Chief information security officers report having a challenging time finding the security talent they need. However, it's not necessarily a lack of IT talent that's proving to be the challenge.
Rather, according to veteran infosec pros, the IT security job market faces a steep hill of unrealistic HR and hiring manager expectations, rapid commoditization of certain technologies, and a lack of security professionals who can adequately communicate IT security and risk to business executives.
Richard Bejtlich, chief security officer at Alexandria, Va.-based Mandiant Corp., and author of the popular TaoSecurity blog, said one of the first hurdles hit by security job seekers is the unrealistic expectations of many hiring organizations.
"HR departments will get the idea that they need multi-talented experts, rather than experts in one area and generalists in most others. So they go on to create laundry lists of requirements based on the false notion that these multi-talented specialists actually exist," Bejtlich said. "They probably never find what they seek. Especially when the skills they are looking for are at different ends of the spectrum, such as an expert network defender, but also a red team leader. Or they want somebody to be an expert systems admin, but also an expert coder."
That's not to say that the same person can't have these skills; they can. "But generally, they don't exist to the same level because to get to a high level you generally have to specialize," he said.
IT security help wanted: Business communication skills
While there's little job seekers can do directly about unrealistic expectations, there's plenty they can do about one of the biggest letdowns in candidates cited by the security officers we spoke with: business communication skills. "I'm always looking for a good balance between technical hands-on experience, not theoretical or academic, who can also communicate well," said Jay Leek, senior vice president and CISO at the Blackstone Group. "It's not as common to find in one person as you might assume," he said.
Eric Cowperthwaite, CSO at Providence Health & Services, agreed that security professionals with solid business communications skills are too tough to find. "One of the most important skills for someone who wants to build a career in information security, at any level, is communication skills. More and more the value of what we are attempting to do, and risks we face, need to be communicated to the business. And it's one of the most difficult things to find … someone who has adequate technical abilities, but also strong business sense and communication ability," Cowperthwaite said.
IT security skills at risk of being commoditized
While it seems like common sense, a number of security job seekers are not keeping their skills in line with what the IT security job market demands.
Leek recalled a couple of candidates who either possessed the right communication skills or were otherwise a good fit, but were overlooked because their security experience was limited to firewall management and networking. "That's not an information security person. It's not even a network security person. It is a firewall person," Leek said.
And for tasks that can be managed remotely, expect more job consolidation and elimination. "I think there is a certain set of people who consider themselves security people, but whose jobs are increasingly being shipped overseas. It's the same sort of IT pressures that moved other technology jobs overseas. Anybody who administers firewalls, antivirus, any sort of the commodity products, is at risk of their job being commoditized if it hasn't been already," Bejtlich said.
That's not to say that there isn't room for highly technical IT security pros. There is. "You just have to keep developing. A few years ago, all you needed to do was know how to manage the technology, today you need a technical skill and to more fully understand the nature of the business," Cowperthwaite said.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.