Today's IT security professionals are expected to offer more than a school certificate

investigating [a breach].”

Security certifications are evolving to reflect this shift. “In the past when you were certified on a product, you knew how to use the IDS/IPS,” for example. “We’re moving more from certification on products to certification on job roles.”

That entails expertise in how to use the information gathered by security devices and systems, security experts say. “Now it’s a lot of architecture [knowledge], solutions, and best practices,” Bump says. “They also need security architects who deploy the solutions, design them, and look at the policies.”

2. Compliance know-how. Security pros are expected to know their employers’ regulatory environments, too, whether it’s PCI DSS or HIPAA. “Governance and regulatory positions have a big match, as well,” Kushner says. He says he’s seeing more jobs looking for expertise in the Health Information Trust Alliance (HITRUST) framework for the secure exchange or storage of personal health and financial information.

Another growing area is assessing the risk of third-party partnerships, he says. “Assessing the risk of third parties falls into governance, compliance, and risk…the job orders we receive seem to be a mix of all of that.”

That means knowing which security gear the organization needs and where it should go based on HIPAA requirements, for example. “That’s a dynamic change” in security jobs, notes Cisco’s Bump.

3. Risk management. In a recent survey by Cisco of Cisco Certified Internetwork Experts (CCIEs) around the world, more than 60 percent said security and risk management will be the most in-demand skills during the next five years.

There are now more types of security jobs for more types of people, too, Fred Kost, director of marketing for security solutions at Cisco, says. “If I have you monitoring a console looking for events, that’s one skill set. If you’re assessing business risk or [handling] compliance and auditing, that’s another skill set. This creates more opportunities for security pros today than in the past when the security guy wore a black t-shirt, long hair, and sat in front of a screen.”

4. Business acumen. Many of today’s IT security jobs are going beyond the technical and demand an understanding of how the business works, plus how security can support it as well as protect it. When two banks merge, for example, the security pro needs to be able to understand the business requirements for the integrated operation and then select the right technologies to achieve those. These candidates have strong technical backgrounds, but can also translate the technology into business needs, Cisco’s Bump says. “They have a lot of experience in big-picture solutions,” he says.

5. Government security clearance. The federal government, namely the DHS and DoD, is heavily recruiting new IT security talent. The Catch-22, though, is that many of these jobs require the candidate to have a security clearance check, which can take six months or more to complete. If the timing is right, it means more money: IT security pros with security clearances earn 20 percent more than those without, according to ClearanceJobs.com’s data.

IT security is the No. 1 growth industry in the government and government contractor sectors, says ClearanceJobs.com’s Lesser. “The next world war is not going to start with boots on the ground — it’s going to start over the Internet, with misinformation [campaigns], denial-of-service, or shutting down systems,” he says.

Lesser says DoD Directive 8570 requires that by the end of 2011, anyone working for a federal contractor or federal agency with privileged access will have to have special security training — something to keep in mind when perusing government job openings.

6. Leadership experience. Higgins writes that an oft-ignored skill in information security is leadership, but Kushner says this is the No. 1 qualification he would recommend. “This will separate you from the others,” he says.

Experience here could be in leading a team or project or a professional organization, for example. “Taking a leadership role shows you’re not afraid of challenges,” he says. “Even if you fail, you walk away with the experience.”