat Suppression |
Maryland Cyber Security Job Breakdown
Taking a deeper look at the education and experience requirements for cyber security jobs in Maryland revealed that there are more opportunities being advertised for the entry- to mid-level workforce. Of those requisitions reporting education requirements, 76% require a Bachelor’s Degree while only 4% require a Master’s Degree or higher. This is consistent with the understanding that most of the jobs being offered are aligned with Engineering and/or Computer Science degrees of various disciplines and focus. Based on our data, it appears there is a great need for candidates with 0-5 and 10-15 years of experience. This could be a sign of investment and innovation in cyber security, as this level of workforce is often considered both the heart and mind of innovation. We also see that the overwhelming majority of job postings are for full-time engagements. The relational data can be seen in Figures 4 and 5 and is based on a sampling of the overall data.
Figure 4: Education and Experience Breakdown
What’s in it for High School Graduates?
While the majority of the opportunities, 83%, call for a Bachelor’s Degree or higher, there certainly are opportunities for high school graduates. These opportunities include internships, work-study programs, cooperative programs, and contract, part-time, and full-time employment. The cyber security field, from its inception, has always been friendly to technical professionals without college degrees. While most advertise degree requirements, many positions, from hands-on roles such as network analyst to those at the highest level such as CISO, will take the most qualified individual. A rule of thumb in the industry is that 4 years of experience will account for a 2-year degree equivalency and 8 years will account for a 4-year degree equivalency. The cyber security field grew out of the information technology field, which has always been heavy with self-taught and trained, skilled professionals and technicians.
The majority of jobs offered to high school graduates were established internships that require a path to a degree. However, Figure 6 includes a rank-ordered list of 10 positions that required a high school diploma and not a college degree.
Professional Certifications are Important to Some
Certification programs for Information Assurance have been around since the late 90s and early 2000s. Some have been more widely adopted than others. Based on our research, approximately one-third (1/3) of the requisitions included a certification requirement and/or preference. Based on our data, we have broken these certifications into tiers based on popularity. Popularity is determined by how often each shows up in job requisitions with Tier 1 being the most popular and Tier 3 being the least popular. A breakdown of these tiers can be seen in Table 2 on the next page.
| Popularity Level | 1000s of Requisitions | 100s of Requisitions | 10s of Requisitions |
|---|---|---|---|
| Tier 1 | CISSP | | |
| Tier 2 | | CAP, CISM, SSCP | |
| Tier 3 | | | GIAC, ISSEP, GSLC |
Those interested in these certifications should refer to the information below:
The International Information Systems Security Certification Consortium (ISC2) offers an entry-level credential called the Systems Security Certified Practitioner or SSCP. The SSCP leads directly to the most popular and most prevalent mid-tiered certification — the Certified Information Systems Security Practitioner (CISSP). ISC2 also offers the Information Systems Security Engineering (ISSEP), which was developed in conjunction with the National Security Agency (NSA) for engineers responsible for incorporating security into projects, applications, business processes, and information systems. And finally, the Certified Authorization Professional (CAP) certification is also issued by ISC2 and is for practitioners responsible for establishing processes to assess risk and establish security requirements and documentation. Visit www.isc2.org for more information on CISSP, SSCP and CAP.
The Global Information Assurance Certificate (GIAC) is offered by the Systems Administration and Network Security (SANS) Institute and is thought to be one of the more hands-on certifications. SANS also initiated and manages the GIAC Security Leadership Certification (GSLC) which accredits individuals who manage IT projects. Visit www.giac.org for more information on GIAC or GSLC.
The Information Systems Audit and Control Association (ISACA) offers a certification for information security managers known as the Certified Information Security Manager (CISM). Testing for this certification requires that a candidate have at least five years of experience in information security and another three years in information security management. For more information on the CISM, visit www.isaca.org.
Highlights: Education & Training
Education and Training Opportunities Available in Maryland
The resources for cyber security education and training in the Maryland area are vast and include universities, community colleges, research centers, learning centers and training institutes, as well as K-12 programs. In this section, we will highlight several of these opportunities.
The National Security Agency, located at Ft. Meade, MD, hosts a program called the National Center of Academic Excellence (CAE) in Information Assurance. This program is intended to be a deeply technical, inter-disciplinary, higher education program based on computer science, computer engineering, and electrical engineering, with extensive opportunities for hands-on applications via labs and exercises. This program’s certification requirements are intensive.
