Where the Jobs Are: 201110 Information Security Growth Areas for the New Year
Academic institutions such as Carnegie Mellon, Purdue and Norwich University have reached 100% job placements for recent graduates, and there is still a growing demand for cybersecurity professionals not just in government, but in all industry sectors, including healthcare and financial services.
As organizations increasingly focus on protecting critical infrastructure and meeting regulatory requirements, they create a heightened need for qualified information security professionals.
"There is not a single job position within security that is not in demand today," says Tom Sliver, senior vice-president, North America for Dice.com.
Based on his job board's analysis, Sliver has seen a 69% increase in information security jobs compared to last year. High growth areas include network security, application security, forensics and security engineer positions.
Sliver sees an overwhelming demand for application and security architects, as well as software developer jobs, which are 80% higher than last year. "High growth is seen in the identity management, secure products and access control areas as a means to manage new threats and risks," he says.
Also, on the radar for hot jobs are risk management, business continuity and business understanding of security that continue to speak to the evolving needs of the profession, says Mark Lobel, senior partner with PricewaterhouseCoopers and a member of ISACA's security management committee.
"These areas will be critical for security, as it attempts to create value and support the bottom line revenue in organizations."
Top 10 Growth Areas for 2011
Editor's Note: Salary ranges for the following positions are derived from sources that include Robert Half Technology's salary guide for 2011, as well as job sites Indeed.com and Simplyhired.com.
- Business Continuity: Based on the 2011 Global State of Information Security Survey conducted by PricewaterhouseCoopers, business continuity is one of the major factors driving information security spending. The study says that close to 63% of respondents have a business continuity plan in place, but only a marginal percentage of these plans are deemed effective. "What we will see is increased adoption and deployment of a business continuity management program in 2011, as organizations focus on making these effective," Lobel says.
The emergence of increased threats such as pandemic outbreak, recession, power outages, terrorism and cyber fraud have pushed the need for qualified business continuity professionals in today's marketplace.
Jobs for business continuity professionals within banking and government will focus on candidates with extensive risk assessment and analysis skills, who can identify potential impacts that threaten an organization and implement an effective enterprise framework.
Within healthcare, jobs will focus on those professionals who can address the backup and recovery of electronically protected health information (EPHI) and critical business processes, as well as engage in an organizational wide business continuity planning.
These individuals will need to be proficient in risk monitoring, measuring and mitigating skills. "The check list approach will completely wear out, as tackling of new risks will emerge as a necessity," Lobel says.
Salary range for a business continuity analyst is $74,500-$106,000.
- Business Opportunities: A recent IBM Tech Trends study, which surveyed 2,000 IT professionals including IT security architects, network administrators and application developers across 87 countries, confirms the need for IT security professionals to better understand how business works. A key finding of the study is that nine out of 10 IT professionals believe industry-specific business knowledge is critical even in their technical roles, yet only 63 percent indicate they possess the business knowledge they needed to remain competitive.
"Security is all about business understanding and value," says David Foote, chief executive officer at Foote Partners, a Florida-based consultancy that tracks IT skills and competencies. It is crucial for security practitioners to understand basic business concepts such as shareholder value, profit margins, cash flow and supplier diversity, says Foote. "This goes a long way in getting a seat at the executive table."
Companies therefore, are increasingly focusing on soft skills, including presentation abilities, strategic thinking and project management know-how, and they are bringing on board individuals who can make the connections among security, IT risk and business, says John Reed, executive director of Robert Half Technology.
"Understanding business requirements has become mandatory for integrated security initiatives to succeed at any organization," Reed says.
Also, there are new and emerging corporate and business-line security jobs in areas of business analysis, intelligence, risk management, governance and integration activities. "The future will demand practitioners to understand their business, how it's governed and its impact within their industry," Foote says.
Average salary for a business security manager is $82,000.
- Risk Management: According to the ISC2 2010 Career Impact Survey, which polled almost 3,000 respondents from 80 countries, there is a high demand for professionals with risk management expertise. About 47% of hiring managers from various sectors worldwide say they are seeking recruits who are well-versed in information risk management. "All of a sudden people are realizing that managing IT security is all about risk," says Hord Tipton, executive director at ISC2.
