Is information security mostly an IT concern or mostly a risk management concern? When (ISC)2 asked its membership - all certified information security professionals - this question recently, results were split right down the middle.
Some would argue this tells us the move to a risk management focus is taking its time. I would suggest that the changes affecting our profession are not so straightforward. Appreciation for information security has matured greatly over the past 20 or so years, creating a situation where there is growing demand for both risk-based and IT-focused roles. Whether one currently sits within the IT department, a dedicated security department or somewhere else in the organisation, there is solid opportunity to forge a career in information security - as long as one develops the current skill set relevant to each area.
By and large, linear careers have been relegated to the past, with targeted lateral moves providing the opportunities to develop and perhaps eventually settle into a specialist or leadership role. Our research demonstrates this: fewer than 50% of the profession stay with their employer for more than five years.
The career development moves people choose should be led by an understanding of how responsibilities are moving across the organisation. The trend to centralise responsibility within a dedicated security department is reversing fast. Business units that recognise security as essential to their initiatives are seeking to manage this more effectively with business-focused security professionals that sit within their departments.
Operational responsibilities, such as patch management and network security, are moving back into IT. Demand for traditional infrastructure security is declining; however, there is a growing emphasis on the application layer and on security architecture, creating new IT development roles. Despite this devolution, the dedicated security department itself continues to rise in stature, with a focus on risk management and governance, consultancy and strategic development.
There are also several types of organisation employing security professionals today, each looking for its own skill set. Generally, attention is focused on end-user organisations and their requirements, and more and more industries are prioritising security. Then there are the ever-expanding suppliers serving those end-users, employing specialists relevant to their field and product set.
Consultancy opportunities - both external and internal - are also developing as end-user organisations come to appreciate their disparate requirements, covering new areas such as security awareness and risk management as well as the more established offerings of penetration testing, forensics, code inspection, security architecture and analysis, and the like. And finally, IT outsourcers and systems integrators must have security integrated into their offering, demonstrating competency in risk and security management, IT operations and IT development.
Overall, demand for security professionals has remained strong through the global economic crisis. In EMEA, nearly 50% of the professionals participating in our second career impact survey tracking the crisis received salary increases, and more than 55% were recruiting in 2009. Unfortunately, 90% of those hiring managers said they were challenged to find the right people for their roles.
In my opinion, all professionals today are advised to assess the skills they have against the opportunities that are developing. There is a core set of common skills - knowledge of the fundamentals, communication skills, project management and the like - but attention must also be paid to the context of the developing roles: deep technical skills for IT development roles, or stronger interpersonal skills for consultancy and pre-sales roles. Demonstrating relevance, as well as security competency, has become a core requirement for those taking advantage of the opportunities.
- John Colley is managing director EMEA, (ISC)2. He will be presenting at Infosecurity Europe 2010 on Tuesday 27 April, speaking on current choices: the skills needed for today's infosecurity market, in the Business Strategy Theatre at 2.40pm, and participating in the keynote panel on professionalism from 3.45pm.