Collateral damage from the economic recession, which took root in December 2007 and now has us all by the throat, has killed IT security jobs and careers and depressed compensation, right? Not exactly.
Take a look at security compensation trends for instance. Premium pay earned by IT professionals specifically for their security certifications has consistently countertrended declines in nearly all other IT areas since the recession’s inception. That is according to the IT Skills and Certifications Pay Index™ (ITSCPI), the longest-running and most comprehensive survey of skills and certifications pay and demand. Results were compiled from 88,200 IT professionals in more than 1,900 North American employers.
While overall pay premiums for 190 IT certifications surveyed in the ITSCPI declined an average of 6.5 percent in value from the recession’s inception to July 2009, pay for security certifications increased by 2.4 percent (figure 1). Even during the most turbulent months, from October 2008 to July 2009, pay for security certifications rose 1.3 percent on average, with IT certifications overall declining 2.8 percent. Leading the charge are certifications from Cisco, CheckPoint, CWNP, EC-Council, ISACA, (ISC)2 and SANS Institute directed at security architecture, forensic analysis, incident handling and analysis, ethical hacking, network security, auditing, secure software development, and security management (figure 2).
Then there’s IT spending behavior. A 2009 survey of chief information officers commissioned by a major staffing firm revealed that information security topped the list of projects executives expect their employers to invest in during the year.[1] Another survey, this one by a top IT industry publication involving 200 IT executives, found budget increases of between 7 and 8 percent over 2008 spending for intrusion prevention and detection systems, network access control, and identity management systems.
Not bad. But it is not all good news for security practitioners. Just last year, analysts were painting a rosy picture for security spending even with the sagging economy. Despite analyst reports late in 2008 citing 8 to 25 percent growth, overall security budgets and spending in the US have since flattened out.
In fact, worldwide IT spending is down a whopping 6 to 11 percent from last year (depending on who you listen to), bad news for security organizations if it were not for one interesting development: the portion allocated to security has grown. Analyst firm Forrester Research insists security-related spending now represents 12.6 percent of total IT operational spending, up from 11.7 percent in 2008 and 7.2 percent in 2007.[2]
So with head counts shrinking and the number of security incidents rising, there is no doubt that organizations, even as they tighten their belts, are planning how and where to spend security monies that so far have proven comparatively shrink-resistant.
Foote Partners’ analysts expect that organizations in 2009 will spend about what they spent on security last year. Continued investment in security skills and people is very much a part of their strategies. They are limiting expenditures to areas that are necessary to keep them whole, focusing first on security that meets compliance demands, in particular data protection. Anything they deem discretionary has generally been deferred for the duration of the year.
Larger enterprises pressed to reduce labor costs have so far spared the security staff from large-scale reductions. According to Foote Partners’ latest workforce surveys, IT security head count across employers of all sizes is down only 0.5 percent from last year. In a recent SANS Institute survey, 79 percent of respondents saw no cuts to their security staffing levels through the end of November 2009. Foote Partners sees moderate investments continuing this year for acquiring a variety of targeted security skills and labor, but also aimed heavily at retaining hot in-house skills and the top IT security workers. Unlike what is happening in many other areas of the workforce, this is no time to be messing around with security bench strength.
Best Bets for Security Pros
The ideal way to pinpoint opportunities for IT security professionals is to track spending and budget behaviors, but also to closely monitor skills pay trends, which are more dynamic and informative indicators of labor market behavior than salaries and headcount. Combining this analysis with field interviewing reveals not only hot jobs and skills areas, but also variations by industry, geography and enterprise size.
Demand for content security gateways, which grew 25 percent in 2008, has remained strong in 2009. Organizations are continuing to spend money on network security appliances (primarily from Cisco, Juniper and CheckPoint), following an 8 percent spending increase last year.
Another area growing in this economy is selective security cloud services such as e-mail security, web content filtering, authentication and network firewall monitoring. As small and medium-sized businesses (SMBs) have been forced to pare down their security staffs, they are purchasing more security services in the so-called “cloud.” These services might appeal to SMBs trying to save money, but across organizations of all sizes demand in 2009 for managed security services has been tepid with the possible exception of vulnerability assessments.
So what is hot? Along with governance/compliance skills (particularly related to Sarbanes-Oxley financial privacy regulations), other premium skills in high demand include forensics, identity and access management, threat/vulnerability management, intrusion detection and prevention systems, penetration testing, disk- and file-level encryption, data leak prevention, and litigation support (e.g., e-discovery).
