Information security will never go out of style. As long as
companies have computing infrastructure, security professionals
will be needed to ward off dangers.
"Businesses are looking for professionals that understand security fundamentals and are specialized in a particular area of technology such as Cisco or Microsoft or wireless security."
Ali Pabrai, advisory committee member, CompTIA Security+
But like all other IT careers, the market demands wax and wane
and the requirements change. Experts say spending on security will
continue to rise – and specialization, compliance knowledge and
documented work experience are in demand.
Compliance spending continues
Enterprises continue to pour money into compliance projects,
resulting in a need for more security pros, said Ali Pabrai, CEO of
ecfirst.com and a member of the advisory committee at CompTIA
Security+, the largest developer of vendor-neutral IT certification
exams.
"Financial, healthcare and government organizations are aligning
their security initiatives with compliance priorities," he
said.
Employers are looking for the right talent to specialize in a
particular area, Pabrai said. Finding that niche may be key to
landing the next big job.
"Businesses are looking for professionals that understand
security fundamentals and are specialized in a particular area of
technology, such as Cisco, Microsoft or wireless security," he
said.
While the initial "compliance binge" has slowed down,
professionals who are well-versed in remediation and audits are
still needed, said Ed Tittel, a freelance writer, trainer and
consultant based in the Austin, Texas area.
In addition to compliance skills, companies are looking for
professionals with dual talents in development and security, as
well as professionals with security clearances who can fulfill the
specialized needs of government agencies and defense contractors,
Tittel said.
Experts agree that security spending will continue to increase
in 2007, but at a slower pace than in previous years. Tittel
estimated that the industry would see a 12-15% growth in the coming
year; during the past several years, security spending has
increased at least 20% annually, he said.
VoIP, wireless security growth
New eras bring new risks. And as one might expect from the
skyrocketing numbers, handheld and wireless devices pose an
increasing threat to corporate security, said Neill Hopkins, vice
president of skills development for CompTIA.
According to a survey by Fierce-Wireless-Bluefire Wireless
Security, 87% of respondents had concerns about the security of
email access to corporate server accounts and remote access to
corporate networks, Hopkins said. Respondents also had concerns
about wireless security and loss or theft of mobile and wireless
devices.
Hopkins also warned that companies will be facing threats from
increased use of voice-over-Internet Protocol (VoIP) telephony and
related technologies that are delivered over converged
networks.
"In the IP-based communications environment, the system's
functionality resides on standard computing platforms, which are
vulnerable to the same types of attacks – viruses, worms, Trojan
horses – that plague the data environment," Hopkins said.
Companies adopting IP-based communications solutions should
thoroughly re-evaluate security practices and strategies to reduce
vulnerability, he said.
Certifications in demand
So what will best prepare would-be security pros for the demands of
2007?
According to Hopkins, the following certifications are most in
demand:
- Global Information Assurance Certification (GIAC)
organization's set of credentials
- Information Systems Audit and Control Association (ISACA)'s
Certified Information Systems Auditor (CISA) and the Certified
Information Security Manager (CISM)
- (ISC)²'s Systems Security Certified Practitioner (SSCP) and
Certified Information Systems Security Professional (CISSP)
certifications officer, chief security officer or senior security
engineer.
- Product vendor certifications such as Check Point, Cisco
Systems and Microsoft
But a certification isn't always enough to guarantee jobseekers
a paycheck.
For entry-level jobseekers, Tittel said that skills, knowledge
and experience can be more important than certification. He advises
network administrators and others hoping to enter the security
market to document security-related aspects of their jobs, such as
incidents handled, training delivered and audits undertaken, in
addition to pursuing certifications.
"Intermediate to advanced credentials like the mid-range SANS
certs, CISSP, CISM and so forth represent the first significant
stepping stones into a space where certification does register," he
said. "But you're wise to recognize that three to five years of
relevant, current information security job experience also factors
into this equation."
More and more, said Hopkins, employers are looking for
candidates who have degrees in IT, ideally focused on information
security, and proven on-the-job experience along with great
versatility and a broad skill set.
"Technical skills alone are no longer enough for most IT jobs,"
he said. "IT workers who understand how to use technology to meet
business goals, and who can articulate this understanding, are
golden in the eyes of employers."