“Go west, young man, and grow up with the country”. It was a common saying in the late 19th century, but does it apply in today’s cybersecurity industry? Danny Bradbury investigates…
East coast institutions like MIT, George Mason University and Carnegie Mellon are all grooming tomorrow’s cybersecurity professionals. But do graduates of these programs stay in Arlington, Boston, and Pittsburgh, or do they seek their fortunes in Silicon Valley? And if there is a regional brain drain, what does it mean for cybersecurity back east?
Ask around enough and you’ll find plenty of stories about east coast students learning their cybersecurity chops and then heading west.
“Anecdotally at any rate, yes, there’s this sense of inferiority in the New England area when it comes to retaining talent in-region”, says Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC). One professor he knew said that one of his students kept getting internship offers from the valley.
The west coast has more notable cybersecurity companies than other regions. Analyst firm Cybersecurity Ventures publishes a list of the most innovative, promising 500 cybersecurity companies around the world. Its most recent report sees 120 of those companies in Silicon Valley. DC has 53, while the northeastern US (which covers both New York and Boston) houses 77.
Dissenting Views
Despite those numbers, the person who produced them, Cybersecurity Ventures’ founder and editor-in-chief Steve Morgan, doesn’t support the east-west brain drain hypothesis.
Cybersecurity firms cluster around the Valley’s venture capital, points out Morgan. “You have a situation where not only are there a lot of start-ups there, but also transplanted HQs to be near the money,” he says, adding that it creates a false picture of cybersecurity talent gravitating to the west.
“The perception is that the best talent heads west because you read about so many start-ups out there - often by people who were previously from the east coast or elsewhere,” he says. “But that is not the reality. Cybersecurity people are not heading out to the west coast in droves.”
Michael Coden, head of cybersecurity consulting practice at BCG Platinion in New York, also waves away the east-west brain drain theory. “In terms of services, at BCG our cybersecurity team is very much east coast-based, coming out of DC, NYC, Boston, and Chicago. We find a lot of good cybersecurity professionals”, he says.
Might the promise of more lucrative jobs draw cybersecurity graduates out west? “Certainly, starting pay is higher,” says Figueroa. “I heard one security executive here in Boston say that the reason he sources security staff here in the Boston area is because they’re cheaper.”
Morgan dismisses that idea, arguing that pay is equal between the two regions. Will Markow sits somewhere in the middle. He is manager of client strategy and analytics at Burning Glass, an analytics company that collects job data from 40,000 sources in the US. “There are some factors about jobs on west coast that some workers might find more favourable. The first is higher pay”, he says.
He puts the average cybersecurity salary at $106,000 in Boston compared to $114,000 in San Francisco. That’s a modest difference, though, considering living costs, which are traditionally higher in San Francisco.
A Strong East Coast Industry
Other numbers suggest a strong and healthy cybersecurity landscape along the east coast, especially in the DC area. According to CyberSeek, a US cybersecurity jobs ‘heatmap’ fueled by Burning Glass data, there are 77,000 cybersecurity workers employed in the DC-VA-MD-WV metropolitan area around the nation’s capital. That compares to around 30,000 in the area from Oakland-Hayward down to Santa Clara, taking in San Francisco and the Valley.
A research note from west coast-based VC firm Allegis Capital goes further, alleging three and a half times more cybersecurity experts inside Washington DC’s Beltway than there are throughout the rest of the US combined. Whichever figure you believe, everything points to the government ecosystem around DC having a strong, cohesive base of cybersecurity professionals.
Any discussion of east coast cybersecurity must take this into account. Think about the public and private sectors when considering the movement of cybersecurity talent, suggests Diana Burley. She is executive director and chair of the Institute for Information Infrastructure Protection (I3P) at Carnegie Mellon, and full professor of human & organizational learning at George Washington University.
“There are people moving out of the federal government and into the private sector, and moving away from DC and into regions of the country that perhaps have an easier lifestyle”, she says.
The cybersecurity community serving DC’s federal government may be sizeable but it has a limitation, points out Ackerman’s note. It cites a 2017 report from American University’s Kogod School of Business and Amplifier Advisors on the DC cybersecurity industry, with one surprising figure: Only 5% of the region’s businesses produce a product. The rest are involved in cybersecurity services businesses.
