Understanding Employer Demand for Cybersecurity and Software Development Skills in the Greater Washington Region

Transcription

1 Understanding Employer Demand for Cybersecurity and Software Development Skills in the Greater Washington Region 2018

2 Acknowledgements The Northern Virginia Technology Council recognizes the members of the NVTC Tech Talent Employer Collaborative (TTEC) for their contributions, support and advice on this report. In addition, NVTC thanks the subject matter experts and practitioners who reviewed the skills, competencies and industry credentials. Finally, NVTC expresses its gratitude to Tonia Patt of My Talent Consultant for her guidance and leadership of the TTEC. The year-round work of the Tech Talent Employer Collaborative (TTEC), as well as this report, would not be possible without the support of the Growth and Opportunity for Virginia (GO Virginia) economic development program, which offers state-incentives for local and regional collaboration to address region-specific economic challenges and create higher wage jobs. The GO Virginia-funded Region 7 Northern Virginia Tech Talent Pipeline project directly supports the ongoing operations of the TTEC, including the model employee competency and credential résumé research, employer feedback surveys and interviews, and skills gap data analysis presented in this report. Visit GO Virginia Region 7 at About NVTC The Northern Virginia Technology Council (NVTC) is the membership and trade association for the technology community in Northern Virginia. As the largest technology council in the nation, NVTC serves about 1,000 companies and organizations, including businesses from all sectors of the technology industry, service providers, universities, foreign embassies, nonprofit organizations and government agencies. Through its member companies, NVTC represents about 300,000 employees in the region. NVTC is recognized as the nation s leader in providing its technology community with networking and educational events; specialized services and benefits; public policy advocacy; branding of its region as a major global technology center; initiatives in targeted business sectors and in the international, entrepreneurship, workforce and education arenas; and the NVTC Foundation, a 501(c)(3) nonprofit charity that supports the NVTC Veterans Employment Initiative and other priorities within Virginia s technology community. Visit NVTC at About NOVA Workforce 2 Understanding Employer Demand for Cybersecurity and Software Development Skills in the Greater Washington Region

3 Introduction Employers nationwide are facing one of the tightest labor markets in recent history. Now, when seeking increasingly scarce talent, some employers are looking to certifications and skills in addition to formal education when hiring, 1 a trend that the Northern Virginia Technology Council (NVTC) has found reflected in interviews with local IT employers. In order to develop a technology workforce pipeline with the skills employers need, NVTC created the Tech Talent Employer Collaborative (TTEC) in The TTEC is a business-led initiative of over 20 diverse IT employers using a demand-driven approach to close skill and capacity gaps in the Greater Washington 2 region s IT workforce. NVTC drew on the knowledge and expertise of these employers to better understand the specific credential and competency expectations for two IT occupations with high regional demand: cybersecurity engineers and software developers. In particular, what are the certifications, skills and competencies necessary for each of these occupations and at what point are these typically necessary across an employee s career? Employee Type Building on the findings of the December 2016 NVTC Greater Washington Technology Workforce Needs Assessment ( NeedsAssessment.pdf) report, this research included a review of employer-submitted résumés of ideal workers from their existing staff to identify which credentials and competencies were cited most often for each role, an analysis of job postings data and interviews and surveys with employers to identify which skills and credentials they considered high demand and their difficulty finding candidates with the skill or credential. Based on this analysis we found that résumés for each role differ meaningfully in the types of competencies they highlight, although these may not always be aligned with employer demand. In addition, many common foundational IT skills are prominent regardless of role. Competency Category Definitions Coding languages: Java, Python, C++, PHP, SQL, etc. Applications and toolkits: pre-built tools and resources like GitHub, Microsoft Office, Jira, etc. Frameworks: operating systems, code libraries and other non-application tools (Linux, AWS, jquery, etc.) Methodology Five TTEC employers representing a range of business models and sizes submitted 58 model worker résumés: 41 for software developers and 17 for cybersecurity engineers. These résumés were grouped by the candidates level of direct work experience (see Table 1) and a review Table 1: Employer-Submitted Résumés by Level of Prior Work Experience Entry Level (0-2 years) Mid-Level (3-5 years) Senior Level (6+ years) Cybersecurity Engineer Software Developer of each résumé then identified which individual certifications and competencies it cited, grouping these into three sub-categories: coding languages, applications and toolkits, and frameworks. With the help of industry subject matter experts, this analysis identified 53 unique industry certifications, 36 coding languages, 78 applications and toolkits and 41 frameworks across all résumés. Six additional TTEC employers then reviewed this list and provided feedback regarding their degree of demand for a given skill or attribute, how easy it is to find candidates possessing that skill or attribute and the career stage they consider the skill or attribute to be a precondition of 1 Lohr, Steve, A New Kind of Tech Job Emphasizes Skills, Not a College Degree, The New York Times, June 28, 2017, 2 Includes the Virginia localities of Arlington County, Fairfax County, Loudoun County, Prince William County, Alexandria City, Fairfax City, Falls Church City, Manassas City and Manassas Park City; the District of Columbia; and the Maryland localities of Montgomery County and Prince George s County. Northern Virginia Technology Council 3

