Problem solve Get help with specific problems with your technologies, process and projects.

Entering 2010: The economy and the state of information security

The year 2009 will be remembered as a paradigm-shift in the information security employment market, say career experts Lee Kushner and Mike Murray. See why they predict an even more competitive environment in 2010.

2009 will be remembered for a paradigm shift in the information security employment market. For the first time in our industry's history, information security professionals were forced to confront the broader effects of a deteriorating global economy, largely in the form of layoffs, salary cuts and freezes and fewer new opportunities. To blame were external business factors that included corporate bankruptcies, a reduction of venture capital investments, a decrease in corporate information security investments and an increased reliance on outsourcing and automation.

The events of 2009 should serve as a wake-up call to information security professionals everywhere. Information security has matured and become quite a popular career choice. Where in the past, security practitioners could demand additional compensation and training, many are now simply happy to have stable employment. With 2010 just around the corner and the prospect of continuing economic uncertainty, it should be clear to all information security professionals that the need to continually develop and improve skills while demonstrating value to their employer has never been greater.

More from Lee and Mike

Want more advice on how to get the infosec job you're looking for?

Read all of Lee Kushner and Mike Murray's Information Security Career Advisor tips at
The state of information security in 2010
The business world of 2010 will become increasingly competitive. As the economy will likely continue to struggle, business leaders will prioritize the protection of a company's brand, customer data and intellectual property. At the same time, corporate belt-tightening will force companies to face the challenge of protecting these assets with less dedicated information security staff and fewer budget dollars. A company's information security program will be closely examined, and infosec professionals will need to become more efficient and productive in their daily work activities.

This may seem like a daunting challenge, but in reality, it represents an opportunity for information security practitioners to make their mark. For the longest time, many in the profession have always claimed they have not been provided with the same level of importance and influence as other members of their organizations' information technology or audit groups. However, 2010 will be the opportunity for security professionals to gain the visibility to the business leaders by creating efficient information security policies and practices that have a positive effect on the business and its bottom line.

As we focus on doing more with less, information security professionals must focus on their prioritization skills and show their ability to think strategically and creatively to come up with ways to solve problems "on the cheap." The more information security professionals can show that they are enhancing protection while saving budget, the better they will be looked upon within their organization. Instead of over-spending on new products, 2010 will be the year to find innovative and interesting ways to solve the organization's security challenges with as little budgetary spending as possible.

The increased level of visibility will also make it more obvious how successful an information security leader is at performing his or her job. In instances where the information security program performs well, the leaders will likely be rewarded with more authority, greater responsibility, and more internal respect from their business peers. Information security professionals who show that they understand the company's priorities will earn a "seat at the table" with other business leaders.

This level of scrutiny comes with drawbacks as well. In organizations where the information security program is ineffective, changes in leadership will occur. For those unable to show that they are making progress in the information security program without over-spending, the additional business scrutiny on cost centers like security will provide ample opportunity for the organization to realize a need for regime change. And this doesn't usually just affect the leaders at the top of the security organization; an ineffective security program can taint the internal reputation of team members throughout the enterprise. That's why information security professionals at all levels of an organization have a vested interest in being seen as effective and efficient.

In the event that the organization is unsuccessful and leadership changes, however, this type of transition can create an additional opportunity for information security professionals who have been yearning for the opportunity to lead an information security program and see if they can succeed in that capacity. If you were a member of the previous failed organization, keep in mind that an opportunity may be a limited one; executives may allow less time and exhibit less patience when measuring improvement.

About the authors

The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics.

Their blog can be found at

Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.

Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.
If economic conditions begin to improve as the year progresses, companies will add resources and personnel to help address information security concerns. Any such hiring will be cautious and will be based on addressing pressing information security needs that link to broader business initiatives. These will include regulatory compliance, cloud computing initiatives, data loss prevention and securing both internal and external facing applications. In addition, depending on the federal government's policies, there may also be an emphasis in areas that include the security of electronic medical records, and even the nation's critical infrastructure.

As we look back on 2009, and look forward to 2010, information security professionals should feel a sense of optimism. Compared to other IT industries, the infosec profession is quite healthy and information security skills remain desirable. If 2009 taught us anything, it showed us that we are not a special part of the organization in the same way that we were a few years ago. Security is as vulnerable to economic downturns as the rest of the cost-centers within the IT organization.

Last year has also demonstrated the importance of remaining current on information security topics that encompass both technology and business so that security pros are able to provide innovation and creative solutions to business problems as technology evolves. Going forward, the information security profession will remain popular, and competition for information security leadership positions will increase. It will be up to each infosec professional to work on developing his or her skills and build the necessary experience so that he or she will remain competitive in the marketplace of the future.

This was last published in December 2009

Dig Deeper on Information security certifications, training and jobs

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.