Today's IT security professionals are expected to offer more than a school certificate

Published 18 May 2010

Demand for IT security specialists in both the private sector and government grows steadily; IT security is the No. 1 growth industry in the government and government contractor sectors; employers, however, no longer see IT security certification as a sufficient qualification, and are looking for a broader set of skills

The IT security job market is booming — but this does not mean everyone is automatically getting a job, or the right job. Just as the threat landscape is rapidly evolving, so are the qualifications and qualities needed for positions in the security profession.

Kelly Jackson Higgins writes in DarkReading that there is a tension between supply and demand: Employers are looking for security candidates who can fill a specific need, such as incident response or risk management, while security pros on the job hunt want to build on their existing skills and advance their careers. “But employers don’t want to hire someone to get experience on their dime,” Lee Kushner, president of L.J. Kushner and Associates, an IT security recruitment firm, told Higgins.

In general, there are more qualified people than jobs. And in specific terms, there are fewer qualified candidates for the jobs people are hiring for,” says Kushner, who also co-founded

Getting the right person for the job is as difficult as getting the right job. According to a report by Booz Allen Hamilton last year, only 40 percent of government managers say they are satisfied with the quality of applicants they are seeing for federal IT security jobs, and only 30 percent are happy with the number of applicants.

Employers are looking for security pros who specialize in specific security disciplines. The days of the Certified Information Systems Security Professional (CISSP) certification guaranteeing employment are over, security career experts say. Security jobs are becoming more specialized, so a general cert does not carry the same weight it once did. “CISSP used to be a must-have. Now it’s more of a ‘nice-to-have,’” says David Bump, portfolio manager for security certifications for Cisco Systems’ Learning@Cisco program.

So what do employers in the federal and private sectors want in a security pro today? Higgins writes that the most in-demand qualifications basically mirror the types of attacks, breaches, and threats these organizations face today, as well as the regulations that help dictate their defenses: These organizations are looking for experience in incident-handling and response, compliance, risk management, business-side acumen, security clearance for sensitive government work, and leadership.

Higgins writes that the six qualifications employers look for in IT personnel are;


1. Incident-handling/response. “The incident responders and handlers are the guys on the front lines,” Cisco’s David Bump says. “And their attention to detail is heightened…there should be a lot of documentation and sharing with other groups