Data security is ranked as the highest security priority in Foote Partners’ executive interviews, in particular among the roughly half of all chief information security officers (CISOs) who report to the chief executive officer (CEO)/president or to an executive committee and are most actively engaged in business risk management and business asset protection. This is for good reason, considering the rise in high-volume thefts of credit card information, Social Security numbers, and personal data; the rising cost of information breaches; and damage to company brands and reputations as more breaches are triggering state breach disclosure laws. This represents a huge opportunity for career advancement given the sizable shift in IT security strategies in recent years, from perimeter threat defense to protecting organizational data assets from internal threats. Accelerating the trend has been the increase in sabotage reports linked to workforce reductions and in disgruntled workers.
In the healthcare industry, demand for electronic medical record (EMR) systems is set to explode as attention has turned toward government-mandated patient information management. Addressing software security, system integration and compliance issues will be top security challenges in this space, with demand accelerating for professionals skilled in application security, access control, data integrity and data loss prevention.
Another hot area is secure software development and web application security. For example, employers are in hot pursuit of C, C++, Java and .NET developers who can demonstrate solid expertise in cross-site scripting (XSS), Structured Query Language (SQL) injection, code injection, cookie injection, Lightweight Directory Access Protocol (LDAP) injection, application firewall bypass, cross-site request forgery, buffer overflow, single sign-on (SSO) flaws and similar areas.
The explosion in virtual storage, servers, desktops and applications has thrust the security organization into the center of a debate about whether traditional physical computing environment security standards and practices are sufficient for protecting virtual environments. Companies are increasingly concluding that they are not, which is providing ample opportunities for security professionals to apply new tools and solutions to provisioning virtual machines, securing intra-virtual-machine network traffic, guarding against information leakage and dozens of other virtualization platform security functions. What is the scale of this opportunity? Gartner estimates that 611 million virtualized PCs will exist worldwide by 2011, up from less than 5 million in 2007.[3]
Demand for governance, risk, compliance and audit (GRCA) professionals is growing. Companies are adopting GRCA tools and searching for qualified security professionals to lead efforts to identify risks and ensure compliance with external requirements, internal policies and business processes.
Finally, buyers of security products and services have long been asking vendors to help them “bake” security into everyday IT operations to reduce the portion of the security budget regarded as separate or discretionary line items. In the long run, this trend will help provide the security workforce with more insulation against economic threats to their livelihood and build more confidence in skills acquisition and career development.
The Big Picture
Well into one of the worst economies ever, it is becoming clear that, unlike the last recession, urgent demand for niche talent in IT has eclipsed broad, knee-jerk reactions to reducing budgets and cutting people, projects and purchases. Executives and managers are acting more strategically, not simply reacting to the short-term pressures to cut costs. To ensure their place in the post-recession enterprise, they are listening, building bridges to the business, and being as flexible and agile as possible.
Investing in security skills and labor is the smartest thing they can do to make it through the bad times as stronger, undiminished enterprises. Driven by compliance directives and concerns about escalating security threats, both internal and external, employers are realizing they cannot afford to lose key people or be caught short when skills requirements are clearly delineated and outsourcing is not an attractive option. Keeping critical security workers challenged and paid appropriately—in effect, removing two of the most common reasons why people leave their employers—results in one less problem to worry about.
[1] Robert Half Technology, “Top 10 Tech Investments,” news release, 13 April 2009, www.roberthalftechnology.com/PressRoom?pressRelease_5.request_type=RenderPressRelease&pressRelease_5.releaseId=2458
[2] Brenner, Bill; “IT Security Spending Up for Some,” CSOonline, 7 January 2009, www.csoonline.com/article/474390/IT_Security_Spending_Up_For_Some
[3] Gartner, “Gartner Says Virtualization Will Be the Highest-Impact Trend in Infrastructure and Operations Market Through 2012,” news release, 2 April 2008, www.gartner.com/it/page.jsp?id=638207
is cofounder, CEO and chief research officer of Foote Partners LLC, an independent IT workforce research and advisory firm that serves more than 1,400 clients on five continents. The firm’s IT Skills and Certifications Pay Index™ is the oldest and most comprehensive continuously updated survey of pay and market demand for IT skills. He can be contacted at firstname.lastname@example.org.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.