The IT security job market is booming -- but that doesn't mean everyone is automatically getting a job, or the right job. And just like the threat landscape is rapidly evolving, so are the qualifications and qualities needed for positions in the security profession.
There's a conundrum between supply and demand: Employers are looking for security candidates who can fill a specific need, such as incident response or risk management, while security pros on the job hunt want to build on their existing skills and advance their careers. "But employers don't want to hire someone to get experience on their dime," says Lee Kushner, president of LJ Kushner and Associates, an IT security recruitment firm.
"In general, there are more qualified people than jobs. And in specific terms, there are fewer qualified candidates for the jobs people are hiring for," says Kushner, who also co-founded InfoSecLeaders.com.
Getting the right person for the job is as difficult as getting the right job. According to a report by Booz Allen Hamilton last year, only 40 percent of government managers say they are satisfied with the quality of applicants they're seeing for federal IT security jobs, and only 30 percent are happy with the number of applicants.
And employers are looking for security pros who specialize in specific security disciplines. The days of the Certified Information Systems Security Professional (CISSP) certification guaranteeing employment are over, security career experts say. Security jobs are becoming more specialized, so a general cert doesn't carry the same weight it once did. "CISSP used to be a must-have. Now it's more of a 'nice-to-have,'" says David Bump, portfolio manager for security certifications for Cisco Systems' [email protected] program.
So what do employers in the federal and private sectors want in a security pro today? The most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well as the regulations that help dictate their defenses: They're looking for experience in incident-handling and response, compliance, risk management, business-side acumen, security clearance for sensitive government work, and leadership.
Let's take a look at each.
If the revelation of the Google/"Operation Aurora" attacks have taught us anything, it's that no organization is immune to targeted, persistent attacks that easily fly under the radar and don't come to light until it's too late.
These attacks also have drawn government and private industry closer together, and the job markets are becoming more intertwined as the two sectors look for similar skill sets, says Evan Lesser, co-founder and director of ClearanceJobs.com, a site that matches U.S. job seekers with security clearances and government contractors and agencies. "The government is looking toward industry, and industry is looking toward government," Lesser says. "They are working hand-in-hand [more now] because an attack on a commercial financial system is an attack on the country, as with any infrastructure-related [attack]."
And that has made incident response an important job skill that many employers are seeking -- professionals who don't just know how to use or configure an IDS or firewall, for instance, but who also know how to maintain and analyze log files and other incident data and then can share it among others in the company.
"The incident responders and handlers are the guys on the front lines," Cisco's Bump says. "And their attention to detail is heightened...there should be a lot of documentation and sharing with other groups investigating [a breach]."
Security certifications are evolving that reflect this shift. "In the past when you were certified on a product, you knew how to use the IDS/IPS," for example. "We're moving more from certification on products to certification on job roles."
That entails expertise in how to use the information gathered by security devices and systems, security experts say. "Now it's a lot of architecture [knowledge], solutions, and best practices," Bump says. "They also need security architects who deploy the solutions, design them, and look at the policies."
2. Compliance know-how.
Security pros are expected to know their employers' regulatory environments, too, whether it's PCI DSS or HIPAA. "Governance and regulatory positions have a big match, as well," Kushner says. He says he's seeing more jobs looking for expertise in the Health Information Trust Alliance (HITRUST) framework for the secure exchange or storage of personal health and financial information.
Any qualifications and experience related to securing customer data, whether it's data leakage prevention or database security skills, are hot, Kushner says. Another growing area is assessing the risk of third-party partnerships, he says. "Assessing the risk of third parties falls into governance, compliance, and risk...the job orders we receive seem to be a mix of all of that."
That means knowing which security gear the organization needs and where it should go based on HIPPA requirements, for example. "That's a dynamic change" in security jobs, notes Cisco's Bump.
One of the top job openings in federal government agencies and contractor firms today is the information security and assurance expert, according to ClearanceJobs.com's Lesser. These jobs include the DoD's new Certified Ethical Hacker certification for penetration testing, he says.
3. Risk management.
In a recent survey by Cisco of Cisco Certified Internetwork Experts (CCIEs) around the world, more than 60 percent said security and risk management will be the most in-demand skills during the next five years.
