Senior Editor, Network World

Security jobs heat up

News Analysis
Mar 13, 2006 | 5 mins
IT Leadership, IT Skills, Networking

Business acumen in demand; forensics and wireless are popular technical specialties.

Industry observers watching the IT security job market are pointing to up-and-coming areas such as computer forensics and wireless security for the hottest jobs.

Those are the findings from separate studies by the SANS Institute and the International Information Systems Security Certification Consortium (ISC2), which are professional organizations offering security certification. Their recent reports on how IT security jobs stack up indicate that security is gaining more clout with managers.

“To be a chief information security officer takes good technology understanding but also business understanding,” says Rolf Moulton, president and CEO of ISC2, which has 40,000 members. To move up the corporate ladder, security professionals must spend more time speaking with their organization’s businesspeople, learning their goals and communicating with them in ways they can comprehend, “not [in] the technical gobbledygook that technical people give them,” Moulton says. If they don’t, they end up “staying in a security club rather than a business club.”

And the result is a big difference in salary, at the very least.

“The SANS 2005 Information Security Salary and Career Advancement Survey” (.pdf file) shows that those in executive roles – with titles such as chief information security officer, chief security officer or security manager – earned $106,326 on average. That compares with the average $75,275 paid to technical security professionals with job titles such as security engineer, security penetration tester or Web security manager.

Moreover, working in the United States confers an advantage. The ISC2 and SANS reports conclude that U.S.-based IT security professionals overall are paid considerably better than their foreign counterparts, and this is particularly true in Asian countries (more on global pay). Part of the reason for higher U.S. salaries, as compared with the rest of the world, is that network security has been a defined profession here for longer, Moulton says.

Both organizations urge security professionals to facilitate career moves from the technical to the management track through training and certification, as well as college-level business-related studies. “An MBA, as well as a college degree in information security, is what we see in CISOs,” Moulton says.

What’s it pay?

| Position | Titles | U.S. median salary and bonus |
| --- | --- | --- |
| Senior security executive | Chief information security officer, chief risk officer, chief security officer, director of security, security manager | $106,326 |
| Policy-oriented security professional | Information security officer, security analyst/consultant, security auditor, security consultant | $83,835 |
| Technical security professional | Network administrator, network architect, programmer, security analyst/consultant, security auditor, security engineer, security penetration tester, system administrator, systems engineer, systems integrator, Web security manager | $75,275 |

New skills are in demand

IT security professionals – many of whom started as network administrators and honed their skills to become experts in Windows security, firewall maintenance or , for example – always wonder where the next hot jobs are.

So too does David Foote, director of research firm Foote Partners, which periodically surveys thousands of technical and business managers to determine which IT jobs are in most demand – and which are on the wane. Foote says a recent survey of management opinion at 1,900 companies suggests that in the coming year, corporations will be most interested in hiring security professionals with expertise in a few rising fields: incident response and forensics, wireless security, identity management and VoIP-related security. “I think there’ll be a lot more activity in these areas,” Foote says.

Vendor-specific equipment certifications remain important, such as those from Cisco, which last year introduced new certifications for most of its security products, Foote says.

In addition to the continuing importance of expertise in product or technology areas, there’s a new element that could affect careers in IT security, Foote says: Corporate managers have started indicating a strong preference for hiring IT security professionals who have a solid track record within a specific industry, whether manufacturing, retailing, medical or any vertical market. “Consider staying with a vertical industry,” Foote says.

That shouldn’t discourage job seekers from moving from company to company in search of better pay or working conditions, but now there appears to be clear value in sticking to a vertical market. The reason for this is that employers are expressing greater confidence in candidates who have an understanding of the business relationships and patterns of their industry, not just technology expertise.

ISC2’s “The 2005 Global Information Security Workforce Study” also indicates that wireless security, identity and access management, disaster recovery and forensics are areas where organizations are investing the most. Computer forensics – the intersection of technology with crime and the law – is an evolving field in terms of the definition of a metric for skills.

Lt. Col. Kenneth Zatyko, director of the Baltimore-area Defense Computer Forensics Laboratory, says only in the last two years have a handful of colleges, including Johns Hopkins, Carnegie Mellon and the University of Tulsa, begun offering academic programs for digital forensics examiners. “Frankly, right now we have to grow our own,” says Zatyko, whose laboratory strives to maintain a staff of about 40 digital forensics examiners. Steven Shirley, executive director of the Department of Defense’s Cyber Crime Center, which houses the lab, can approve the lab’s employees as digital forensics examiners, based on Zatyko’s recommendations.

The Cyber Crime Center also is staffed with more than a dozen forensics technicians who are allowed to handle digital evidence but aren’t in charge of analysis. A digital forensics technician’s salary is between $55,000 and $75,000. “An examiner makes about 30% to 50% more,” Zatyko says. In his program, examiners must pass an annual proficiency test.

IDC pegs the current number of IT security professionals in North and South America at 647,577, and expects that number to grow to 787,292 by 2009.