"Organizations are now looking for individuals who can successfully implement security to take risks out of the business."
A key trend seen by industry experts is a move toward enterprise risk management by organizations specifically within banking and government, as they prepare for unmanaged risk. The ERM programs generally provide for a consolidated view of emerging risks and a framework that focuses on the organization's overall business goals and objectives, the amount of risk the organization can tolerate and what fits within its culture.
In the coming year, organizations will focus on building more coordinated and robust risk models, requiring professionals to be proficient in integrated risk analysis and assessment to determine where to concentrate resources -- where can they afford to take risks and generate the most value and selectively de-prioritize those areas that do not contribute?
The jobs for risk professionals within healthcare will focus on understanding IT risk related to patient's right, says Tipton. More organizations will adopt effective risk identification/prevention techniques and methodologies in reducing adverse outcomes and incidents related to medical-malpractice and disclosure of patient's sensitive information. Also, these professionals will be actively involved as organizations transition to electronic health records. It will therefore, be critical for risk professionals to understand compliance requirements such as The Health Insurance Portability and Accountability Act and privacy breach laws.
Average salary for an IT risk manager is $90,000.
- Cloud Computing: Based on the 2010 CIO survey by Gartner Executive Programs, which included responses from 1,586 chief information officers representing 41 countries and 27 industries, a key finding is a transition to collaborative and innovative solutions such as virtualization, cloud computing and Web 2.0 social computing.
"2011 will see a shift in business expectations from just focusing on cost-based efficiencies to achieving greater results based on enterprise and IT productivity," says Reed. This shift will create the need for new roles within information security that will increasingly specialize in managing, negotiating agreements and deliverables with cloud providers.
The cloud movement will further enhance focus on industry-specific, business-related processes and lead to more business, privacy, application, risk and security-savvy management professionals. Who can understand how to protect and classify data in the cloud? What encryption methodologies must be deployed? How does one handle privacy requirements and their impact on the company?
Cloud computing initiatives are high on the government's agenda, as agencies quickly transition to the secure cloud in an effort to increase cost efficiencies. "New jobs with specialized skills including Web 2.0 deployments, virtualization, server consolidation and configuration management will hit the market in 2011," says Tipton.
However, the current adoption of cloud computing at banks and healthcare organizations is lower, mainly because of security and privacy issues related to data protection in a cloud environment. But as cloud computing initiatives get refined and gain prominence, the years ahead will see a higher adoption rate.
Also, professionals with experience in service-oriented architecture, storage technologies, web services standards and open source technologies will find themselves very marketable in all sectors.
Average salary for cloud computing job positions is $102,000.
- Application Security:This has been a hot growth area in all industries because of increased focus on customer-facing technologies, use of mobile applications, transition to electronic health records and need for secure software and products.
In fact, even graduates in information security are finding themselves increasingly hired by online and tech firms such as Google, Apple and Yahoo for IT and security application roles. There has been a sudden spike in application security positions in the last two years, says Jennifer Burkett, director of Career Services & External Relations at Carnegie Mellon University. "We now see a significant percentage of our students filling these roles, requiring innovative thinking and knowledge of Android and mobile applications."
The ISC2 2010 Career Impact Survey indicates that about 42% of hiring managers will seek expertise in application and system developmental security.
As organizations realize that a high percentage of attacks and fraud are focused on the application layer, they are increasingly focused on implementing secure software development lifecycle, says Tipton.
Within the government, specific skills in application security such as Web 2.0 and SOA for Web services, enterprise resource planning, database skills including-SQL Server and IBM Db2, will be in demand. Specifically in banking, the focus areas include identity management, secure products and access control.
Within healthcare, application jobs will be more focused on understanding "how security attacks manifest themselves in the application and emphasize in analyzing the typical patterns and tracks to prevent breaches," says Tipton.
Overall, 2011 will see a growing demand for qualified security programmers, web application developers, software engineers and security architects.
Salary range for an application developer is $85,000-$117,500.
