A long time friend and colleague of mine, Harry DeMaio, published a book in 1992 titled Information Protection and Other Unnatural Acts. At that time, information security was very much in its infancy. Most of us had entered the ‘IT Security’ profession as a result of some sort of career change, usually from an IT background, and mostly with a lot of management experience.
As a group we moved from being the techies in the corner to becoming highly regarded first-generation specialists writing the rule book on this new black art. Twenty years later I find myself at one of our (ISC)² education events listening to a keynote from barrister and author Stewart Room. He discusses how the political dynamic in the UK is resulting in a whole new legal framework for data security through amendments to the Criminal Justice & Immigration Act, Coroners & Justice Act, and the like.
| "One recruiter recently told me that in this economy, a candidate is more likely to be quizzed on their ability or experience with arguing for a new budget during a freeze rather than their technical competency" |
Our black art is becoming imbedded in mainstream concern, to become a part of almost everything we do in business and society. This gives us reason to be confident of continued opportunities, with our vibrant profession now employing more than two million people worldwide. Such growing appreciation, however, also gives us reason to consider the adjustments we should be making as we navigate our careers in this new world.
An evolving profession
Information security has evolved from being solely an IT concern to becoming a core management discipline, as more and more business processes are conducted online. This is being accelerated by a tough economy that is forcing businesses to rethink priorities, and embrace new ideas as cost-cutting initiatives very rapidly, altering the norms of how we do and therefore secure business. The adoption of cloud computing, for example, puts large demands on non-technical elements of the internal security manager’s skill set – to enable competent data management and defined accountabilities, leaving the specialist technical work to the provider.
"Information security has evolved from being solely an IT concern to becoming a core management discipline, as more and more business processes are conducted online" |
At the moment, most people within a dedicated security department must bridge the technology/business divide, even if their role is not specifically defined in this manner. They must develop as advisors, not necessarily as experts, and manage broad responsibilities in the areas of governance, policy, strategy, architecture and awareness. Many functions that have traditionally fallen within the IT department are becoming more and more of a commodity and are outsourced, along with broader operational functions.
Looking toward the future, I anticipate the inevitable development of security competency in the overall business, as well as in the security and IT departments. IT will be operational and advise on the security implications associated with new systems and services – business will operate with a better understanding of the risks they take in their every-day processes; and security will maintain its holistic view as the gatekeepers of overall strategy, policy and priority.
Filling the skills gaps
In the meantime, there are gaps in skills that exist today. At (ISC)², our ongoing effort to track the impact of the economic downturn on our profession tells us that hiring managers find it challenging to find candidates with the right skills. Over 90% of hiring managers responding to a survey taken in January of this year told us this, while 40% of the roles available are taking three months or longer to fill. This could at least partially explain why about half of the approximately 3000 respondents (600 from EMEA), received salary increases in 2009, while less than 5% lost their jobs. The average annual salaries for professionals with five years of experience and who considered themselves to be predominantly focused on security was over £46 000, according to the (ISC)² 2008 Global Workforce Study.
The areas of expertise being sought indicate that companies are taking a holistic, risk-based approach to their security. They include operations security; information risk management; security management practices; and ISO/IEC (Code of Practice for Information Security Management). Telecommunications and network security have also moved into the top five, knocking out the long-time priorities of access control systems and methodology.
Symantec’s 2010 State of Enterprise Security Report supports our observations, that despite having large security teams, the 2100 companies participating feel understaffed at a time when they are rolling out new cost-cutting initiatives that include infrastructure, platform or software as a service, along with server and endpoint virtualisation.
The report also correctly points out that the issues are not merely lost revenue or productivity but loss of customer trust, which speaks to the growing value we’re seeing for our services as a profession.
Technical skills, firm foundation
What does this mean for our security careers and the skills we should be developing? One recruiter recently told me that in this economy, a candidate is more likely to be quizzed on their ability or experience with arguing for a new budget during a freeze rather than their technical competency. The technical knowledge, however, should not be discounted. We’ve recently worked with the Information Security Forum (ISF) to conduct several focus group sessions across Europe on the subject of how to ‘recruit, retain, develop and motivate tomorrow’s information security staff and leaders’. Here it was generally accepted that business skills were lacking, but also that it would be more effective to teach a technically qualified individual the business skills rather than to instil the technical skills in a business professional.
| "The average annual salaries for professionals with five years of experience was over £46 000" |
Looking at the ISF/(ISC)² combined research – covering developments in both security roles and security profiles within organisations – confirms that technical skills will continue to provide the firm foundation for a career, while the profession is dividing into four inter-related but separate roles.
- The specialists – with deep expertise in an area such as forensics, penetration testing or architecture.
- The generalists – who will be less technical when compared with the specialists but will still have a thorough grounding in information security and a focus on the risk/technical interface.
- The consultants – internal or external – assisting projects, with broad skills in business, risk management and information security and able to work comfortably where these areas meet.
- The leaders – which includes CISO and people who are capable of leading information security projects, programmes, or functions, which requires skills oriented to the business, such as resourcing, finance and strategy.
With the exception of the specialists, these roles are developing on both the technical and business sides of the organisation. For most, a rounded view and knowledge of information security, complemented by a range of ‘soft’ skills such as communication, project management, people management, and relationship building.
Career development is moving away from the traditional linear progression, to one of lateral moves that add to one’s body of experience and marketability.
Formal certification required
Information security is increasingly being recognised as a profession, with standards, common skills and ethics, and a sense of community. In many ways its growth curve is similar to that of the IT industry over the last 30 years. Growing demand has led to a consistent increase in salaries, a diversity of roles, and growth in the number of people entering the profession. With this comes the development of formal qualifications and certifications driven by the community’s growing body of knowledge and determination of best practices.
University degrees and formal certification of knowledge, as well as the technical competencies required for leading vendors’ systems, are all playing a role in different areas. Our mandate at (ISC)² has similarly progressed to support a family of qualifications fit for disparate requirements, with emphasis on the technical depth required for the operational practitioner, managerial depth for the leaders, the breadth of knowledge required of the generalist, and specialist areas such as software and architecture.
I expect the information security profession will reach a level of comfortable maturity over the next 10 years, after the huge growth we experienced over the last 10 years. Our own membership of professionals, for example, has grown from less than 10 000 globally at the beginning of the decade to more than 71 000 members today. As our profession matures, so too will the skills and knowledge required to participate in it. We must accept that we are no longer taking part in a black art, but rather developing on a foundation of established competency, and welcome the fact that there is now more room for individuals to develop according to their interests.