But like all other IT careers, the market demands wax and wane and the requirements change. Experts say spending on security will continue to rise – and specialization, compliance knowledge and documented work experience are in demand.
Compliance spending continues
Enterprises continue to pour money into compliance projects, resulting in a need for more security pros, said Ali Pabrai, CEO of ecfirst.com and a member of the advisory committee at CompTIA Security+, the largest developer of vendor-neutral IT certification exams..
"Financial, healthcare and government organizations are aligning their security initiatives with compliance priorities," he said.
Employers are looking for the right talent to specialize in a particular area, Pabrai said. Finding that niche may be key to landing the next big job.
"Businesses are looking for professionals that understand security fundamentals and are specialized in a particular area of technology, such as Cisco, Microsoft or wireless security," he said.
While the initial "compliance binge" has slowed down, professionals who are well-versed in remediation and audits are still needed, said Ed Tittel, a freelance writer, trainer and consultant based in the Austin, Texas area.
In addition to compliance skills, companies are looking for professionals with dual talents in development and security, as well as professionals with security clearances who can fulfill the specialized needs of government agencies and defense contractors, Tittel said.
Experts agree that security spending will continue to increase in 2007, but at a slower pace than in previous years. Tittel estimated that the industry would see a 12-15% growth in the coming year; during the past several years, security spending has increased at least 20% annually, he said.
VoIP, wireless security growth
New eras bring new risks. And as one might expect from the skyrocketing numbers, handheld and wireless devices pose an increasing threat to corporate security, said Neill Hopkins, vice president of skills development for CompTIA.
According to a survey by Fierce-Wireless-Bluefire Wireless Security, 87% of respondents had concerns about the security of email access to corporate server accounts and remote access to corporate networks, Hopkins said. Respondents also had concerns about wireless security and loss or theft of mobile and wireless devices.
Hopkins also warned that companies will be facing threats from increased use of voice-over-Internet Protocol (VoIP) telephony and related technologies that are delivered over converged networks.
"In the IP-based communications environment, the system's functionality resides on standard computing platforms, which are vulnerable to the same types of attacks – viruses, worms, Trojan horses – that plague the data environment," Hopkins said.
Companies adopting IP-based communications solutions should thoroughly re-evaluate security practices and strategies to reduce vulnerability, he said.
Certifications in demandSo what will best prepare would-be security pros for the demands of 2007?
According to Hopkins, the following are the most demanded certifications:
But a certification isn't always enough to guarantee jobseekers a paycheck.
For entry-level jobseekers, Tittel said that skills, knowledge and experience can be more important than certification. He advises network administrators and others hoping to enter the security market to document security-related aspects of their jobs, such as incidents handled, training delivered and audits undertaken, in addition to pursuing certifications.
"Intermediate to advanced credentials like the mid-range SANS certs, CISSP, CISM and so forth represent the first significant stepping stones into a space where certification does register," he said. "But you're wise to recognize that three to five years of relevant, current information security job experience also factors into this equation."
More and more, said Hopkins, employers are looking for candidates who have degrees in IT, ideally focused on information security, and proven on-the-job experience along with great versatility and a broad skill set.
"Technical skills alone are no longer enough for most IT jobs," he said. "IT workers who understand how to use technology to meet business goals, and who can articulate this understanding, are golden in the eyes of employers."