So where are the cybersecurity product companies? Think of Palo Alto, Cisco and most other companies that spring to mind: they’re headquartered in the Golden State. Their ethos relies on heavily marketing their products.
VCs aren’t going to fund many service-based companies because of their relatively slow growth potential. The money follows products. So those cybersecurity pros heading west may well be pursuing a start-up career. They’re rare though, says Morgan.
“There is of course a sliver of the entrepreneurial types who head west for an HQ to raise capital. But that's a very small percentage of east coast cyber talent”, he says.
The Strong and Silent Type
The east coast public sector cybersecurity crowd also makes far less noise, says Figueroa. Whereas the Valley is showy and transparent in how it works, the cybersecurity community in the federal government won’t – and often can’t – talk about what it does.
These character traits stifle the growth of community. “It makes it very difficult to build a supportive community when you’re not allowed to talk about the work that you’re doing”, he says.
So the real issue may not be a difference in employment opportunity, so much as a difference in personality. The characteristics and motivations of cybersecurity pros in the beltway and in some other spots along the east coast may just be at odds with those out west.
“I think the personality of the cyber professional in New England tends to be more experienced”, says Figueroa. He distinguishes between an older workforce dedicated to cyber-defense versus a younger worker with a hacker mentality, in it for the dollars and the glory of breaking things.
“Pay becomes less of a metric vs other less tangible benefits”, he says of east coast workers.
That attitude crystallizes in the Beltway, says Fritz Finley, technology partner at DC-based early stage cybersecurity funding firm Cyber Capital Partners.
“Besides the politicians that get all the spotlight, there is a workforce that is dedicated to helping the country,” he argues. “They could get more money elsewhere but they want to protect our borders.”
Conversely, Burning Glass’s Markow says that the west coast is where the business-to-consumer jobs are, which recent graduates may see as sexier.
“You have young graduates who may have finished studies on the east coast and they want to go and make an impact in the world,” he says. “It's an easier sell to recruit them for a company as visible as Facebook or Google than a company that has the same cybersecurity needs as those firms but maybe supports a specialised industry, that you might not have heard of.”
The cultures may be different, but there’s an osmosis happening. Hip west-coast companies are coming to the east coast, chasing technology talent that prefers to stay there. Microsoft, Google and Facebook are some of the many companies that started out west but have offices around the country, including in New York and Boston, points out Stuart Madnik, professor of information technology at MIT’s Sloan School of Management. “There’s more than one centre of gravity.”
Many Regions, All Fighting For the Same Thing
The battle for cybersecurity talent isn’t so much a battle between east and west, as a struggle between many communities around the country that want to become cybersecurity centres of excellence. The fuel for that battle is talent, which Burley says is in short supply.
“There’s a shortage of professionals in the field,” she says. “Any time there’s a shortage you’re going to see movement.”
Whether or not the draw is to the west coast or to elsewhere, the fight is on for regions to retain that new cybersecurity talent. “How do we get them to decide that this is the place where they want to be?” muses Figueroa.
There are various regional initiatives, such as Maryland Cyber and Figueroa’s own ACSC. Beyond that, the private sector is moving in to try and change the culture.
Ackerman obviously sees potential in that community. He teamed with cybersecurity guru Mike Janke to create a cybersecurity incubator called DataTribe. It focuses on those DC security pros with a product idea that need help to get started in a service-focused community.
Finley also suggests another option: a government-style VC firm. He envisages a shared fund that could support innovation on the east coast to directly benefit government across multiple departments.
“Establish a cross-agency fund to ensure that the tech that comes out of the government VC model is available to everyone who participates,” he suggests. He admits, though, that this kind of venture is outside the federal government’s comfort zone.
Who will win out in the battle for cybersecurity skills? Each of the many competing regions has its own personality, and jobs that will appeal to different kinds of workers. DC has its defence and intelligence ecosystem. New York has its financial centre, while Boston is an academic hub with a vibrant research community. So is Silicon Valley, but it also has a product focus with vendor-based cybersecurity jobs that few can match.
The real problem facing all these places – and the pockets of cybersecurity activity across many cities in between – will be producing enough talent to go around. That can only be good news for the next wave of cybersecurity graduates.