Job security and a big paycheck? Get security experience

Developers are in short supply all around, but those with security experience are particularly in demand. Here's how you can move your career in a new direction.

If you want to make more money than the average software developer, have your pick of jobs and work in nearly any area of the country, choose to specialize in security.

There's job security in security -- and huge demand. A January 2016 Dice hiring survey showed developers with security experience are in the top three of most-wanted, hardest-to-hire roles in the U.S. today. This is hardly surprising. Not only is nearly every company in the software business, but a string of high-profile security breaches has made companies realize they cannot release software without paying more attention to security.

Demand has driven salaries up, said Matt Sigelman, CEO at Boston-based research firm Burning Glass, which tracks job postings across the nation. In 2015, the average advertised software developer salary was $91,600, while the average salary for a software developer with security experience was $98,600. In the past, security jobs tended to be clustered in the Virginia and San Francisco areas, Sigelman said. "Now security has come to Main Street." This means if you want a security job in Anchorage, you'll find one (though for substantially less than the going rate of $83,000). Or you could move to Silicon Valley and earn $130,000.

There's a catch though. In most cases companies want you to have security experience, and probably a bachelor's degree. "Security is one of those jobs we're seeing more and more of where there's an intersection of a bunch of different domains," Sigelman said. Ideally, he noted, security professionals need a view of the entire software development process and the broader, 30,000-foot view.

But it's nearly impossible to find people like that today. "There just aren't a lot of experienced people out there," said Kurt Bittner, principal analyst for application development and delivery professionals at Forrester Research. "Most developers who get into security do so by accident because a product that they're working on has a breach. This is really something you have to learn on the job."

And that's not the only problem. Many, if not most, companies looking to hire a security specialist want the Certified Information Systems Security Professional (CISSP) certification. Not only do you need to have five years of security experience to earn the certification, there simply aren't many people with it, Sigelman said. "Last year 49,000 job postings were asking for CISSP certifications, but the total number of certified people in the United States is only around 65,000," he explained. "Literally everyone could change jobs and that still wouldn't change the equation. What's going on? We have an enormous skill gap in this area."

Although it's not the only developer area with a severe shortage (mobile, UX and DevOps developers are just a few of the skills in short supply), the security area is unique due to the level of cutting-edge expertise needed and the risks involved in not paying attention to security, experts said. And the fact that it's a bit of a legacy skillset isn't helping either, Bittner said. "In the old way of doing security you had a security team go through a security review or a security team would publish policies of things you have to do or avoid. That just doesn't scale very well." Instead, companies have to figure out how to build security into every level of the development process and, at the same time, have people paying attention to the ever-changing landscape of threats. His suggestion: Do a better job of integrating security into a DevOps system and make everyone responsible for security while freeing actual security people to do the high-level stuff.

That all sounds good, in theory, but it doesn't solve the shortage in the near or even the medium term. Bittner's suggestion, one that is echoed by Sigelman and other experts, is that companies have to start growing their own developers with security experience. "People coming out of the universities are lagging the skills targets pretty significantly," he said. "Companies really need to focus on training their own employees and working on mentoring and developing. That's what's really going to help."