4 employment at their company. Finally, NOVA Workforce provided real-time job postings data for each skill and ability using Burning Glass Technology s Labor Insight tool, which aggregates job postings data from thousands of online public and internal job boards, for all matching job postings in the region between August 1, 2017 and July 31, The full data set of competencies and certifications, number of résumé citations and total job postings is available in NVTC s report Greater Washington Technology Workforce Needs Assessment December 2018 here: Findings Software Developers Six of the top ten most-cited competencies on software developer résumés were for coding languages. Four of these languages were cited most frequently: Java (90% of software development résumés), JavaScript (78%), CSS (73%) and HTML (71%). Demand for Java and JavaScript was reflected in a similarly high number of job postings asking for each. Additionally, jquery a JavaScript library was also highly cited (18 citations, 44% of software development résumés). However, a high number of job postings also requested less-cited languages like SQL (22,500 postings, 18 citations) and Python (15,000 postings, 14 citations). This may be because both are often used in other fields, such as data science, or because employees who know the language simply failed to cite it on their résumés. Frameworks and applications that provide the foundational environment for software development are also common. Strong knowledge of Linux/Unix and Windows operating systems were cited heavily (on 68% and 56% of all software development résumés, respectively), as was Git (46%), which is used for version control in sharing and collaborating on code and other files. However, only Linux/Unix was indicated in job postings at a frequency similar to the most in-demand coding languages mentioned above (i.e., 10,000+). While employer feedback suggested that demand for Linux/Unix is indeed slightly higher than for the other two, local employers also indicated that they do not explicitly request or evaluate candidates for skill in Windows (or, relatedly, MS Office) because it is considered to be a ubiquitous core competency. Although it appeared on only 20% of software developer résumés, CompTIA Security+ was the most common certification cited, and one of the few that occurred more than once. This would seem to indicate that cybersecurity-related qualifications are valuable regardless of job title, particularly given the importance of cybersecurity to all IT fields. Network+ is also cited on multiple software developer résumés and is mentioned in a relatively high number of job postings compared with other certifications. The prevalence of these two CompTIA credentials may also be a result of the employees past experience in other entry-level IT disciplines; one employer in particular shared that their organization has had success cultivating software developers from their network operations staff. In fact, most software developer résumés showed prior IT experience of some kind (three years on average). Still, all of the top 10 competencies were cited on résumés at all levels of experience, indicating that many of the core, in-demand competencies for these jobs are largely developed early in an employee s career. 4 Understanding Employer Demand for Cybersecurity and Software Development Skills in the Greater Washington Region

5 Cybersecurity Engineers Coding languages were much less commonly cited on résumés for cybersecurity engineers. Only one language, Python, featured in the top 10 most common cybersecurity citations and, even then, it was only mentioned on three résumés. In fact, only four cybersecurity résumés referenced any coding language competency at all. Of these, three were for senior level workers with past professional experience in software development. This could be because employers hiring for these positions are more likely to look at other factors first, reducing the incentive for candidates to include coding skills on their résumés, despite having these skills and needing to use them on the job. For example, at least one employer commented that knowledge of coding languages does not factor as heavily into their candidate evaluation process when filling open cybersecurity positions. Security-related frameworks and applications were cited much more frequently on cybersecurity engineer résumés. As with software developers, experience with foundational operating environments such as Windows and Linux/Unix were among the top competencies. Otherwise, three of the frameworks among the most-cited cybersecurity competencies are government-created security frameworks: Director of Central Intelligence Directive (DCID) 6/3 and NIST s Cybersecurity and Risk Management Frameworks. Other frequently-cited competencies on cybersecurity résumés include applications dealing with either security and information management (ArcSight and Xacta) or networking and cloud systems (ActiveDirectory and VMWare). CompTIA Security+ was the most common industry credential, though it was cited on a greater proportion of cybersecurity engineer résumés than in software development. Other security-related certifications, such as Certified Ethical Hacker (CEH) and Certified Information Systems Security Professional (CISSP), only appeared on cybersecurity résumés; in particular, employers re-affirmed that there is a high degree of demand for candidates with a CISSP credential. The predominance of cybersecurity credentials overall, as well as the fact that Security+ and CISSP were both present on entry-level résumés, suggests that regional employers look for these certifications as a foundation when hiring for cybersecurity positions. Northern Virginia Technology Council 5

