CHICAGO -- There is little doubt that security is a sound IT career choice, but the field is far from easy, especially as one moves higher up the chain of command.
Security is hot, but that can be a double-edged sword. Companies are investing in personnel and creating new positions. Yet how security and related issues like regulatory compliance and customer privacy actually fit into the business is still being worked out.
The surest way to learn about new security opportunities is by networking with security pros at events like conferences, said Dave Stacey, the security manager with St. Jude Medical in St. Paul, Minn., which makes medical devices such as pacemakers. Finding out about jobs from peers has been Stacey's most fruitful approach, easily beating out headhunters and cold calls, he said during a panel discussion Monday at CSI's Computer Security Conference and Exhibition.
During the interview process it's important to articulate and explain the kinds of experiences you've had with security. Certifications are fine, but "experience pays more dividends," said Larry Byrns, a security consultant with IBM and another speaker at the panel discussion. "But you still have to tell a good story of your experiences."
For higher-level positions, knowledge of the particular industry is imperative. Positions like chief security officer (CSO) or its equivalent require good communication skills and the ability to work with others to get things accomplished.
"You need to know the business you are dealing with," said Terri Curran, a consultant with QinetiQ. "The technical stuff is secondary."
Fertile areas for security professionals are government, academia and law. The latter vertical market has seen "the value of what we do for a living," Curran said, noting that lawyers see how they need to secure the files they keep. Often the pay for such jobs can run into the six figures, she said.
Colleges and universities are coming around to the need for higher-level security and compliance professionals. Often such jobs come with the opportunity to teach some classes, which is a bonus for some.
The federal government is also hiring security pros in light of September 11 and the Patriot Act, Curran said.
For those wishing to sharpen their security skills, project management is a very hot field, Curran said. She has also seen some drifting away from CSOs toward newer positions such as chief privacy officer or chief compliance officer. The latter is becoming more common in pharmaceutical and insurance companies, which are facing regulations such as those detailed by the Health Insurance Portability and Accountability Act of 1996.
Outsourcing is also affecting the security field as companies turn to outside firms to manage specific security functions or their entire IT network, including security. Byrns has seen requests for proposals from two state governments for management of their IT systems, including security.
Security managers may not like outsourcing, as it takes away their control. They may find themselves security managers in name only, with no people reporting to them, "writing policies all day," Curran said.
Stacey can see the business case for outsourcing, especially for repetitive tasks such as monitoring firewall logs. He would prefer to keep security duties in-house, but you can't always get senior management to agree to that approach.