WP Why Learning DDoS Mitigation Can Get NetOps Pros a Raise

Why Learning DDoS Mitigation Can Get NetOps Pros a Raise

Why Learning DDoS Mitigation Can Get NetOps Pros a Raise

If you’re looking to hire a network engineering professional with DDoS experience, the data from our survey tells us you’ll have a tougher time hiring in the coming months.

Global demand for network engineers who have DDoS mitigation skills has continued to grow over the last six months, as confirmed by our analysis. Based on our findings we believe the reason for this is a scarcity of qualified personnel and a rising demand from companies and security vendors for this specific experience.

We learned that China is seeing the most demand for DDoS network engineering skills, with an estimated 47 percent annual growth (compared to 30 percent in the US). Further, companies in the US, UK and Canada are taking longer to fill these positions, as evidenced by the increase in average listing days for them. In the US, this has increased from 27 to 37 days over a four month period, with the growth rate being over 75%.

Explore the data for yourself—I think you’ll find these charts created with plot.ly very insightful.

A bit of context—In Q3 2015, I hired an analytics/data science consulting firm to report on recent market trends regarding DDoS mitigation job skills. That report pointed to a sustained increase in demand for professionals having DDoS mitigation experience across IT security, network engineering and operations, systems administration and DevOps realms. However, it suffered a potential survivorship bias from expired listings. This comprehensive, longer-term study avoids such bias.*

Recruiting a network DDoS engineer

Job listings with the desired qualifications of an experienced anti-DDoS engineer manifests as a long list that includes years in the industry, carrier experience, knowledge of network infrastructure, network platforms and DDoS mitigation technologies, specifically BGP and GRE tunneling. In addition, the engineer needs analytical, customer service, and communication skills, and frequently needs to be a sleuth when deconstructing an attack .

At our company, a job description for a security expert looks like this:

Position Requirements

  • 4+ years of information security experience
  • Knowledgeable with HTML and JavaScript.
  • Experience with web protocols and standards (TCP/IP, HTTP, SSL, and DNS).
  • Knowledge and experience with SQL and SQL-based environments is a plus
  • Familiarity with Linux in an administrative or technical capacity
  • Familiarity with regulatory standards and compliance (HIPAA, SOX, PCI DSS)
  • (Preferred) 4+ years’ experience in database administration, information security or related fields
  • Keen attention to detail – demonstrated understanding and documenting of customer requirements, while managing expectations, and providing excellent customer service.
  • Excellent problem solving skills with a strong sense of customer commitment.
  • Excellent communication (written and verbal) and interpersonal skills.
  • (Preferred) Bachelor’s Degree in a relevant field or equivalent education

Job listings requiring DDoS skills are growing

We first looked at the number of listings retrieved from the DDoS search. The trend shows an increase in job listings across all countries.

When compared against growth of listings with “JavaScript” experience, it shows that the listings in China are increasing while those in the US remain flat. This indicates that demand for DDoS mitigation skills is growing at a faster rate than that of JavaScript, albeit in smaller absolute numbers (less than 0.6% of the total demand). In any case, both of these are considered hot job skills.

 World DDoS listings growth

We dig deeper into listings growth to better understand the underlying trends among the different job roles.

The worldwide picture shows an overall upward trend as indicated below in the bi-weekly stacked histogram with the number of listings added in a two-week period. In examining individual job roles, we confirm the upward listings growth trend across all job roles.

Growth trend in US DDoS role specific listings

In examining the role-specific DDoS US listings, we also see the trend increase for network engineering and systems administration, but not for DevOps and security.

Worldwide summary of DDoS network engineering listings growth

Here we focus solely on the network engineering profiles and analyze listings growth in various countries. Bubble size indicates the number of listings analyzed over the study period.

One surprising fact that jumps out is that China had more overall listings than the US and also showed higher listings growth.

Growth in network engineering DDoS positions

Looking at the weekly histogram to understand the differences across countries, it shows that listings in China are all fairly recent, while US listings are older.

What is the supply-demand profile?

Why did China have more listings than the US over the course of the study? When jobs don’t get filled, they stay on a job board for a longer duration — hence absolute listing numbers may be higher for the US, it having a lower listing growth, versus China, which had higher listing growth but also a higher supply-demand profile.

We then examined jobs added vs. filled over each sampling period, this chart showing the differences between the US and China. For each period, China had more new listings, as well as listings that had dropped off, indicating both a higher demand and supply of DDoS network engineering positions there.

This could result from a number of factors, including supply of tech graduates, salary differences compared to related tech areas (which may be affecting the same talent pool), and career growth opportunities in technology and network engineering.

Is it getting harder to fill a DDoS network engineering position?

The weekly histogram of different countries shows that US listings are staying on longer than other countries — indicating that American companies take longer to fill their DDoS network engineering positions.

Regarding the duration required to fill DDoS network engineering positions, does the data reveal that it’s getting harder to fill them, and, if so, which countries reflect this trend? The metric we examined is “average listing days” for each country. From the following chart we can infer a couple of insights.

