Updated: 30 January 2004

 

Tech Job Outlook: Sizing up Security







Are enterprise-security jobs the safe haven that I.T. professionals are seeking? Not necessarily. The current I.T. job market is about as safe as the corporate network -- it needs constant attention and monitoring, and even then it may not be out of harm's way.

 

There are no universal truths in the I.T. world, but one statement that comes as close as any is that the demand for I.T. professionals with bona fide enterprise-security experience is strong and growing. At no other time in the industry's history have so many high-tech executives been obsessed with protecting their company's data, preventing hacker attacks, and warding off viruses and worms.

Does that mean every I.T. worker should run out and get training in the technical aspects of security? Not necessarily. Many of the new job openings require just as much business experience as they do hands-on technical know-how.

No Such Thing as Too Much

While the overall job market has begun to pick up, information security hires have been increasing for three or four months, said Jeff Markham, San Francisco branch office manager for Robert Half Technology.

Security is one of the top three skillsets that hiring companies are looking for in I.T. candidates, Markham said. The development of disaster recovery plans and the continuing need to safeguard corporate networks from spam and viruses are driving the need for information security personnel, he said. "Even large, publicly trading companies don't have adequate security systems set up," Markham told NewsFactor.

Security jobs also are paying well. Premium pay for skills certification and base pay have been outperforming the overall average in I.T. for eight straight quarters, said David Foote, the president and chief research officer of Foote Partners LLC. "It's surprising that more people don't see that and point their careers toward [security]," Foote said.

Part of the problem could be that security does not have the "branding" that skills like programming had in their heyday. Also, measuring the return on investment of I.T. security efforts is difficult, which makes security unattractive to a certain kind of manager or executive, Foote told NewsFactor. Also, institutions of higher learning have been slow to offer specialized degree programs in information security.

 

But the numbers do not lie. According to a November 2003 report by Foote Partners, the average security professional's total cash compensation increased between 16 percent and 32 percent in the last three years. The only exception was the lowest level job -- termed "security system administrator" -- which saw its overall paycheck decrease by 2 percent since 2000. Pay increases are slowing down, but not to the extent that other I.T. jobs are experiencing.

More Room at the Top

The top echelon positions -- chief information security officers, vice presidents and director-level security executives -- saw a 6 percent increase in salary and bonus packages in 2003. The national average for total compensation at this level was US$163,060 in 2003, according to Foote Partners. The continuing salary increases for these jobs are attributable to the growing demand for "professionals who can translate security into business operations," Foote said. They are typically "politically savvy and moderately technically astute."

Such titles as "chief security officer" and "chief privacy officer" were not around two years ago, Markham noted.

Among the essential characteristics for security executives are global experience, regulatory experience (Sarbanes-Oxley, for example), legal knowledge and marketing ability, according to the Foote report. The security executive also must be able to plan, develop and implement security programs at an enterprise level and ensure that security is part of every business project in its earliest stages.

Lower down, middle managers -- especially Web security managers and data warehouse/business intelligence security managers -- fared well in 2003, the Foote report says. They saw increases of 7.2 percent and 9.6 percent in total pay in 2003. Junior-level systems administrators and security analysts saw increases of 2-3 percent in 2003. The average total pay for security administrators nationally in 2003 was $78,475.

Certifications Count

Premium pay for certifications dropped in 2003, but certifications are still a proven way for information-security professionals to increase pay and expertise and move up the career ladder, Foote says.

Workers earning the Certified Information Systems Security Professional (CISSP) certification in 2003 received the highest incentive-pay premiums, according to Foote Partners, which regularly tracks bonuses and premium pay for certifications. They received 12 percent of base pay -- a 20 percent increase from 2002.

Workers earning the Certified Information Systems Auditor (CISA) certification also saw a substantial increase. And the GIAC Certified Unix Security Administrator (GCUX) and GIAC Certified Windows Security Administrator certifications also saw steady growth in premium pay.

At the same time, premium pay for GIAC Certified Incident Handler (GCIH) and GIAC Certified Firewall Analyst (GCIA) certifications fell about 10 percent in 2003.

The Industry-Specific Experience Edge

Certifications help but they are not a guarantee of success. "It separates somebody from the pack," Markham said, "but it will not win him the job. In and of itself, it is an aid to your skillset -- it shows you are committed to your profession," he added.

Organizations hiring information-security personnel sometimes ask that candidates be certified, but they also often ask that information security candidates have experience in their specific industry, Markham said. "All in all, the more business experience you have the better," he remarked.

In general, technical security certifications will lose ground in the next couple of years as more certifications are issued and their value is diluted, Foote said. But the security-management and auditing fields will gain ground.

Regulations -- such as Gramm-Leach-Bliley and HIPAA -- will drive a need for "stronger security controls, policy management and enforcement, and auditing," the Foote report predicts. Security efforts will focus less on technology and more on implementing processes and educating management and end-users.

"Corporate auditors are flooding into places [to get technical training]. They see a career opportunity to be a more technical auditor," Foote said.

Follow the Money Trail

Future I.T. spending can also be a window into figuring out what type of security positions will be in demand.

Organizations are increasing their spending in a number of areas inside information security. Those attracting the highest level of investment in the next three years, according to Foote Partners, include identity management, intrusion-prevention systems, security event and information monitoring, enterprise-security management and vulnerability assessment.

The information security skills and knowledge most highly valued in the workplace, according to Foote, include remote and wireless access, authorization mechanisms, network-management tools, risk management, formulating and implementing user-awareness policies, project management and measuring effectiveness using metrics.

Some type of network-security experience is necessary for many enterprise I.T. positions. Dice, an online recruiting service for technology professionals, currently has 2,585 jobs listed that request enterprise- or network-security expertise, said Susan Simcox, a spokesperson for Dice. About 1,200 of the jobs listed request Microsoft Windows experience, and 845 request Linux or Unix experience, Simcox told NewsFactor.

"Many of the jobs are for systems or network engineers that request enterprise-security knowledge rather than specialized network-security jobs," she said.


 

Copyright 2004 © EHTO All rights reserved