The IT security job market is one of the trickiest job markets in IT - both for job seekers and for employers.
TechTarget's recent IT Salary Survey 2012 found that many IT security professionals saw raises and bonuses in 2012 and have a fairly positive outlook for 2013. We've also recently covered how unrealistic expectations and a skills gap mire the market for IT security jobs, as well as how the lack of skilled security professionals has made it a challenge for CISOs to fill specialties. The result is a market that is often confused about how to find and hire the talent it needs, and IT security job seekers who are unsure about the skills they need to build in order to succeed in an IT security career.
For some of the answers, we turned to Lee J. Kushner, founder and CEO of L. J. Kushner and Associates, LLC. Kushner’s firm specializes in recruiting information security professionals. Kushner has been recruiting information security professionals since 1996, and has witnessed considerable change over that time.
SearchSecurity: When you look at the market now, what IT security skills do you see in high demand?
Lee Kushner: There are a number of skills that are more in demand than others, and that have come to the forefront of demand in the past two or three years. We are seeing more of a push toward application security, incident response, threat and vulnerability management, and then overall blended security architecture that marries some of the risk factors with the technology factors. Those are all aspects of IT security that you now are seeing in greater demand in many organizations.
Also, what skills a company seeks many times depends on whether the company is looking to react to a government regulation or whether it wants to really reach a high level of security.
Those companies that are looking to build a security program based upon compliance or external auditor findings might not be concerned with finding the best people and technologies for the job. They might be more concerned with only finding a solution to satisfy the requirement rather than secure their business from security threats. If they want to be secure, rather than compliant, they may be more inclined to do this on a more elevated level, start looking for talent that is more technical, and has a greater understanding of the external threat landscape, as well as more of the preventative and proactive measures to make sure that a successful breach does not happen.
SearchSecurity: Looking back over the past decade to fifteen years, how would you describe the current demand in the IT security market?
Kushner: The only thing that I can compare this market to is the year 2000 job market. The difference between 2000 and now is that in 2000, if you could just spell security, people would hire you. It was a very cookie-cutter demand and it was a broad demand. There was not much difference, in the market’s eyes, between a pen tester, a firewall person, or a network IDS person. In other words, they were all security people, and if you could do one thing, you could do them all.
SearchSecurity: Do companies have a hard time articulating and finding the skills they need?
Kushner: We did a search for an international bank located in New York City. They had this search open for about 6 months before we engaged on it. They were looking for an information security officer for the Americas. They were having a problem because everybody that they had brought into the queue was very policy-driven and they did not have any technical chops. They needed somebody that could meet their technical bar and their leadership bar in order to build a program out. And that turned out to be a real big issue for them. You could not find that talent using generic keywords on the Internet. A lot of people would appear to be qualified, but when you dug deeper into the specifics of what the client was looking for the search was a lot more challenging than they expected.
Also, one of the bigger problems that companies trying to recruit IT security talent face now is that many do not understand the difficulty in liberating a security professional from a position and company where they are happy. They can say, ‘We have talked to these firms and they have told us that the right midpoint compensation for this position is X.’ Well, in an internal organization, X might be the right point of entry, but then you start dealing with a market with factors such as full employment, you start dealing with security people who are generally risk-averse, and you start dealing with economic conditions that require people to factor risk premiums into their career decision making. When all of that is taken into account, an average offer won’t appear compelling.
SearchSecurity: Are there many professionals who have allowed themselves to become too specialized?
Kushner: There are without question people who stayed within a certain silo, and it limits them. In many cases now, certain aspects of security are seen as a part of other domains. For instance, in order to be a good network architect you have to have some understanding of security. In the past you did not have to. Now security becomes a subset of the networking skill set. I do not think you can be a complete network engineer or architect, whatever you want to call it, without knowing security. But if you consider yourself a security person, and all you know is PCI DSS compliance, or network security, or IDS, you may need to broaden your skills out to grow and be a success.
SearchSecurity: What advice would you offer to someone who wants to move from a relatively low-level security operations role to a security management or leadership role?
Kushner: I think that what they should do is find internal projects where they can lend their expertise. There they can start taking more of a leadership role internally. The best way to start transitioning your experience is by taking responsibility internally, rather than looking externally. That sounds completely stupid coming from a recruiter. But that is really what it comes down to. You have your best internal cachet when you have already built an internal reputation, or a brand for yourself.
If you are well thought of as a network security engineer or a network engineer and there is a project you can take leadership on, by all means, take the opportunity and start building some of the traits that your company would view as management. Then, before you know it, they give you another project to lead, and then another project to lead, and then they’ll say, ‘Wow. This guy has really been working as a manager for the last 18 months here. We have an open position as a security manager or a manager of network security. Instead of looking outside, let us give that opportunity to George; he would be perfect for this.’
This acquisition of skills through experience is very important. You can find opportunities to do so internally. The problem on the flip side, of being siloed into one of these one-trick ponies, is that it is hard to leverage the value of that one trick in diverse environments.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.