Security may be among the last items in an IT budget to get slashed, but it is still not totally recession-proof. Sometimes, staffers are shown the door, leaving laid-off security professionals with the need to stand out in a crowded field with potentially fewer opportunities.
New research from ISC2 (International Information Systems Security Certification Consortium), however, offers a glimpse at what perspective employers may be looking for. According to ISC2, a survey of nearly 1,500 of its members in the United States found the most sought after areas of expertise are information risk management, operations security, security management practices, and security architecture and models.
"A strong background in network and system administration is strongly recommended, as the majority of the risk in cyber-security lies in the network itself," ISC2 Executive Director W. Hord Tipton told eWEEK. "The role of security involves dealing with a lot of characteristics from the risk management arena, so practitioners need to have a firm grasp of the ever-changing threats and methods to mitigate those threats."
While having a single experience-based certification like the CISSP demonstrates academic competence across a broad range of areas, holding one certification is no longer an automatic differentiator factor when candidates are competing for jobs, Tipton added.
"One way security professionals can bolster their resumes and stand out during the hiring process is by possessing multiple professional certifications, which demonstrates specialization and competence in a variety of areas," he said.
Not to be underestimated as well is the power of communication. Given the economy, it is more important than ever for security professionals to be able to communicate the security needs of their organization to management in a way that makes business sense, Tipton explained.
That may be particularly true in cases where the security budget has not suffered the same fate as other aspects of IT.
"In many organizations, it is likely that the security budget has stayed level or possibly even increased while other aspects of IT spending are being cut, [which] can create a difficult working environment for security groups if they do not manage the perception of their spending wisely," noted Mike Montecillo, an analyst with Enterprise Management Associates. "Organizations concerned with managing their perception are likely to allow other organizations working within IT to utilize some of the security budget to purchase products. For example, a security team may move to purchase a network management solution that combines management capabilities with aspects of security."
Many security groups seeking to purchase tools are increasingly choosing the ones that require the least complex deployment, which is one of the underlying reasons there is an increased interest in areas such as security services and security SAAS (software as a service), he added.
Staffing cuts are also making managed services more enticing, said Forrester Research analyst Jonathan Penn, who added that there is more concern about the short-term payoff of any security investment.
"I don't see any specific area of security suffering more than others, but there is a keen focus on identifying what needs to be done today, and what projects might be delayed until next year [without] increasing the risk to the organization," Penn said.