Maryland leads all states with 15 colleges fulfilling the criteria for Certification as an NSA CAE with Texas close behind with 12. For a comparison of the states with the greatest number of certified colleges, see Figure 7.
NSA CAE Universities in Maryland
• Bowie State University
• Capitol College
• Johns Hopkins University
• Towson University
• United States Naval Academy
• University of Maryland, Baltimore County
• University of Maryland, College Park
• University of Maryland University College
NSA CAE Community Colleges in Maryland
• Anne Arundel Community College
• College of Southern Maryland
• Hagerstown Community College
• Harford Community College
• Montgomery College
• Prince George’s Community College
• The Community College of Baltimore County
K-12 Programs
The NSA works closely with local elementary, middle, and high schools through several programs including the Math Education Partnership (MEPP), Partners in Education Program, High-School Work Study Program and STARTALK initiatives. For more information on these programs, visit www.nsa.gov/academia/early_opportunities.
Maryland Universities, Community Colleges, and Technical Institutes Offering Four-Year and Post-Graduate Degrees, Two-Year and Certificate Programs, and Professional Development Certificates
In an effort to provide some clarity and insight into what our local education and training resources offer in the way of cyber security, we have documented some highlights of the programs offered by each of the schools that have a designation of CAE from the NSA. Our hope is to provide a one-stop shop for interested parties to get a high-level summary of the unique and common offerings available in Maryland.
Bowie State University
Bachelor of Science
Computer Science
Computer Technology
Management Information Systems
Mathematics – Pure Math, Applied and Computational Mathematics, Mathematics Education, Dual Degree Mathematics/Engineering
Master of Science
Computer Science
Information Systems
Information Systems with a Concentration in Information Assurance
Doctorate Program
Computer Science
Post-Baccalaureate Certificate Program
Computer Science
Information Assurance
Areas of Study
Intelligent agent-based computing, semantic Web technologies, software engineering/software structures, healthcare informatics, information assurance, e-Commerce and e-business technologies, product integration and process improvement, database systems, data warehousing and mining, business intelligence and decision support systems, enterprise information systems, digital business systems and security, project management, and human-computer interaction and collaboration.
Capitol College
Associate of Science
Computer Engineering Technology
Electronics Engineering Technology
Telecommunications Engineering Technology
Bachelor of Science
Computer Engineering
Computer Engineering Technology
Computer Science
Electrical Engineering
Information Assurance
Electronics Engineering Technology
Management of Information Technology
Software Engineering
Telecommunications Engineering Technology
Web Development
Master of Science
Computer Science
Electrical Engineering
Internet Engineering
Information Assurance
Information and Telecommunications Systems Management
Doctorate Program
Information Assurance
Post-Baccalaureate Certificate Program
Client/Server and Wireless Devices
Component Technologies and Online Collaboration
Information Assurance Administration
Information Technology
Network Protection
Prep for CompTIA Security+, SSCP certifications
Undergraduate Certificate Programs
Computer and Network Security
Object-Oriented Programming
Programming and Data Management
Space Missions and Operations Specialist
Software Engineering
Website Development
Online programs (BS, MS, and Online Experience Classes)
Information Assurance
Management of Information Technology
Critical Infrastructure and Cyber Protection Center
Professional Development for Technical Managers
Certificate Program
Cyber intelligence
FISMA
Homeland Security
Identity, Credentials & Access Management
Industry Certification Preparation (CISSP)
National Information Assurance Training Standards
Resources
Johns Hopkins University
Bachelor of Science
Computer Science
Electrical and Computer Engineering
Concurrent Bachelor’s/Master’s Program
Master of Science
Computer Science
Computer Science with Telecommunications and Networking Option
Computer Science with a Concentration in Bioinformatics
Information Assurance
Information Systems Engineering
Opportunity to concentrate in information security, distributed systems, knowledge management, software systems, networking, information systems management
Dual Master’s Program
Post-Baccalaureate Certificate Program
Computer Science
Information Assurance
Post-Master’s Certificate
Computer Science and Information Systems Engineering
The program offers two areas of concentration, which can be combined to meet your individual interests. These include networks, which focuses on protecting information assets from network-based intrusion and from attacks that are primarily focused on remote exploitation of protected systems; and systems, in which attacks are explored from within the system boundary, with an emphasis on platform, operating systems, and secure software development. All students have access to our extensive computing facilities, which are supported by a variety of software systems, applications, development tools, and specialized labs.
