Today's IT security jobs market is rather like the IT jobs scene 30 years ago. On the plus side there is big demand, so the pay is good. But there is the old IT vicious circle of no experience means no job, and the challenge of trying to justify spending to senior management.
Research group IDC puts growth in the number of IT security jobs at 13.7% a year to 2008, compared with just 5% to 8% in IT as a whole. IDC's figures are in its latest annual study for the International Information Systems Security Certification Consortium, (ISC)2.
"We are now at take-off point in IT security jobs," said John Colley, chairman of (ISC)2 and chief information security officer at a UK financial services company. "Networking and the internet are naturally key reasons, and it looks like we are going to see big growth in the number of jobs over the next couple of years." His own department has nearly 70 IT security specialists.
Trevor Martin, principal consultant and security specialist at IT services group Parity, has also experienced growing demand. "I am on a government adviser scheme for security, and I get more than 20 e-mails a week from organisations looking for qualified consultants," he said.
However, the demand is for experienced staff. Senior people recall how 25 years ago, before distributed computing took hold and when the web was not even a distant dream, they drifted into security from mainstream IT and met in small groups trying to work out what they were supposed to be doing. Nowadays they have titles such as chief information security officer and a string of qualifications. But how do you get to this point?
"Any work with an exposure to security, such as in applications or networks, is a good start," said Martin. "I started in network design, which included acquiring an understanding of security, and that set me on a track to developing a career in this field."
This approach is supported by Dave Pye, managing director of jobs agency Spring Technology. He said this route can work for people already working in IT, especially in an organisation without a huge IT department. However, Colley warned that big organisations will certainly want considerable experience.
"Big companies typically want four or five years' experience," he said. "I have found that complete newcomers can be productive in 12 to 18 months, but they will need supervising. It will be three years before you can rely on their judgement without having to check it."
People who make the sideways move from IT through, for example, network engineering will find themselves competing increasingly against qualified job candidates if they want to progress. IDC said 62% of security specialists would be seeking qualifications in the next year, and 73% said their employers demand them.
Colley said qualifications are certainly needed to get on, and pointed out that people are now specialising in IT security in their first or masters university degree courses. "I moved into security from IT, and like many others had security as a second career, but now a new generation is coming up who have security as their first career choice."
Colley also mentioned fast growing take-up of demanding qualifications from the likes of (ISC)2 and the Sans Institute. The number of people holding the (ISC)2 certified information systems security professional (CISSP) qualification has grown from 3,000 to 35,000 worldwide in four years.
Martin suggested the information security management course from the British Computer Society's Information Systems Examinations Board as a good introduction. He said knowledge of standards such as the Cramm risk analysis method and the British Standards Institution's BS 7799 and ISO 17799 security code of practice was typically needed in government work.
This was supported by the IDC research: ISO 17799 was mentioned by 54% of security specialists as their training priority.
Security product suppliers' certificates are also looked for if employers want specialised knowledge. "Eight years ago you would take on people on the basis of their CV and experience, but now employers are looking for qualifications to back up that experience," Colley said.
Colley said smaller companies look for general security skills and perhaps buy in specialist knowledge, but larger organisations want specialists. There are many career options here, with specialties ranging from firewalls to Unix security, Windows security, penetration testing, disaster recovery and computer forensics.
Once people have specialised, it is vital that they keep their knowledge up to date, said Colley. He pointed out that people holding the CISSP have to commit to an average of 40 hours of professional development a year.
He added, "Many areas are highly skilled, and if you switch to something else for a year you have to learn the latest techniques when you return. Penetration testing, for example, is a lot about vulnerabilities, and these change all the time, so you have to be on top of what is current."
Pye said security specialists should ask prospective employers about training and continuing professional development. Such recognition could be a big issue in choosing an employer.
The IDC study found that 25% of respondents spent most of their time on internal politics, notably selling security to senior management, and 34% cited this as their second biggest job. About 30% said researching or implementing new technology, or both, took most of their time, and 31% said this was their second biggest activity.
The significance of IT security as a field in its own right was reflected in IDC's finding that only 28% of specialists reported to the IT department, 19% were in a security or information assurance department, and 28% reported to senior management or even the board.
The significance of this field - and the shortage of experienced people - was also reflected in the pay. IDC found 64% of security specialists earn between £30,000 and £75,000. Colley said someone with five years' experience could expect between £45,000 and £50,000, especially in London.
Martin said people with deep technical skills might get more than £60,000. Pye talked of £50,000 for four or five years' experience, and knows of some companies offering more than £100,000 for a head of security.
Colley pointed out the scarcity premium would disappear as more people get into security, but the levels of experience that employers look for suggests that it will be a few years before this happens.
As Pye put it, "Right now is the time to be in security."
What IT security specialists need
- Ideally a relevant degree
- Knowledge of network systems and security protocols
- Knowledge of security software products and implementing them
- Knowledge of best practices in developing security procedures and infrastructure
- Excellent oral, written and presentation skills
- Strong conceptual and analytical skills
- Ability to work as an effective team member
- Ability to manage several tasks simultaneously
- Ability to relate security concepts to a broad range of technical and non-technical staff