    • US and UK job listings have longer average listing days than China
    • Hiring demand in China is being met much faster
    • The upward trend in average listing days may indicate that all countries are finding it harder to fill their DDoS network engineering positions

Supply chain metrics can help determine demand fulfillment for DDoS network engineering positions in the US and China. Given the demand (the number of open listings), we want to know the fill rate in the sampling period (the number of positions filled as a percentage of open listings). The proximity in pullDates affects this trend, so absolute values become the focus. The result shows China as having a much higher demand fulfillment for DDoS jobs than the US.

Where are the Worldwide DDoS Jobs?

We plotted all jobs on the world maps below. The color code indicates a greater number of listings. The maps are zoomable, and you can browse to see information about job title, company and city.

Where are the worldwide network engineering DDoS jobs?

Where are US DDoS jobs located?

Where are US network engineering DDoS jobs located?

Conclusion and implications

Companies worldwide are looking to hire skilled and scarce human resources to address security concerns threatening their online presence. The growth in attacks makes it essential for every organization to have a DDoS planning, prevention and mitigation strategy. Our researcher experienced a DDoS attack on his server during the course of conducting this analysis.

We believe that the demand for network engineers with DDoS expertise is growing as a direct result of the rise of volumetric attacks on organizations. Whether organizations build or outsource their DDoS mitigation, they require a specialized resource in their IT departments to focus on internal solutions or actively manage vendors.

The supply of skilled engineers is also falling short according to a report by Dice. In the face of a robust jobs market for tech workers, security is not yet a course requirement for most computer science degree students. Technical training in DDoS is available, for example, in our Our DDoS Training Bootcamp that offers beginner and advanced technical training in DDoS and the technologies that mitigate it.

Our analysis of job listings for DDoS skills indicates that organizations are scrambling for DDoS engineers, creating a demand that is not met by the meager supply of applicants with desired skills. Typically we would consider this normal behavior in the face of an emerging new threat. However, when it comes to DDoS protection it can be unclear what the role of that engineer is and what the required qualifications are – in particular when considering DDoS attacks affect the external side of an organization’s communication line and can only be mitigated through a service external to the organization. And as seen in our job listing earlier, the anti-DDoS service provider is competing for the same talent as the enterprises themselves.

Where does your company stand with respect to its need of network ops professionals with DDoS experience? The average time to hire a qualified person is approaching 40 days for the US and UK as of this writing, and is on an upward trend worldwide. DDoS attackers are skilled and nimble. Your strategy needs to be equally nimble and agile to prevent this continued and growing threat.

Phase 2 survey methodology *

To eliminate the bias, the research firm ran a longer study over six months. Using a JSON API that searched for keyword, DDoS, it mined jobs from both Indeed.com and SimplyHired.com every two weeks. This was repeated for each of the 37 countries in scope of the analysis. In all, 19 runs were mined over 30,000 DDoS job listings from Indeed.com and over 16,000 from SimplyHired.com. Over 1,500 files from the study period were then aggregated and analyzed, using a linear model to fit and observe trends.

We decided to go with the Indeed listings, both because of the comprehensive country coverage and also, on manual inspection, we found this data set to have higher accuracy than that of SimplyHired.

We used the Google Translate API to translate foreign listings (jobtitle, jobsnippet, city and company) to English, and then executed text analytics to classify them into the required job roles.

We also compared trends in general tech hiring by extracting “JavaScript” jobs during each data mining activity. As it turns out, both of our search terms are universally used.

Focusing on the demand for DDoS network engineering resources, we categorized the data into the following four profiles: network engineering, systems administration, security and DevOps. We omitted the 9% matching the sales and marketing profile, as well as 7% representing various vendor companies (including Incapsula/Imperva).


The following project tools and software were used for analysis and profile matching.

The analysis work was done in R with the dplyr package and also Python.

Visualization was done using plot.ly and ggmap.

Translation was done with Google Translate

Mapping visualization used OpenStreetMaps

Profile matching

We used the following regular expressions to determine job profile.

# Network Engineer, System Admin, Developer, Sales, Security

salesKeyWords <- “(Sales)|(Business Development)|(Marketing)|(Alliance)|(Demand Generation)|(Product(.*)Manager)|(Account(.*)Manager)”

networkEngineerKeyWords <- “(Network Management)|(Network Security)|(VLAN)|(MPLS)|(BGP)|(IP-Sec)|(Network Engineer)|(SOC)|(NOC)|(Traffic)|(DNS)|(Network Operations)|(Network(*)Architect)|(Network Administrator)”

securityKeyWords1 <- “(IT Security)”

securityKeyWords2 <- “(Security)|(Fraud)|(Penetration)|(Investigator)|(Governance)|(Risk Management)|(Intrusion)|(Intelligence)|(InfoSec)|(DDoS)|(Firewall)|(Attack)|(Cyber)|(Cryptographic)”

sysAdminKeyWords1 <- “(Systems Admin)|(System Admin)|(Sys Admin)|(IT Operations)”

sysAdminKeyWords2 <- “(System)|(IT Operations)|(Configuration)|(Administrator)|(Linux)|(Windows Server)|(Infrastructure)”

developerKeyWords <- “(Copywriter)|(Java)|(Architect)|(Software)|(Devops)|(Solution Architecture)| ((*)Scientist)|(Engineer)|(Project Manager)|(Developer)|(WAAF)|(Analyst)|(Data(.*)Architect)”