Cyber Security Industry Location Trends 

By Dennis J. Donovan, Principal, Wadley Donovan Gutshaw Consulting

Introduction

This article addresses location dynamics pertaining to the cybersecurity industry. We will touch upon the following:

1. Definition
2. Industry Trends
3. Talent
4. Leading states/universities
5. High risk industries
6. Finding the best location

Definition 

Cybersecurity involves the protection of networks, deliveries, and data from unauthorized access or criminal use. The fundamental tenet of cybersecurity is to ensure confidentiality, integrity, and availability of information. 

Since the start of the pandemic, cybercrime has jumped 600%. Typical cyberthreats include:

1. Malware
2. Ransomware
3. Social Engineering
4. Phishing/Spear Phishing
5. Insider Threats
6. Distribute Denial of Service (DDoS)
7. Advanced Persistent Threats (APT)
8. Man-in-the-Middle Attacks (MitM)
9. Botnets
10. Malvertising
11. Vishing
12. SQL Injection Attacks
13. Business Email Compromise (BEC)

With an increasing number of users, devices, and programs across all enterprises, combined with a torrent of data, much of which is sensitive/confidential, cybersecurity has become intermingled with daily life for organizations and individuals.

There are several dimensions to cybersecurity. Each needs to be coordinated to enhance success of a cybersecurity program. Key elements include:

1. Application security
2. Data security
3. Network security
4. Operational security
5. Cloud security
6. Critical infrastructure security
7. Physical security
8. End-user education

The terms Information Technology (IT) security and cybersecurity are often used interchangeably. However, there is a difference. IT security embraces the protection of data and information systems from unauthorized use. Cybersecurity embodies the protection of data on the internet, primarily from hackers and other cybercriminals. In effect, cybersecurity comprises a subset of IT security.

Trends

As of 2020, the global cybersecurity market was valued at $156 billion. By 2026, volume is projected to reach $352 billion. This expansion represents a supercharged annual compounded growth rate of 14.5%.

Growth is being spurred by economic subsets facing the greatest cybersecurity threats. These sectors include:

1. Small business
2. Healthcare
3. Retail
4. Government
5. Financial/Insurance
6. Aerospace/Defense
7. Energy/Utilities
8. IT/Telecommunications
9. Manufacturing

North America is by far the largest cybersecurity market. Most rapidly growing is Asia/Pacific.

According to Kaspersky Total Security, among near-term trends that are fueling the creation/implementation of cybersecurity strategies/programs/policies are:

1. Remote Working: 

•  Home offices are less protected than central offices
•  Hence, an urgent focus for organizations is managing security challenges of a distributed workforce

2. Increased reliance on the Internet of  Things (IOT):

• By 2026 there will be an estimated 64 billion IOT devices around the world
• This will greatly increase the number of entry points for cyber criminals

3. Ransomware:

• Attacks involving criminals stealing data, encrypting it, and demanding ransom is escalating
• Preventing these attacks has become a top priority

4. Cloud Security Threats:

• Cloud services feature many benefits
• But they are also a prime target for hackers
• Misconfigured cloud settings constitute a significant risk for data breaches and account hijacking

5. Social Engineering Attacks:

• Phishing has become more widespread
• Whaling, or targeting executive leadership, is on the rise
• And smishing, where attackers focus on messaging apps, has become more prominent

6. Mobile Security:

• Public Wi-Fi, remote collaboration tools, and the introduction of 5G technology are increasing security vulnerability from the use of mobile devices
• Additional layers of security will be necessary to minimize this growing threat

7. To counteract cyber threats, we have seen major emphasis on initiatives such as:

• Data privacy as a discipline
• Upgrading multi-factor authentication
• Greater reliance on artificial intelligence
• Combining mobile security software with hardware-based security solutions to reinforce sensitive data storage

Nearly all government, nonprofit, and corporate entities have devoted considerable resources to cybersecurity. Many companies have also outsourced either design and or implementation of cybersecurity efforts. Among the major players in cybersecurity are:

1. IBM
2. Cisco
3. AVG Technologies
4. Dell Technologies
5. Check Point Software
6. Palo Alto Networks
7. Symantec
8. Carbon Black
9. Splunk
10. Varonis
11. CyberArk
12. Fortinet
13. F5 Networks
14. Oracle
15. McAfee
16. Synopsys
17. Juniper Networks

Talent

Reflective of the trends creating a ubiquitous need for cybersecurity, it is not surprising that an insatiable demand for specialized talent has emerged. Unfortunately, demand exceeds supply. 

Cyberseek estimates that the industry currently employs some 956,000 people in the US. Remarkably, demand for cybersecurity talent constitutes almost half of the existing workforce size. As of this writing there are over 464,000 cybersecurity job openings.