- Forensics: Digital forensics is growing in importance as companies work to comply with federal and state regulations affecting many industries, including banking and healthcare, that require organizations to be able to quantify how much customer information was exposed during the course of a breach. These investigations frequently require the application of digital forensics, such as to analyze the impact of malware.
Also, as cyber attacks increase and become more sophisticated, no organization is immune to targeted, persistent attacks, and therefore they need to prepare and invest in professionals to perform incident response and digital forensics activities to understand what happened, what was the damage and analyze the extent of the attack, says Rob Lee, director and IT forensics expert at Mandiant, a Washington-based information security software and services firm.
2011 will see an increase in jobs requiring forensics expertise for positions including information security crime investigator, forensics analyst, incident responder and litigation support specialists in all three sectors. "The on-demand skills will need professionals to specialize in firewalls, hacking or mobile devices," Lee says.
Average salary for a forensics professional is $81,000.
- Network Security: Of the 100 jobs that make Money magazine's and Payscale.com's list, network security is ranked number eight as one of the most desirable job positions, carrying a 10-year forecast growth of 27%.
"The ongoing cyber attacks and online crime are driving a huge need for experts who can proactively protect critical infrastructure," says Sliver. " We are seeing an increase in job postings for professionals who are offensively attacking malware for instance even before they hit the networks."
An increased demand for these professionals is coming from government agencies such as the National Security Agency, Central Intelligence Agency, Department of Homeland Security and the Defense Department, which are all seeking entry-to-mid level, qualified professionals to design, implement, maintain and troubleshoot their network/security infrastructure, servers and workstations. In addition, Burkett also sees an increase in scholarship funding by defense contractors like Boeing and Lockheed Martin, who are directly recruiting IT security graduates for these positions.
Within the healthcare sector, demand for network security practitioners is gradually increasing as organizations get aggressive in implementing IT security measures to secure their networks and maintain compliance with critical regulations such as HIPAA.
Average salary for a network security engineer is $75,000.
- Regulatory Compliance: Reed finds a big emphasis on compliance and regulatory requirements from employers while hiring IT security professionals specifically in the banking and healthcare sectors, which are so heavily regulated. He says that he often finds understanding of industry regulations including the Payment Card Industry Data Security Standard, The Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, as mandatory for positions dealing with data privacy, vendor management, as well as governance, risk and compliance activities.
"Compliance is driving the need for security and protection in these industries," he says, as new compliance emerges within mobile applications and technologies such as virtualization and cloud computing. Going forward, there will be a need for a new breed of security professionals "who can draw a balance between the reality of compliance requirements and the appropriate risk decisions they will participate in."
Average salary for a compliance officer is $77,000.
- Wireless Security: Managed wireless security services, including mobile wireless, is a hot area for 2011, says Foote. "We are seeing compound annual growth rate projections through 2014 as high as 27% for wireless segments within managed securities services." Looking at the wireless security market, Foote says, "It's a (US) $9 billion market in Europe, a $5.7 billion market in Asia-Pacific and between $4 and $5 billion in North America."
Within this area, Foote sees demand for professionals with specific skills including VOIP security, vulnerability scanning, threat assessment, incident management, data leak prevention, secure code development, intrusion detection and prevention and IP based services.
Salary range for a wireless network engineer is $74,750-$102,500.
- Security Leadership: is increasingly a business focus and demands leadership skills in 2011 that are centered toward achieving the strategic needs of an organization. "Leaders within security are moving from just battling incidents and regulations to becoming revenue orientated, with 'can do' attitudes," says Lobel. Their role is becoming more intertwined with high-level organizational risks, and in the more regulated and mature industries, the security leader is getting engaged in managing business processes residing on IT systems such as SAP or other ERP, and in addition is looking at IT risk beyond the conventional thinking around the Confidentiality, Integrity & Availability triad.
In 2011, leaders will need to drive change in their organizations and not simply respond to it," Lobel says. They will need to identify new technologies (cloud, mobile applications and social media) and how those technologies can increase or protect market share or revenues. For instance, if an organization is looking to migrate into the cloud rather than trying to stop the business from using new technology, leaders will need to have their plans in place before the business decides they need this migration.
Salary range for a chief security officer is $110,750-$165,750.