Available now: IT jobs with rising pay, good benefits and plenty of opportunity for career advancement. To professionals struggling through the tech downturn, this might sound very last-century, but it could be the not-too-distant future for IT security specialists.
A heightened post-Sept. 11 focus on security, coupled with the recent creation of the 170,000-person federal Department of Homeland Security and new regulations affecting industries such as health care, has begun to gear up demand for information security professionals, experts say. While the pressure for more security pros is building gradually, the trend represents an opportunity for experienced IT hands hungry for any opportunity for career advancement.
“The future of a career in security looks good, down the road,” said David Foote, president and chief research officer at Foote Partners LLC, in New Canaan, Conn.
Even in the midst of IT industry hard times, security salaries are rising. While system administrators’ annual base pay has dropped more than $2,200 in the past three years, security salaries have risen almost across the board during the same period, according to the latest Foote Partners statistics. Security directors’ base salaries, for example, rose almost $20,000, from $108,060 to $127,762. Security managers’ average base pay grew by about $10,700, from $98,100 to $108,798. Web security managers saw an average increase from $89,909 to $98,371.
What can IT professionals do now to take advantage of the coming surge in demand for security skills? First, say experts, develop generalist security skills and get certified. Second, look for security-oriented positions at your current company before looking elsewhere.
One reason for the expected growth in security-oriented IT jobs is that securing a company’s systems and data to the greatest degree possible is not a job that can be outsourced easily. The work requires a thorough understanding of a company’s day-to-day operations and what, where and how equipment and data are used, experts say.
In most cases, it’s more cost-effective for enterprises to groom in-house staff as IT security experts, according to Maria Schafer, an analyst at Meta Group Inc., in Stamford, Conn. Therefore, currently employed IT pros interested in gaining security experience should consider opportunities in-house, even if that means taking on extra duties.
That’s what Glenn Davis did. And the result for him has been significant raises and a promotion. After 15 years as a programmer and system administrator at petroleum producer Syncrude Canada Ltd., Davis received his first security certification in 2000 and moved into a security job. Following a promotion, he’s now IT adviser at the Fort McMurray, Alberta, company, with primary responsibility for intrusion detection, incident response and security policy implementation.
Syncrude covered the direct costs associated with Davis obtaining a GIAC (Global Information Assurance Certification), GCIA (GIAC Certified Intrusion Analyst) and GCWN (GIAC Certified Windows Security Administrator) certification. Davis estimated the company put out between $8,000 and $9,000 in Canadian currency (roughly $5,120 to $5,760 in U.S. currency) to pay for him to travel to and attend training conferences. In addition, each certification took approximately 100 hours of personal time, including writing the practical assignments and exams, said Davis.
There have been significant benefits to Davis’ certified IT security focus. “[The] GIAC certifications were not the only factor, but I believe they were an important component in salary increases,” Davis said. “After my first GCWN certification, I received a 7 percent increase. Becoming a GCWN-authorized grader and obtaining the GIAC certification were factors in a promotion and additional 5 percent increase,” he said.
Like Syncrude, many companies have been using certification as a deal-sweetener to entice IT pros to get training and take on security responsibilities, Foote said. And getting employees certified more than counters the costly process of hiring an expert who would likely command a higher salary, he said.
Companies that must hire outside the walls are looking for specialists with far-reaching security knowledge that’s more than firewall-deep. Larger companies, in particular, are laying the groundwork for IT security teams to design and implement companywide security systems and policies in addition to locking down equipment and data, said Meta Group’s Schafer.
As with any relatively new field, the necessary expertise required by employers will continue to shift from generalists to specialists, said Alan Paller, director of the SANS Institute, a Washington-based cooperative research and education organization. Would-be IT security professionals who are certified in an area of this field have a powerful weapon in their arsenal, Paller said.
The International Information Systems Security Certification Consortium Inc.’s CISSP (Certified Information Systems Security Professional) certification, which aims to prepare recipients to manage entire enterprise security systems, is one of the most-sought-after certifications, industry observers said. Also in demand are the SANS Institute’s GIAC credentials, which address a range of skill sets, including security essentials, intrusion detection, incident handling, firewalls and perimeter protection, and operating system security, among others.
CISSP certification can be a deal maker for employees at Guardent Inc., a managed security services and consulting company based in Waltham, Mass. According to Douglas Barbin, principal consultant of Guardent’s Enterprise Security and Privacy Services, West Coast, in San Francisco, virtually all the company consultants—around 150—have the CISSP designation.
“The CISSP is good in that it requires the professional to have that broad-based understanding of the core aspects of information security with a focus on enterprise security,” said Barbin. Guardent also values the GIAC certification, Barbin said, in part because it requires that security professionals not only obtain technical skills but also learn to communicate security issues to businesspeople.
“From my perspective,” said Barbin, “that is key: The industry is abundant with very smart, very technical people that can solve a variety of complex security problems. The challenge comes back to communicating the solution in a way that a company or an agency can take the appropriate action.”
A new, broad-based security credential is being added to the stew as well. The Information Systems Audit and Control Association plans a new certification targeting information security managers. The ISACA certification, to be called the Certified Information Security Manager, will be launched next year and appears destined to compete with CISSP certification. (See “Security Cert Provider Cries Foul.”)
Although some hot IT specialties have their day, then go off the résumé radar as technology shifts, security-oriented certifications, especially those geared toward management, should have more staying power, experts said.
There will even be a growth path, said Meta Group’s Schafer: The quest for optimal security will drive many more companies to hire chief security officers, and subsequent privacy issues will generate a new chief privacy officer position to deal with the thorny issues that tight security will likely raise, she said.
eWeek Labs Managing Editor Mary Stevens can be reached at [email protected]