In-Depth

Careers: Strong Demand Continues for Information Security Jobs

With information security increasingly a boardroom-level concern, job prospects continue to be good, according to a new study. Training and certification are becoming increasingly important for candidates and companies alike.

• By Mathew Schwartz
• January 17, 2006

More than ever before, Information security is a boardroom-level concern. In fact, information security professionals report they have increasing influence on executives, board members, and line-of-business owners, and 73 percent of them expect that influence to persist.

So says the “2005 Global Information Security Workforce Study,” conducted by IDC and sponsored by The International Information Systems Security Certification Consortium (ISC2), a non-profit information security certification organization that issues the Certified Information Systems Security Professional (CISSP), Certification and Accreditation Professional (CAPCM), and Systems Security Certified Practitioner (SSCP) credentials.

The survey provides a useful picture of current information security responsibilities and job concerns. All told, 4,305 information security professionals—with a title of security engineer or higher—responded, from 81 different countries. More than 40 percent of respondents were security consultants, and 10 percent hailed from executive-level management, including CIOs and CSOs/CISOs. Companies of all sizes participated, though half of responding organizations have annual revenues over $1 billion.

How is the information security profession itself faring? IDC estimates information security jobs worldwide now number 1.4 million, a 9 percent increase from 2004 to 2005, and it forecasts a compound annual growth rate of 8.5 percent until 2009, when it estimates there will be more than 1.9 million jobs. In addition, salaries are relatively stable. Information security professionals from North America and the Asia-Pacific region report their salaries increased about four percent last year.

Information Security Importance Increasing

One significant survey finding is the growing importance afforded security. “Professionals worldwide indicated that information security is now being perceived as a business enabler rather than a business expense, and as a result, they are increasingly being included in strategic discussions with the most senior levels of management,” says Rolf Moulton, president of ISC2. “This demonstrates that the competency of information security professionals is being recognized as the key to an effective security strategy.”

At the same time, “complex security solutions, regulatory requirements, and encroaching threat advances” also demand more executive oversight of security, notes Allan Carey, the IDC analyst who directed the study.

Indeed, the study found more executives are taking responsibility for security. In 20 percent of organizations (up from 12 percent in 2004), for example, the security buck stops with CEOs. Meanwhile, the number of respondents indicating the board of directors was ultimately responsible for security increased to 6 percent, up from 2.5 percent in 2004.

That trend mirrors CIOs’ decreased accountability for security: in 2005, 30.5 percent were ultimately accountable for security, down from 38 percent the previous year. Meanwhile, not unexpectedly, CSOs/CISOs’ accountability increased from 21 percent (2004) to 24 percent (2005).

Training and Certifications

As the importance of security increases, apparently so, too, do information security professionals’ education levels. For example, in Europe, the Middle East, and Africa in particular, 42 percent of professionals report they have a master’s degree or its equivalent, compared with 32 percent in 2004. In the Americas, the number of professionals with a master’s degree increased from 28 percent to 34 percent. Eleven percent of security professionals worldwide report they have doctorates (or the equivalent).

Certifications are important for obtaining and keeping security jobs. “Employers and hiring managers continue to place emphasis on security certifications as a differentiator in the hiring process. The main reasons provided were employee competency and quality of work,” says Carey. He notes some organizations are beginning to require job candidates possess at least one security certification.

It’s no surprise, then, that more than half of survey respondents anticipate receiving at least one security certification in 2006, with 86 percent rating them as important to career advancement. Helpfully, organizations seem to be underwriting at least some of the certification efforts they prize. On average, organizations spend “more than 40 percent of their IT security budgets on personnel, including salaries and benefits, and on internal and external education and training,” IDC reports.

Going forward, information security professionals are also seeking new types of training. Business continuity, computer forensics, and information risk management are areas of special interest, and as Carey notes, at least some of those perceived educational needs stem from job-security concerns. “Information security professionals are trying to differentiate their capabilities in a marketplace that remains competitive and complex, requires expertise, and demands results.”

Competing in the Security Job Market

Security pros are also competing in a job market that’s tighter than hiring managers would like. “Time and time again, IDC observes the need for more information security professionals among organizations, particularly those with more than 1,000 employees, and the market demand for such individuals with both technical and business skills continues to grow,” says Carey. In particular, according to the Enterprise Security Survey IDC conducted last year, “37 percent of individuals stated that if given a larger security budget, they would initially increase the size of their IT staff dedicated to enterprise security, and better train employees to avert human error.”

Yet many companies say they can’t find the candidates they need. “Anecdotally, many providers of security services are struggling to find appropriate candidates for the vacancies within their security workforces. Consequently, opportunity awaits those individuals looking to enter into an information security career path,” says Carey.

To drive greater numbers of qualified information security personnel, companies might consider recruiting more women. “Men continue to dominate the information security workforce,” Carey notes. By and large, respondents to the survey were male (90.5 percent of respondents, up from 88.9 percent in 2004), and that’s especially true outside of North America. Given the lack of women in the field, Carey calls for an increase in programs at the national and international level, “to foster career development and encourage female participation in the information security profession.”

Related Article

Q&A: How to Get and Keep a Security Job
http://www.esj.com/Security/article.aspx?EditorialsID=1425