Fred Kost, director of marketing for security solutions at Cisco, says he's seeing more organizations considering how to deploy security in order to minimize risks to their businesses. "More of our customers are looking for security people being defensive and enabling the business," he says. "They are thinking about compliance, risk management -- broader business thinking on how to deploy security to take risks out of the business."
There are now more types of security jobs for more types of people, too, he says. "If I have you monitoring a console looking for events, that's one skill set. If you're assessing business risk or [handling] compliance and auditing, that's another skill set. This creates more opportunities for security pros today than in the past when the security guy wore a black t-shirt, long hair, and sat in front of a screen."
Government IT security jobs in the DHS, DoD, and their contractors not only require the GIAC Information Security Fundamentals (GSIF) certification as a baseline, but also are starting to look for candidates with GIAC Security Essentials Certification (GSEC), according to Lesser at ClearanceJobs.com. "This is the next step up from GSIF" and focuses on risk assessment, security policy, password management, IDS, firewalls, and other issues.
4. Business acumen.
Many of today's IT security jobs are going beyond the technical and demand an understanding of how the business works, plus how security can support it as well as protect it.
Cisco has a new certification that reflects this shift toward more real-world experience: the Cisco Certified Architect. The Certified Architect must be able to articulate the business value of a specific security or network technology in order to get C-level buy-in, according to Cisco.
So when two banks merge, for example, the security pro needs to be able to understand the business requirements for the integrated operation and then select the right technologies to achieve those. These candidates have strong technical backgrounds, but can also translate the technology into business needs, Cisco's Bump says. "They have a lot of experience in big-picture solutions," he says.
Meanwhile, one big mistake job seekers make is overemphasizing certifications at the expense of gaining actual, on-the-job experience, including business-side exposure.
"There's always been a battle between candidates saying I have a certification or I have experience. It's got to be a combination of both," says ClearanceJobs.com's Lesser, who describes his firm as a matchmaker or online "dating service" to match job candidates with federal security clearances with open positions in government agencies or government contractors. "Certifications are required for anyone doing work for the government. But certification is by no means the be-all, end-all. Real-world experience is very important as well."
5. Government security clearance.
The federal government, namely the DHS and DoD, are heavily recruiting new IT security talent. But the Catch-22 is many of these jobs require the candidate to have a security clearance check, which can take six months or more to complete. If the timing's right, it means more money: IT security pros with security clearances earn 20 percent more than those without, according to ClearanceJobs.com's data.
IT security is the No. 1 growth industry in the government and government contractor sectors, says ClearanceJob.com's Lesser. "The next world war is not going to start with boots on the ground -- it's going to start over the Internet, with misinformation [campaigns], denial-of-service, or shutting down systems," he says.
Lesser says DoD Directive 8570 requires that by the end of 2011, anyone working for a federal contractor or federal agency with privileged access will have to have special security training -- something to keep in mind when perusing government job openings.
Among the newest job qualifications in demand among agencies and contractors that require security clearances is experience in wireless security and software security. Lesser's site works mainly with federal contractors, including the big names like Boeing, Lockheed, and Raytheon, as well as smaller contractors, national federal laboratories, and universities with federal contracts, such as MIT and Georgia Tech, he says.
Younger candidates, including ones just out of college, are attractive to the DoD and DHS and their contractors, he says. "The older you are, the more baggage you have that can deny you a security clearance, which can take longer," Lesser says. "It's interesting: We're seeing a lot of younger people getting security clearances faster [and getting hired]."
6. Leadership experience
An oft-ignored skill in information security is leadership, but Kushner says that's the No. 1 qualification he would recommend. "This will separate you from the others," he says.
Experience here could be in leading a team or project or a professional organization, for example. "Taking a leadership role shows you're not afraid of challenges," he says. "Even if you fail, you walk away with the experience."
Meanwhile, some positions are harder to fill due to their need for technical depth and business collaboration requirements, including software security and identity and access management, according to Kushner. "The hardest jobs to fill are ones where people are looking for a certain level of technical depth, as well as the ability to fully articulate it and communicate with senior [business] leaders," he says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio