As an information security recruiter and career advisor, I find that many of my conversations begin with the question, “How is the market?” While the question appears simple at face value, the answer is complex and depends greatly on variables unique to the individual.
Information security professionals possess many different skill combinations. Some refer to themselves as generalists, having broad knowledge that includes technical, organizational and management skills. Others categorize themselves as specialists or subject matter experts who have deep expertise in a discipline such as penetration testing, network security, application security or forensics. Just as there are a variety of skills profiles, there are a variety of markets for these individuals and their information security career. These markets are driven by two external factors: broader-based technology trends, and locally based corporate and industry trends. Broader market trends for information security professionals often involve the emergence of new technology trends that drive demand for specific talent. Technical trends enhance the market for subject matter experts and have little effect on generalists.
The emergence and importance of Web-based applications is an example of a recent business trend driving the market for Web application penetration testers. The emergence of this broader market force drove up the value and demand for information security professionals with these specific Web application testing skills and technical foundations, and, conversely, drove down the demand and compensation for traditional network penetration testers. (Understand that a global trend will rarely affect industry-leading talent.) Traditional network penetration testers who recognized this and were capable of learning Web application testing skills were able to make the adjustment and create additional value because of their skill blend. In turn, they created a secondary market, based on their skill combination. On the other hand, traditional network penetration testers who decided not to adapt or were not capable have seen the market for their skills shrink dramatically.
Currently, some of the emerging global information security technology trends include the implementation of security information and event management tools, data loss prevention tools, cloud computing, software security and protecting companies against advanced persistent threats. In all of these skill disciplines, there are more ongoing projects than there are competent security professionals to execute them. Information security professionals who have documented successful experience with these technologies currently have the luxury of a strong employment market.
Industry trends are another prime market driver for information security professionals. Over the last few years, companies have become more exposed to the consequences of not protecting their data and their customer information. Through breach notification legislation, regulations (primarily PCI DSS), hacktivism and the media, information security concerns have moved to the forefront of many businesses that have never properly invested in the development of an information security program.
When companies begin to formally commit to the construction of an information security program, or make the decision to upgrade their existing programs, professionals with broader information security skills generally stand to benefit. In these types of scenarios, companies are most concerned about securing their businesses and managing risk, and are prone to hire information security leaders who can help ingrain information security into the fabric of the business. Information security professionals who have specific industry knowledge, and excellent communication skills, generally can benefit from these situations.
Broader forces influence the market at large for information security professionals, but the individual determines their career market. Although skills are the most important component of the equation, it is the personal factors that ultimately play an equal role in determining the market for your skills. Many times, in order to advance your information security career and maximize your skills, you need to be willing to make some sacrifices that include travel, additional commuting and relocation. Many information security professionals find there is a market for their skill, but the required personal sacrifices prohibit them from recognizing the market opportunity.
If I had to answer the initial question, I would say the overall market for information security professionals is quite healthy. The combination of the pent-up demand created by the economic slowdown and the continued emergence of information security as a business enabler and differentiator has provided a rebirth of opportunity for highly skilled information security professionals. However, many of these newly created positions come with increased personal demands, including long work hours, extensive travel and a high level of scrutiny.
As in the past, you are the determining factor for the market for your skills. Competition, both in the present and the future, will continue to increase, and the proactive management of your information security career, through continued skill development and by making strategic career investment, is the only way to ensure the market for your skills remains strong.
Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website.
Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of InfoSecLeaders.com where he writes and talks about the skills and strategies for building a long-term career in information security.