6 Takeaways As the IT industry continues to experience transformational growth in the Greater Washington region, it is critical that education and training partners continue to align their programs and training to meet specific employer skill and competency needs. Based on the findings of this report, we can begin to suggest a few actions (indicated in bold) for doing so, particularly around in-demand occupations like software developers and cybersecurity engineers: Proving skill in specific coding languages is critical for software developers, while specific certifications and frameworks are more important for cybersecurity engineers. This does not suggest that proficiency in coding is not required for cybersecurity or that certain certifications are not necessary for software developers. Instead, it may be that the signals of competency for each role are slightly different. Workforce development stakeholders should work with job candidates to effectively tailor their résumé to highlight those competencies and credentials that employers are most interested in for a particular role, which may be narrower than both what may be desired for a role and what a candidate may be proficient in. Highlighting the foundational skills and non-degree credentials that can be developed through other entry-level IT roles (such as user and network support), as well as parallel training/education will be useful as the industry continues to explore more skillsbased, non-traditional talent development pipelines. Identifying and understanding mismatches between the demand and supply of IT skills will be an ongoing challenge. Comparing a skill s frequency of inclusion on résumés versus job postings is a useful method for identifying where talent supply and demand are misaligned. However, in some cases, the reasons for these gaps are still unclear. Identifying answers in these cases will require ongoing conversations between employers and talent providers, including additional research to answer questions that are more complicated and long-ranging. Foundational applications and frameworks such as Windows, Linux/Unix and Git are essential regardless of occupation. Other more domain-specific credentials like Security+ were also relevant to both roles. However, many of these shared competencies are likely also a product of candidates prior IT experience (around three years, on average, for entry-level candidates in either occupation). Many of the employers NVTC spoke with reported having the most difficulty filling mid-level positions (those requiring 2-5 years of professional experience and skill in the relevant IT field) while sourcing entry-level talent is often much easier 6 Understanding Employer Demand for Cybersecurity and Software Development Skills in the Greater Washington Region

7 Further Research While this report provides insight to the employer demand for most commonly cited attributes of the software development and cybersecurity workforce, more work is required to provide a clearer view of the career pathways and interdependencies of IT certification, skill and competency requirements for the software development and cybersecurity workforce. Such analysis would better inform training and education providers, students and the rising workforce on what they will need in order to be successful in their IT career. Examples of possible questions for further research could include: Stacking skills and certifications to climb the career ladder? While this research begins to touch on how different skills may be more appropriate at different stages in a worker s career, more work is required to better understand how IT certifications and skills are related to or dependent on one another at a detailed competency level. This would highlight the extent to which certifications or competencies can be stacked to build on one another across a worker s career. systems, for example) do they expect to have the most trouble filling due to retirements, and what sorts of internal talent pipelines and succession plans do regional employers have in place to train and upskill entry-level workers to efficiently fill these gaps? Higher education to get hired? Further investigation into the rate at which candidates with less than a bachelor s degree are actually hired by regional IT employers particularly over time, to highlight any shifting trends or the degree to which a bachelor s degree is the only avenue to obtain required skills and abilities, would be useful. Using talent pipelines to ride the grey wave? A related project would be to better understand the unique skills and knowledge that mid- and senior-level workers contribute to the labor force, and how regional IT employers are preparing to respond to these skill losses as the current workforce ages and retires at an increasing rate. What specific skills and competencies (understanding of legacy 86% of the model résumés submitted for review (across both roles) indicated having a bachelor s degree; even among those that did not, the majority indicated that a 4-year degree was in progress. Northern Virginia Technology Council 7

8