According to the latest research from Vero Beach, Fla.-based consultancy Foote Partners LLC., pay for certified IT security skills dropped 0.6% in Q3 2010, down for the first time since 2006.
The drop, however, is not necessarily attributable to decreased demand for security skills. David Foote, co-founder, CEO and chief research officer of Foote Partners, said that since 2006, there's actually been impressive salary growth for those with information security certifications.
"This idea of security starting to level out is not at all what you might think it is," Foote said. "The fact that this is leveling out is just an indication that we're ratcheting up to the next level."
But what is that next level, and how does it relate to certification pay? "Except for a handful, certifications stopped being that important a long time ago," Foote said. "It's also clear that there are a lot of skills that are heavily in demand -- there might not even be certifications for these skills."
The change in the landscape, according to Foote, seems to be related to a change in security job descriptions. Unlike years past, security jobs now encompass more of a business role in addition to a technical role; certs may not even be available for those skills.
"There is a rise in hybrid workers," Foote said. "Traditionally, security pros knew a lot about security technologies, but not necessarily about the data itself. The question has become: How do we consider what the most important data is? And that's a business issue, not IT."
Foote Partners' numbers seem to bear out this conclusion: Among non-certified skills for which pay grew over the last quarter, information risk management and risk assessment were two of the highest-paying categories.
"There's less of a demand for security certifications and more of a demand for security skills. There are security issues in finance and accounting, security issues in HR with privacy, security in marketing with social networking and information risk," Foote said. "These days, some security pros are reporting directly to marketing managers. Businesses need security people who understand how to manage product launches over Twitter. It's not the classic IT person, but it is an IT person nonetheless."
But with the move to a more business-based view of security, does that mean security certifications -- and those who have them -- are obsolete? Not so fast, Foote said. According to Foote Partners' research, pay rose during the last quarter for those holding a few specific security certifications, including the GIAC Certified Incident Handler (GCIH) and the GIAC Certified Intrusion Analyst (GCIA). "Don't necessarily assume security certifications are irrelevant. Forensics has been strong for a long time, as has incident handling and managing," Foote said.
"There's also a lot of skill acquisition in the health care industry right now, because privacy and compliance are big issues," he said. "Health care is a hot industry segment now for security people who are certified, because of government insistence on electronic medical records."
Also, said Foote, for those who aspire to be information security managers, it's still important to get a certification. Though the CISSP and CISM are the best-known management certs, Foote also recommended the new Certified in Risk and Information Systems Control (CRISC) cert from ISACA. "Given where we see the market going [integrating more with business], that one probably will be very influential. We don't know of any other certification on the market quite like it."