Information Security Institute
A Master of Science in Security Informatics degree represents Johns Hopkins University’s core cybersecurity offering. Over thirty courses are available in support of this graduate program. Over 15 full-time, part-time, or adjunct faculty are available to deliver these courses at multiple sites spanning the Homewood campus in northern Baltimore, the medical and health facilities in eastern Baltimore, the part-time graduate program operations at APL and the Montgomery County campus, and the SAIS and KSAS facilities in Washington, D.C.
Towson University
Bachelor of Science
Computer Science
Computer Science and Mathematics
Computer Science and Mathematics with Security Track
Pure Mathematics
Applied Mathematics
Actuarial Science and Risk Management
Information Systems
Combined Major in Information Systems and Business Administration
Combined Major in Information Systems and E-Business
Information Technology
Master of Science
Computer Science
Computer Security
e-Commerce
Software Engineering
MS Information Technology
Doctorate Program
Information Technology
Graduate students in Towson’s IT doctoral program develop advanced research skills while learning supplementary practices of modern technology. Students are given a comprehensive knowledge of the fundamentals in four of the following five areas: computer science fundamentals (data structures, algorithms, and operating systems), database systems, computer networks, software engineering, and information technology. Students who complete the program will be prepared to conduct and present scholarly research.
Online Courses
Master of Science
Applied Information Technology
Integrated Homeland Security Management
• the research, development and analysis of security strategies;
• critical agency infrastructures and their interrelationships;
• team leadership and cooperative planning; and
• formulating and executing integrated, rapid responses to crisis situations.
Post-Baccalaureate Certificate
Security Assessment and Management
5-course interdisciplinary program to provide an applied graduate education for personnel working in various areas of homeland security, risk protection and management, emergency response, and crisis communications.
Areas of Study
• Database Management Systems - Design and develop database systems and learn to manage a large database system.
• Information Security and Assurance - Implement and support computer-based information systems with a focus on securing information.
• Information Systems Management - Learn information systems processes and understand the central function of technology in managing organizational processes and achieving objectives.
• Internet Application Development - Create and apply the latest information systems capabilities for the Internet.
• Networking Technologies - Develop and implement the design requirements of a successful networked environment.
• Software Engineering - Study, design, develop, implement and support computer-based
US Naval Academy
Bachelor of Science
Computer Engineering
Computer Science
Upper-class computer science majors may engage in independent study or participate in summer internships with the National Security Agency, the Defense Information Systems Agency, or the Naval Research Labs. Annually, a select group of computer science majors participates in the Service Academy Cyber Defense Exercise. Several midshipmen acquire majors in both computer science and information each year.
Computer science graduates can be selected into the highly competitive Information Professional (IP) or Information Warfare (IW) career field options. IP officers harness technology, information and knowledge to ensure battlespace dominance, and IW officers conduct offensive cyber warfare operations. Software engineering and other computer science-related fields are among the fastest-growing industries in the United States. A degree in computer science can lead to a highly successful career in the Navy and Marine Corps, or in the government and private sectors.
Information Systems
Mathematics
Electrical Engineering
A number of summer internships with organizations such as the National Security Agency and the Naval Research Laboratory provide the opportunity to work with scientists on improving the design,
University of Maryland, Baltimore County
Bachelor of Science
Computer Engineering, Electrical Engineering
Computer Science and Information Systems
Cybersecurity
Mathematics
Master of Science
Computer Engineering, Electrical Engineering
Computer Science and Information Systems
Cybersecurity
Mathematics
Doctorate Program
Computer Engineering, Electrical Engineering
Computer Science and Information Systems
Cybersecurity
Mathematics
Post-Baccalaureate Certificate
Cybersecurity Strategy and Policy
Undergraduate Certificate
Auditing for Information Systems
Network Administration
Project Management for Information Systems
Web Development
University of Maryland, College Park
Bachelor of Science
Computer Engineering
Computer Science
Electrical Engineering
Information Systems
Mathematics
Master of Science
Computer Engineering
Computer Science
Electrical Engineering
Information Systems
Mathematics
Doctorate Program
Computer Engineering
Computer Science
Electrical Engineering
Information Systems
Mathematics
University of Maryland University College
Bachelor of Science
Computer and Information Science
Computer Networks and Security
Computer Science
Cybersecurity
Homeland Security
Information Systems Management
Master of Science
Cybersecurity
Cybersecurity Policy
Digital Forensics and Cyber Investigations
Information Technology: E-Business
Technology Management: E-Business
Information Technology: Homeland Security Management
Information Technology: Information Assurance
Management: Homeland Security Management
Technology Management: Homeland Security Management
Information Technology
Management: Information Systems and Services
Technology Management: Information Systems and Services
Management: Intelligence Management
Information Technology: Software Engineering
Information Technology: Telecommunications Management
Online Programs
Cybersecurity
Information Assurance
UMUC offers a Bachelor of Science in Cybersecurity, Bachelor of Science in Computer Networks and Security; an undergraduate minor in cybersecurity; Master of Science programs in Cybersecurity, Cybersecurity Policy, and Digital Forensics and Cyber Investigations; and five graduate certificates. All programs are available entirely online.