In determining where to either expand or site a new cybersecurity function, talent availability is the overarching locational determinant. Among the skillsets that should be present in a labor market are:

1. Blockchain Developer
2. Cyber Security Analyst
3. Cyber Security Project Manager
4. Cloud Engineer
5. Network Engineer
6. Information Security Analyst
7. Ethical Hacker
8. Cyber Security Consultant
9. Digital Forensic Analyst
10. Security Architect
11. Security Software Developer
12. Systems Engineer
13. Vulnerability Analyst/Penetration Tester
14. Incident Analyst/Responder
15. Cyber Security Specialist/Technician
16. Cloud Security Architect
17. Threat Intelligence Analyst
18. Application Security Analyst
19. Data Governance Manager
20. Security Analyst

In addition, employers seek to hire professionals with certifications. Among the more prevalent certifications are:

1. Certified Information Security Professional (CISSP)
2. Certified Information Systems Auditor (CISA)
3. Certified Information Security Manager
4. Security +
5. Certified Ethical Hacker (CEH)
6. Global Information Assurance Certification (GIAC)
7. Systems Security Certified Practitioner
8. CompTia Advanced Security Practitioner (CASPt)
9. GIAC Certified Incident Handler (GCIH)
10. Offensive Security Certified Professional

In 2021 the majority of cybersecurity industry employment was in twelve states. See map, they are:

1. Virginia
2. California
3. Texas
4. New York
5. Florida
6. North Carolina
7. Maryland
8. Massachusetts
9. New Jersey
10. Illinois
11. Georgia
12. Colorado

Depending on the scale and mix of cybersecurity activities, locating a new operation in any of these twelve states could be prudent. But competitive demand must also be taken into account. Furthermore, many states with a smaller employment base are witnessing strong industry growth. Consequently, such states could be legitimate alternatives for more modest size cybersecurity operations.

Colleges/Universities have also created cybersecurity curricula, typically within their computer science departments. Locating in an area with a strong talent pipeline from higher education institutions is important.

Also, as demand is outstripping supply, do not overlook Community Colleges. More and more of these institutions are offering Associate Degrees in cybersecurity-related fields. Certifications are also being offered. These graduates can be recruited, trained, and if warranted, encouraged to earn four-year degrees.

Siting Cybersecurity Operations    

Synopsis

A structured multi-phase process should be followed in siting new cybersecurity entities. These interrelated phases are: (a) Discovery, (b) Screening, and (c) Selection. Highlights of each phase follow.

Discovery

This phase calls for executive leadership to identify the need, set the overall strategy, and select a leader for the location selection project. The leader will then populate the team with both internal stakeholders and possibly outside experts.

At the outset, the following must be determined (executive management director):

1. What are the overriding needs?
2. To what extent can these needs be satisfied within the existing IT support system?
3. Will cybersecurity functions be housed in a separate facility (e.g., security operations center) or co-located with other IT functions?
4. Are there other technology activities that will be part of cybersecurity for the new operation?
5. Should any of the functions be outsourced?
6. Should any existing facilities be considered for this expansion?

Once these more strategic considerations are defined then tactical elements of the project must be delineated. Among these are:

  1. Targeted date for launching the new operation

  2. Headcount (ascertaining proportion requiring experience vs. recent college grads/entry level). This factor is very important as it will influence viability of any labor market:

  3. Facility

•  Size
•  Characteristics

  4. Utility infrastructure (especially electric power and telecom)

  5. Capital investment

  6. Air Service

  7.  Natural Disaster Risk

  8. Number of Transferees

  9. Time Zone preference, if any

10. Confidentiality protocols (project code name)

11. Workplace Staffing Model, e.g., 

      • All in office

      • All work-at-home (in the local market)

      • Hybrid

         + 3-4 days per week in office

         + 1-2 days per week at home

      • Extent of remote work (beyond the local market)

12. Any locations that should be benchmarked

In addition to requirements/assumptions, agreement needs to be reached on the relative weight of various location criteria. These criteria would be aggregated into broad factor categories (e.g., labor market) and specific factors (e.g., supply of analysts) within each category. The geographic search region also needs to be finalized.

Location Screening

The objective in this stage is to narrow the field of locational candidates to a shortlist of the most promising alternatives. Typically, the shortlist comprises 2-4 locations that would be subjected to field-based evaluation in the next phase.

Relying mostly on desktop research, initial screening stages will comprise an elimination process. Establish a series of metrics. Areas failing to meet each metric are eliminated.

