There's a shift in the IT security job market that will continue to gather steam during 2012, based on ongoing predictions about the security threat landscape. The pundits tell us there's a cyberstorm on the horizon, our data will likely to be stolen from social networking sites, our smartphones will be under siege, and political activists will rally greater cyberforces to further their agendas.
Enterprises and government agencies appear to be taking this rising tide of security threats seriously, as the security threat trends are having a magnified effect on hiring. Until recently, there's always been a healthy pool of acceptable candidates to fill IT security-related job openings. This situation was fueled by low entry barriers for network and systems administrators to move into IT security; most skills could be self-taught and backed up by credible certifications. Since the mid-2000s these self-trained IT professionals simply added security to their title, which made them bona fide candidates for the wave of lucrative, new security jobs.
Now, interestingly enough, even though demand for information security expertise is spiking, that same candidate pool is finding it much harder to get hired, and recruiters are finding that a greater proportion of candidates they present are rejected. This can, in part, be explained by the surge in sales of security software and hardware products in the last five years as the threat landscape has evolved. Having made these investments, hiring managers are now being picky, rejecting security generalists, and seeking those that have experience with their particular security infrastructure, right down to vendor-specific products. The effect of this has been to significantly narrowed the eligible candidate pool for each job opening.
Enterprise CIOs and CSOs now seek multi-dimensional candidates who can focus on how to solve complex information security problems that lack clear solutions, and can translate technology risk into business risk. For most enterprises, budgets and on-staff expertise limit what can be done to improve their security posture. Prioritizing that spend and reducing the possibility of a catastrophic breach involves judgment, and getting it wrong could cost a company tens of millions of dollars in fines and lost revenue, as well as tarnishing their brand. As enterprise network perimeters continue to dissolve with the introduction of new, powerful mobile devices and other remote access technologies that create multiple points of vulnerability, modern-day security teams need to be more innovative than ever before.
In the past, certifications counted for a lot and could get an information security candidate an interview and often a "ground floor" position from which he or she could advance. Now nearly every qualified information security job applicant has a certification, and so it's each candidate’s individual experience that differentiates them, especially in hot product niches. With the introduction of new, more complex security products, there is an increasing demand for technical experts that have deep domain expertise with specific product categories, particularly SIEM and DLP. In addition to these skills, candidates that have a good grasp of application security can expect to see a premium for their expertise as enterprises create more of these security specialist jobs.
On the compliance side, the market for security analysts that have good analytical backgrounds and who understand compliance frameworks continues to be buoyant. The financial services sector remains the area of most demand, but with new regulations effecting health care and critical infrastructure, demand for experienced security analysts in these areas is increasing. With data breaches being reported at an ever-increasing pace, candidates that know how to comply with privacy regulations will also find themselves in demand.
Generally speaking, the best information security job candidates in 2012 are those that have mastered several areas of subject matter expertise, know how their work affects the bottom line and can build relationships with their internal customers. Looking at current resumes suggests an information security career path that involves more job-hopping in order to gain valuable experience in what has become a fast-moving market sector. This has not been an issue with employers to date, unlike other IT roles where job stability is sought after.
As for emerging skills, more enterprises are looking for infosec pros who are capable of securing mobile devices, while application security skills will continue to attract a lot of attention from employers in 2012. Employers in more rural locations will find it tough to attract the best talent compared to their metropolitan counterparts. Those companies may be better served outsourcing their security infrastructure to the growing number of managed security service providers who have the necessary skills to keep up with the security threat landscape.
About the author:
Peter Rendall is the managing partner of JobSmart Partner's IT Security & Information Assurance Practice, where he places IT security candidates throughout the United States. Peter has spent the last decade focused exclusively on the IT security sector building award-winning teams.