Companies' penchant for posting data to cloud-based services not surprisingly makes that one of the hottest targets for cyber criminals – and one of the biggest job opportunities for security professionals.
Add to the mix healthcare organizations scrambling to meet multiple federal mandates to digitize and share health records – including updated HIPAA (Health Insurance Portability and Accountability Act) privacy rules that went into effect earlier this month.
Recent breaches at Wells Fargo, Citigroup and PNC Financial Services highlight the need for security pros in financial services, and plenty of positions are available at Facebook, LinkedIn and media and e-commerce sites.
A Burning Glass report earlier this year found that demand for cyber security experts is growing at three-and-a-half times the pace of the overall IT job market and 12 times faster than the total labor market.
It’s no wonder tech players including HP, Apple, Google, Intel and Cisco Systems are making acquisitions to jump into the security market, which is expected to reach $94 billion in 2017, according to Gartner.
These days, though, security is part of every company’s business.
"Everyone’s operating on the idea that it’s not if you get breached, it’s when," said W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium (ISC2). "And when you get breached, what do you do?"
Cloud, Mobile and More
In the ISC2 2013 Global Workforce Survey, respondents pointed to the cloud as the biggest threat the industry faces. The proliferation of mobile devices – and the more than 1 million applications for them – wasn’t far behind.
Over the past year, the biggest gains in security job postings on IT job site Dice.com have been in security architecture and network security.
Meanwhile, beyond the electronic health record mandates, healthcare IT pros are working to secure myriad wireless medical devices – including devices implanted in patients such as insulin pumps, pacemakers and defibrillators.
The biggest staff shortages, the ISC2 survey respondents said, were for security analysts (chosen by 47 percent), a multifaceted role for evaluating and mitigating a company’s risk across systems; security engineering-planning and design (32 percent); and security auditors (31 percent).
Three factors stand in the way of adding security staff, they said: business conditions, executives not fully understanding the need and an inability to locate appropriate security talent.
Not Just Security Smarts
Companies are looking for security pros with multiple skills, according to Tipton and David Foote, CEO and cofounder of research firm Foote Partners. They want security pros who can do more than just vulnerability testing or penetration testing, Foote said.
"They’re looking for people who can translate technical risk into business risk," he said. That requires a deep knowledge of the business, as well as the technology, and the ability to help business leaders understand how one affects the other.
"They want people who are able to talk to customers, who can be ambassadors for the business as well as security," he said. "They want people who can write well, that can present. They want to send them to conferences."
This need for business savvy is especially true for chief information security officers (CISOs). For most companies, Foote said, this requires finding technical people, then training them to move from the tactical to more strategic roles.
Moving to strategic roles is key for IT pros who want to advance their careers, Foote said – yet so many aren’t really interested in moving into management where much of their job is fighting for resources.
Forensics and incident handling have been areas of huge growth, according to Tipton.
"People need to understand how the incident happened, where they were vulnerable and what do you learn from that?" he said. "Do you want to prosecute whoever attacked you? Can you definitively make a case against them? This has become a huge area."
They both cited secure software development as an area where demand is hot. And Tipton pointed to rising interest in certification to secure the SCADA systems that run our nation’s critical infrastructure.
Security Pay on the Rise
Employers are paying a premium for certain security skills.
In its third-quarter IT Skills Demand & Pay Trends Report, Foote Partners listed risk assessment/analysis along with security architecture and modeling among the noncertified skills drawing the highest premiums – and it predicted those bonuses would increase.
While the premium value of IT certifications overall has been on a years-long decline, according to Foote, this quarter saw an uptick in the amount employers are willing to pay extra for them.
The report noted these certifications in particular are rising in value:
- GIAC Certified Incident Handler, up 22.2 percent in the past three months
- GIAC Certified Firewall Analyst, up 20 percent
- GIAC Certified Forensics Examiner, up 16.7 percent
- CWNP Certified Wireless Security Professional certification, up 16 percent
- GIAC Certified Intrusion Analyst, up 10 percent
- GIAC Certified Forensics Analyst, up 10 percent
- The Infosys Security Engineering Professional certification, known as the ISSEP/CISSP from ISC2, up 10 percent
Among the certifications drawing the highest premiums overall, though not necessarily showing a jump in value during the last quarter:
- GIAC Security Leadership
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager
- CyberSecurity Forensic Analyst
- Information Systems Security Architecture Professional (ISSAP-CISSP)
The only security certification falling more than 10 percent or more in value last quarter was the GIAC Certified Penetration Tester, which dropped by 33.3 percent.
Infosec: Not Just a Job
Security pros in North America make higher salaries than those in other parts of the world, according to the ISC2 survey. Across the more than 12,000 respondents, the average salary was $92,835. C-levels and officers reported the highest average annual salary at $106,151. Government-defense ($101,246) and healthcare ($98,037) are the highest-paying sectors.
And the jobs tend to be – ahem – secure. Only 3 percent of respondents reported an employer change due to layoff or termination.
Consulting firm Frost & Sullivan, which prepared the report for the ISC2, predicts double-digit, year-over-year percentage increases in security employment over the next five years. In 2013, it predicts the number of security pros will grow by 332,000 to 3.2 million.
In a survey of 500 cyber security pros across the United States and Puerto Rico by the public-private partnership Semper Secure, the average salary was $116,000 a year or approximately $55.77 an hour.
Those responding to the Semper Secure survey emphasized their desire to do important work for organizations with high ethical standards.
"For top talent, cyber security isn’t about just a job and a paycheck. It is about the hottest technology, deployed by honorable organizations, for a purpose that is inherently important," Jim Duffey, secretary of technology in the Office of the Governor of Virginia, said in a statement.
In that survey, 65 percent said they’ve had two or fewer employers during their careers. Tipton said that sort of tenure, however, is the exception these days.
"I’d be surprised if many security pros stay at a job more than five years. There’s just so much poaching going on," he said.
Susan Hall has been a journalist for more than 20 years at news outlets including the the Seattle Post-Intelligencer, Dallas Times Herald and MSNBC.com. She writes for IT Business Edge, Dice.com and FierceHealthIT.