When your kids are in high school or college, you tend to think about what the job market will have in store for them. That's certainly true for Mike O'Malley, VP of strategy at Radware. As both a hiring manager in security and father of kids this age, the 20-year-plus industry veteran is often asked plenty of questions by fellow parents about promising jobs in his field.
His answers have changed over time.
"The jobs aren't the same as two or three years ago," he acknowledges. "The types of skill sets employers are looking for is evolving rapidly."
Three factors have led the evolution, O'Malley says. The first, of course, is COVID-19 and the sudden need for large-scale remote workforces.
"Through this we are seeing a need for people who understand zero-trust work environments," he says. "Job titles around knowing VPN [technology] and how to enable remote work with the understanding that everyone should be considered an outsider [are gaining popularity]."
The next trend is cloud computing. With more organizations putting their workloads in public and private clouds, they've become less interested in hardware expertise and want people who understand the tech's complex IT infrastructure.
A bigger focus on business resiliency is the third major trend. The know-how needed here emphasizes technologies that make a network more intelligent and enable it to learn how to protect itself. Think: automation, artificial intelligence, and machine learning.
The Edge asked around about which titles and skills security hiring managers are interested in today. Here are the in-demand roles and the ones that are fading away.
HOT: Data Scientist/Security Analyst
This title speaks to the influence of business resiliency and the need to future-proof an organization. The job calls for skills that can work on predictive network models.
"These folks are the hunters in security," says Charles Poff, CISO at SailPoint. "They work in security operations and are building threat models, conducting incident response, and hunting for the unknown bad actor."
While the title may vary between security analyst or data scientist, security hiring managers need team members who can analyze data in real time to identify trends. These are the "deep thinkers" who can help a network protect itself by analyzing data and recognizing early indications of the next attack, O'Malley says.
"You need your best mathematical people," he says.
NOT HOT: Security Operations Center Analyst
Many duties performed by SOC analysts are being automated away as businesses turn to machine learning and automation, O'Malley says.
"I am seeing more traditional IT work roles tapering off," adds Ken Jenkins, founder and principal of EmberSec. "And thanks to automation, some jobs require less intervention, like managing a firewall from the front-end user interface vs. having to solely rely on the command-line interfaces and programming."
HOT: The DevSecOps Security Engineer
Considering that research shows the massive growth of DevOps in organizations, job candidates need both security product knowledge and a developer mind set. In fact, according to "IDC FutureScape: Worldwide IT Industry 2020 Predictions," by 2025 nearly two-thirds of enterprises will be software producers with code deployed daily. The research also forecasts 1.6 times more developers than there are now, working collaboratively with other teams, including security.
SailPoint, for one, is looking for candidates with a solid DevOps background for its engineering team, Poff says.
"Security engineers are running, configuring, and tuning security tooling but also integrating and automating security processes," he notes.
NOT HOT: Traditional Security Engineer
This role in many organizations has become "obsolete," according to Poff.
"These roles were traditionally centered around security point products, configuration, and monitoring of these tools," he says. "With today's security enterprise, organizations have shifted to be more data-centric."
HOT: Security Architect
For companies that develop products or provide software-as-a-service (SaaS), having security architects on the team is increasingly important.
"In our case, the security architect will work closing with the product teams to ensure products and services are built securely," Poff says. "This is more of a strategic role that provides guidance and training to the organization while steering the security culture in the right direction."
NOT HOT: Hardware Engineer
O'Malley notes that positions with a focus on traditional hardware or custom chip sets are falling out of fashion as companies move away from vendor lock-in with hardware and toward vendor-neutral, cloud-centric environments.
"Vendor-agnostic skills are in-demand," Jenkins adds.
HOT: Cloud Roles
Expertise in cloud and cloud-native technologies are in demand, according to Jenkins, and one role this translates to is cloud security engineer.
Other hot cloud security roles including cloud security architect and cloud security administrator. O'Malley says this is another area growing so rapidly that it might make sense to identify talent in other areas of the company to reskill for cloud work.
"You can take some of your brightest security people that maybe don't have a background in cloud or data analytics and retrain those people," he says.
NOT HOT: Data Center Security Manager
As the cloud gets hotter, the need for on-premise data centers is cooling down. Gartner predicts that by 2025, 80% of enterprises will shut down their traditional data centers. Companies are doing away with the physical, so the skills needed to manage them are becoming obsolete.
HOT: Governance and Compliance Roles
With a challenging compliance landscape that includes the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), an understanding of how security enables a company to stay in line with regulations is increasingly needed.
"There are privacy laws driving changes in business processes and marketing," says Brian Wrozek, CISO at Optiv Security.
One of the job titles heating up in this area is security control assessor, Wrozek says. Other roles include compliance and risk management director and compliance and risk analyst.
"Familiarity with general cybersecurity principles and privacy regulations is a must," he says. "For example, active involvement in the ISSA [Information Systems Security Association] or IAPP [International Association of Privacy Professionals] would demonstrate tangible initiative."