Examples of metrics for a cybersecurity project include:

  1. Minimum population size

  2. Population age/growth (including net migration)

  3. Size of the Information Technology workforce (e.g., if the new center needs 100 employees, the metro should have at least 10,000 employed in the IT sector)

  4. Workforce educational attainment (prefer above average college educated)

  5. Annual number of computer science graduates per annum:

• Four-Year
• Two-Year

 6. Proportion of the workforce employed in the above noted high-risk industries (a macro indicator of a cybersecurity employment base)

  7. Presence of Fortune 1000 HQ (another macro measure)

  8. Average IT salaries

  9. Air Service

10. Natural disaster risk

Desktop research should produce a longlist of perhaps 7-10 potentially suitable locations. At this stage it will be necessary to gather intel/insights on each area. This review can be accomplished by issuing a confidential Request for Information (RFI) to the lead economic development agency in each area. For a cybersecurity site search the RFI might encompass the following:

  1. Roster of major employers (100+ employees):

• All
• By sector

  2. Companies with a sizable IT headcount

  3. Cybersecurity employers:

• Private sector
• Government
• Non-profit

  4. Companies that have sited new IT operations in the area during the last three years

  5. Local colleges/universities offering cybersecurity curricula

  6. Examples of secure office space for the project in question

  7. Summary of electric power and telecom infrastructure

  8. Any relevant local wage surveys

  9. Potential incentives

10. In fifty words or less, why is the area a superior fit for this project?

In addition to the above research, it will be necessary to data mine job posting sites to gauge the depth and demand for specific skillsets. Such sites could include Dice, LinkedIn, and Indeed.

Varied research inputs need to be analyzed.  Subsequently, rank/score each area on key factors. Those areas scoring the highest, especially on HR considerations, would comprise the shortlist.

Location Assessment

This phase of a site search encompasses field-based evaluation of each shortlisted location. The project team asks the lead economic development organization to arrange each visit. Typically, 1-2 days are spent in each location. The main objective is to ascertain which location can best support day-to-day operational requirements, especially HR, over the long haul.

Perhaps the most instrumental component of field assessment is interviewing several enterprises that have sizeable IT contingents, including cybersecurity. Among the interview discussion points are:

  1. Profile of the IT/cybersecurity unit

  2. Percent/projected hiring activity:

• New
• Replacement
• Types of positions

  3. Degree of difficulty staffing for positions that are needed for the project in question:

  4. Time to fill open positions

  5. Market level salary by position (recent college graduate and experienced)

  6. Incentive compensation

  7. Annual turnover

  8. Workplace model (e.g., hybrid)

  9. HR success keys for staffing IT/Cybersecurity Operations

10. Best submarket from a labor draw standpoint

11. Local companies comprising the most competition for labor

12. Best schools for recruiting new hires:

• Four-Year
• Two-Year

13. Future outlook (competitive demand/supply) for IT/Cybersecurity talent

14. Opinion on other operating considerations such as:

• Electric Power
• Telecommunications
• Disaster risk
• Taxation
• Quality-of-life/transferee appeal
• Air Service

Interviews should also be held with other entities. These include:

1. Staffing Agency
2. Workforce Board
3. Higher Education
4. Local Government
5. Utilities (Electric Power and Telecom)

Additionally, conduct tours of potentially acceptable office buildings and hold initial discussions with landlords/building owners.

Post fieldwork, develop a template for recording findings/conclusions and repopulate scorecards. Then a recommendation on the preferred location can be developed:

1.   Metro
2.   Sub labor market
3.   Community(s)
4.   Building shortlist

Final Commitments

Essentially this phase constitutes last mile negotiations for office space and incentives. While securing a favorable lease or sale agreement it is important not to overlook the fact that real estate should enhance the ability to recruit/retain topflight talent. This enhancement involves issues such as sub-labor market, distance to where the bulk of talent resides, location of competing employers, ease of commuting within a 30-minute zone from a site, building appearance, sufficient parking, amenities, and green/sustainability. Also, we are seeing an increase in space standards due to the effects of COVID.

Relative to incentives, these should be treated as “icing on the cake.” It is difficult to find suitable labor markets for cybersecurity and nearly as difficult to find available buildings in the optimal sub-labor market. Once these requirements are met then incentives can enhance a prudent business decision. Among incentives that would be of greatest interest to cybersecurity are refundable job creation tax credits, refundable cap ex tax credits, discretionary grants, and customized training.

Conclusion

Cybersecurity is one of the fastest growing industries both in the U.S. and globally. In siting new cybersecurity operations, the most critical determinant boils down to talent.

Locations should display an extensive industry ecosystem, sufficient breadth/depth of IT overall and specific skillsets needed by the new entity, favorable demographic trends, appeal for regional/national recruiting, office space with robust infrastructure, and office space situated in the right sub-labor market.

Following these guidelines should lead to a location decision that will support the new IT/cybersecurity center over the long-haul. When all is said and done, the final choice becomes an “HR Deal.”

---

About the Author

Dennis J. Donovan is a founder and Principal of Wadley Donovan Gutshaw Consulting, LLC based in Bridgewater, NJ. WDGC has been advising companies on location strategy and business site selection for four decades. Many recent projects have involved information technology with a sizable cybersecurity subset.