Anne Arundel Community College
Associate of Science
Computer Science Transfer
Computer Information Systems
Management Information Systems
Game and Simulation Programming
Computer Engineering Transfer
Electronics Technology
Associate of Applied Science
Database Administration
Personal Computer Systems Technology
Programming/Analysis
Information Assurance and Cybersecurity Information Assurance and Cyber Security Information Assurance and Cyber Security Cyber Forensics Option
Computer Network Management
Computer Science: Internet and Mobile Device Software Development
Certificate Program
Network Security
CISCO Certified Network Associate
Cyber Forensics
Server Administration and Security Cyber Forensics
Database administration certificate
Personal Computer Specialist
• Electronic Office
• Microsoft Office Certification
• Help Desk Specialist
• Personal Computer Technician
Scientific Programming Options
Computer Network Management
Unix/Linux System Administrator
Internet and Mobile Device Software Development
Publication Design on the Internet
Letter of Recognition
Database Administration
Office Applications Specialist
Network Operating Systems
College of Southern Maryland
Associate of Science
Computer Science
Career opportunities
Software engineer, computer systems engineer, systems programmer, systems analyst, computer scientist
Associate of Applied Science
Computer Information Systems
Information Services Technology
Information Services Technology: Microsoft Certified Windows Network Administrator
Information Services Technology: Web Developer
Information Systems Security
Career opportunities
Information systems manager, systems analyst, business information systems designer, business information systems developer, business information systems project manager, information analyst, project analyst
Certificate Program
Electronics Technology
Electronics Technology: Communications
Electronics Technology: Microprocessor
Information Processing
Information Services Technology Web Developer
BootCamps
CISCO Certified Networking Associate
A+ Certification
Network+ Certification
Security+ Certification
CISSP
ITIL V3 Foundations
Seminars
Security Wireless Networks
Securing Mobile Technologies
Virtualization and Cloud Computing
Hagerstown Community College
Associate of Science
Cybersecurity
Computer Science
Associate of Applied Science
Cybersecurity
Computer Forensics Concentration, Information Systems Technology
Computer Support Specialist, Information Systems Technology
Network Administration, Information Systems Technology
Simulation and Digital Entertainment, Information Systems Technology
Web and Multimedia Technology
Certificate Program
Advanced Network Security, Cybersecurity
Cisco CCNA Prep, Cybersecurity
Network Security, Cybersecurity
Desktop User Specialist
Network Administration
Small Business Technology
Web/Multimedia Development
Areas of Study
Major areas of study include network fundamentals, ethics, penetration testing, computer forensics, and operating systems. Students who plan to transfer to a four-year program should identify an intended transfer institution as early as possible and complete appropriate courses. Students should always confer with advisors and transferring institutions for specific requirements as these are subject to change.
Harford Community College
Associate of Science
Computer Science
Information Systems Management
Associate of Applied Science
Computer Information Systems
Information Assurance and Cybersecurity
Certificate Program
Programming Software UNIX
Information Assurance and Cybersecurity
Areas of Study
Students will complete courses in Information Science, Introduction to Business, Information Systems Security, Network Security, Computer Operating Systems, Windows Server Operating System, Strategic Infrastructure Security, Network Defense and Countermeasures, and Project Management.
