2009 will be remembered for a paradigm shift in the information security employment market. For the first time in our industry's history, information security professionals were forced to confront the broader effects of a deteriorating global economy, largely in the form of layoffs, salary cuts and freezes and fewer new opportunities. To blame were external business factors that included corporate bankruptcies, a reduction of venture capital investments, a decrease in corporate information security investments and an increased reliance on outsourcing and automation.
The events of 2009 should serve as a wake-up call to information security professionals everywhere. Information security has matured and become quite a popular career choice. Where in the past, security practitioners could demand additional compensation and training, many are now simply happy to have stable employment. With 2010 just around the corner and the prospect of continuing economic uncertainty, it should be clear to all information security professionals that the need to continually develop and improve skills while demonstrating value to their employer has never been greater.
The business world of 2010 will become increasingly competitive. As the economy will likely continue to struggle, business leaders will prioritize the protection of a company's brand, customer data and intellectual property. At the same time, corporate belt-tightening will force companies to face the challenge of protecting these assets with less dedicated information security staff and fewer budget dollars. A company's information security program will be closely examined, and infosec professionals will need to become more efficient and productive in their daily work activities.
This may seem like a daunting challenge, but in reality, it represents an opportunity for information security practitioners to make their mark. For the longest time, many in the profession have always claimed they have not been provided with the same level of importance and influence as other members of their organizations' information technology or audit groups. However, 2010 will be the opportunity for security professionals to gain the visibility to the business leaders by creating efficient information security policies and practices that have a positive effect on the business and its bottom line.
As we focus on doing more with less, information security professionals must focus on their prioritization skills and show their ability to think strategically and creatively to come up with ways to solve problems "on the cheap." The more information security professionals can show that they are enhancing protection while saving budget, the better they will be looked upon within their organization. Instead of over-spending on new products, 2010 will be the year to find innovative and interesting ways to solve the organization's security challenges with as little budgetary spending as possible.
The increased level of visibility will also make it more obvious how successful an information security leader is at performing his or her job. In instances where the information security program performs well, the leaders will likely be rewarded with more authority, greater responsibility, and more internal respect from their business peers. Information security professionals who show that they understand the company's priorities will earn a "seat at the table" with other business leaders.
This level of scrutiny comes with drawbacks as well. In organizations where the information security program is ineffective, changes in leadership will occur. For those unable to show that they are making progress in the information security program without over-spending, the additional business scrutiny on cost centers like security will provide ample opportunity for the organization to realize a need for regime change. And this doesn't usually just affect the leaders at the top of the security organization; an ineffective security program can taint the internal reputation of team members throughout the enterprise. That's why information security professionals at all levels of an organization have a vested interest in being seen as effective and efficient.
In the event that the organization is unsuccessful and leadership changes, however, this type of transition can create an additional opportunity for information security professionals who have been yearning for the opportunity to lead an information security program and see if they can succeed in that capacity. If you were a member of the previous failed organization, keep in mind that an opportunity may be a limited one; executives may allow less time and exhibit less patience when measuring improvement.
As we look back on 2009, and look forward to 2010, information security professionals should feel a sense of optimism. Compared to other IT industries, the infosec profession is quite healthy and information security skills remain desirable. If 2009 taught us anything, it showed us that we are not a special part of the organization in the same way that we were a few years ago. Security is as vulnerable to economic downturns as the rest of the cost-centers within the IT organization.
Last year has also demonstrated the importance of remaining current on information security topics that encompass both technology and business so that security pros are able to provide innovation and creative solutions to business problems as technology evolves. Going forward, the information security profession will remain popular, and competition for information security leadership positions will increase. It will be up to each infosec professional to work on developing his or her skills and build the necessary experience so that he or she will remain competitive in the marketplace of the future.