Job: Security

Enterprises are creating new, well-paid jobs for those with the right credentials.

Available now: IT jobs with rising pay, good benefits and plenty of opportunity for career advancement. To professionals struggling through the tech downturn, this might sound very last-century, but it could be the not-too-distant future for IT security specialists.

A heightened post-Sept. 11 focus on security, coupled with the recent creation of the 170,000-person federal Department of Homeland Security and new regulations affecting industries such as health care have begun to gear up demand for information security professionals, experts say. While the pressure for more security pros is building gradually, the trend represents an opportunity for experienced IT hands hungry for any opportunity for career advancement.

"The future of a career in security looks good, down the road," said David Foote, president and chief research officer at Foote Partners LLC, in New Canaan, Conn.

Even in the midst of IT industry hard times, security salaries are rising. While system administrators annual base pay has dropped more than $2,200 in the past three years, security salaries have risen almost across the board during the same period, according to the latest Foote Partners statistics. Security directors base salaries, for example, rose almost $20,000, from $108,060 to $127,762. Security managers average base pay grew by about $10,700, from $98,100 to $108,798. Web security managers saw an average increase from $89,909 to $98,371.

What can IT professionals do now to take advantage of the coming surge in demand for security skills? First, say experts, develop generalist security skills and get certified. Second, look for security-oriented positions at your current company before looking elsewhere.

One reason for the expected growth in security-oriented IT jobs is that securing a companys systems and data to the greatest degree possible is not a job that can be outsourced easily. The work requires a thorough understanding of a companys day-to-day operations and what, where and how equipment and data are used, experts say.

In most cases, its more cost-effective for enterprises to groom in-house staff as IT security experts, according to Maria Schafer, an analyst at Meta Group Inc., in Stamford, Conn. Therefore, currently employed IT pros interested in gaining security experience should consider opportunities in-house, even if that means taking on extra duties.

Thats what Glenn Davis did. And the result for him has been significant raises and a promotion. After 15 years as a programmer and system administrator at petroleum producer Syncrude Canada Ltd., Davis received his first security certification in 2000 and moved into a security job. Following a promotion, hes now IT adviser at the Fort McMurray, Alberta, company, with primary responsibility for intrusion detection, incident response and security policy implementation.

Syncrude covered the direct costs associated with Davis obtaining a GIAC (Global Information Assurance Certification), GCIA (GIAC Certified Intrusion Analyst) and GCWN (GIAC Certified Windows Security Administrator) certification. Davis estimated the company put out between $8,000 and $9,000 in Canadian currency (roughly $5,120 to $5,760 in U.S. currency) to pay for him to travel to and attend training conferences. In addition, each certification took approximately 100 hours of personal time, including writing the practical assignments and exams, said Davis.

There have been significant benefits to Davis certified IT security focus. "[The] GIAC certifications were not the only factor, but I believe they were an important component in salary increases," Davis said. "After my first GCWN certification, I received a 7 percent increase. Becoming a GCWN-authorized grader and obtaining the GIAC certification were factors in a promotion and additional 5 percent increase," he said.

Like Syncrude, many companies have been using certification as a deal-sweetener to entice IT pros to get training and take on security responsibilities, Foote said. And getting employees certified more than counters the costly process of hiring an expert who would likely command a higher salary, he said.

Companies that must hire outside the walls are looking for specialists with far-reaching security knowledge thats more than firewall-deep. Larger companies, in particular, are laying the groundwork for IT security teams to design and implement companywide security systems and policies in addition to locking down equipment and data, said Meta Groups Schafer.