Montgomery College
Associate of Science
Information Systems
Computer Engineering
Electrical Engineering
Mathematics
Associate of Applied Science
Computer Applications
Cybersecurity
Network and Wireless Technologies
Certificate Program
Advanced Network Security
Computer Applications – Database Systems
Computer Applications – Information Technology
Computer Programming
Database Systems
Information Technology
IT Professional
Java Developer
Network Engineer
Prince George’s Community College
Associate of Science
Computer Science
Mathematics
Associate of Applied Science
Computer Engineering Technology
Information Security
Computer Information Systems
Information Technology
Certificate Program
A+ Preparation
Cisco CCNA Prep
Computer Service Technology
Information Security
Information Security Management
Computer Graphics
Computer Programming
Database Systems
Network Systems Administrator
Technical Support
Technical Core Concepts
Web Technology
The Community College of Baltimore County
Associate of Science
Computer Science
Information Systems Management
Associate of Applied Science
Network Technology
Information Systems Security
Information Technology – Programming
Information Technology – Database
Information Technology – Web Technology
Mathematics
Certificate Program
A+ Computer Basics Information Technology Technical Skills
CCBC emphasizes technical skills as well as skills to enable our students to articulate and implement thoughts and ideas. Our students can attain certificates in networking and computer-related technologies including Microsoft (MCSA, MCSE), Cisco (CCNA), CompTIA (A+, Network+, Security+), Linux (RHCT) and information technology support.
ITT Tech
School of Information Technology
Bachelor of Science
Information Systems and Cybersecurity
Information Systems Security
Data Communication Systems Technology
Software Engineering Technology
Project Management
Software Applications Development
Associate of Science
Network Systems Administration
Information Technology - Computer Network Systems
Information Technology - Software Applications and Programming
Information Technology - Web Development
Software Development Technology
Online Programs
Bachelor of Science
Information Systems and Cybersecurity
Information Systems Security
Project Management
Associate of Science
Network Systems Administration
Information Systems Administration
Computer Forensics
School of Electronics Technology
Bachelor of Science
Electrical Engineering Communications Technology
Industrial Automation Engineering Technology
Associate of Science
Electrical Engineering Technology
Computer and Electronics Technology
Computer and Electronics Engineering Technology
Summary
The results of this report demonstrate that the State of Maryland is a major player in the cyber security job market, with 19,413 cyber security job openings as of October 2012. Based on our analysis, Baltimore, with 13,393 job postings, ranks third behind Palo Alto and San Francisco, slightly edging out Boston. These numbers are exciting and offer hope in a time when many industries are experiencing contraction. The cyber security industry seems to be alive and well in Maryland.
Job opportunities for STEM-related prospects are prevalent at all levels of education and experience. To address these urgent needs, Maryland higher education institutions are well positioned and lead the nation in programs certified by the National Security Agency in Cyber Security. The programs with this unique distinction offer technical and professional certifications, undergraduate and advanced degrees, and cutting-edge research and training opportunities. Partnerships exist with government agencies to introduce cyber security education to K-12 students as well.
Our efforts to quantify these cyber security opportunities are just underway. We look forward to publishing future reports that will enable us to get better clarity around the opportunities, their rate of fulfillment, and any seasonal, event-driven, or time-based trends. We also look forward to providing more comprehensive material on educational programs that are evolving to meet these job requisitions.
Appendix A: Cyber Security Taxonomy
Critical Infrastructure
Protection Infrastructure
Control Systems Applications E-Commerce Cloud Computing Energy Database Management
Finance Facilities
ISP High-speed Computing
SCADA Virtualization
Telecom Investigative Analysis
Utility Attribution
Cyber Intelligence Cyber Terrorism
Global Threat Intelligence Fraud and Economic Crime Exploitation Techniques Forensics
Operations Service
Vulnerability Discovery Accounting Compliance Cyber Situational Awareness Analysis
Continuous Monitoring Contracting Cyber Threat Suppression Finance Data Fusion, Aggregation, Visualization Integration Distributed Security Solutions IP Protection Extended Enterprise Monitoring Legal Compliance Supply Chain Risk Management Liability Protection Data Protection M&A
Identity Management Operations Display Security Risk Management Enterprise Security Management
Software Assurance (Insurance) Deep Packet Analysis Venture
Forensics Unified Threat Intelligence
IPS / IDS DNS Monitoring Network Event Monitoring and Analysis – SEM BGP Monitoring Policy Phish Monitoring Privilege User Monitoring Malware Monitoring Third Party Oversight Wireless Security