Why IT Security Careers Remain Hot
And What Aspiring Pros Need to Do to Get the Hot Jobs
"A lot of times you're solving problems that don't have clear solutions and it takes many skills in one person to really become involved in this kind of stuff and to have an impact and influence," Foote says in an interview with Information Security Media Group's Tom Field [transcript below].
Certifications today don't hold as much weight as they once did, and are starting to lose value, says Foote. IT security professionals must take a hybrid approach, incorporating different skills and talents into their overall work ethic in order to progress in their careers.
Some of the skills Foote highlights include being able to write and speak business, using marketing and communication abilities to handle high-pressure situations. "Not being able to explain how security supports those business objectives isn't going to get you farther in your career at that company," Foote says.
There is no direct path in security, Foote explains. In order to progress in a career and stay on the cutting edge, security professionals need to take the extra step. "Largely we find a lot of security professionals saying, 'I'm just going to get another certification or I'm going to get deeper into this technology skill,'" he says. "We've said that's not going to get you very far. Companies are looking well beyond depth of technical knowledge in security."
In an exclusive interview about the latest information security career trends, Foote discusses:
- The IT security skills, certifications, and jobs that are in highest demand;
- Why hybrid IT-business professionals are the largest and fastest growing IT job segment; and
- Advice for IT security workers looking to start or re-start their careers.
Foote has long been one of the most quoted industry authorities on global IT workforce trends and the integration of technology and business management practices. His two decades of pioneering benchmark research and analysis of IT skills evolution and compensation practices, of defining a new generation of high-impact IT/business hybrid workers, and of commenting on multiple facets of the human side of technology value creation have won him an unquestioned place on a short list of thought leaders in these areas. A popular opinion columnist, conference speaker, and social media commentator, his contributions appear regularly in dozens of online and print publications, in appearances on television and National Public Radio, and on podcasts and numerous blog sites.
TOM FIELD: You've recently released updated research on IT skills paying job trends. Before we get to the trends, tell us a little bit more about how your research is conducted because I know you are unique in the market place.
DAVID FOOTE: I've spent a lot of time at Gartner and we're actually a bunch of ex-consultants and analysts here. I work with a lot of executives and they're always asking me questions and saying, "I can't get any of these questions answered because this is really user-based stuff. It's not vendor. I'm okay with vendor stuff. When I actually have to get stuff done, and I need advice, it's hard to go to the analyst firms to get that." What I did is I took this company out. I was at Medigroup at the time and in 1997 decided to build an actual research foundation for user-side questions that have to deal a lot with execution. I've chosen my vendors. I've got my budget. I've bought my products. But how do I actually get this stuff done? There are all sorts of technology issues in that but ultimately it comes down to people. A lot of our really deep research that we do is around I would say human capital, people and human-value creation, and to that extent our research base is 2200 companies who are partners with us, the really sort of deep partners if you will. They give us a lot of what we need. Just to give you an idea of the demographic on this, 46 percent of those 2200 are 500 million or more in sales. So 54 percent are what would be probably small to medium-size businesses under 500 million. We pull a lot of stuff out of them and we are going to talk about some of that today, at least the part that has to deal with security.
IT Security Profession Today
FIELD: We spoke in 2010. You said at the time that security was one of the best places to be for IT professionals, based on what research was telling you. Does that still hold true?
FOOTE: You know I think it does. I think in a word, yes. But it's not without its problems and issues. I'm getting a lot of invitations to speak at conferences and groups about security stuff and anything else, security audit, governance, control. I think everybody is looking at this tidal wave coming at them, this category one hurricane if you will. The issue is that we've got mobile computing, we've got cloud, we've got managed services, we've got all this stuff coming at us. We've got enormous quantities of data. We've got platform issues particularly around mobile, and in addition to that we've got all the stuff we've been working on for years with compliance and regulation. ... Basically there is a lot of work to be done in security and there are a lot of opportunities, but the problem is, what we're talking about today, is this gap between the skills and talent that's needed and what's floating out there in the market.
The expectations of employers are that they really want very, very experienced, seasoned people to handle a lot of really tough, complex problems. What they're getting in the marketplace are a lot of people and some of them are certified but they don't really know enough. They're not experienced enough, or they don't have enough of these multi-dimensional technology skills. Or their communications skills - their ability to influence and their ability to simply present some of this to business audiences - are lacking. They're really asking for a highly qualified person to work in security and IT. The idea is there are a lot of jobs, there are a lot of people, and there's money out there. But it's the question of your ability to do really hands-on work and really to grow security as a profession. It's not without its problems, I have to say.
Skills & Certifications In Highest Demand
FIELD: I've got a two-part question for you. The first part is: which IT security skills, certifications and jobs do you see to be in highest demand now, and which areas do you think are going to need more professionals as this threat landscape continues to evolve?
FOOTE: I can tell you that one of the ways we look at this problem is we track pay and demand for security skills and certifications. That's historical, but that is one of the areas that we look at. It's very interesting that through the entire recession, companies pay premiums and they usually embed it into base pay, but they might pay it as a bonus. What they're basically saying is this skill is really valuable to us and other people with your title, what you do, may not have this skill and we need to actually create an incentive here and we need to pay people who have these skills. Now if we track those as a group, they did very well through the recession.
Then about a year ago, security certifications started losing value. To the degree which you believe certifications are important, the ones that have really been losing value even in the last three-to-six months have been the CWNP Wireless Security Professional, the Incident Handler from SANS Institute, the CompTIA Security+, which is sort of an entry-level certification and mid-level, GIAC Intrusion Analyst, the Forensic Analyst, the Master Architect from Check Point, even the cybersecurity forensics analysts have been going down in value. That doesn't mean that they're worth less, it just means that some of the supply has caught up to some of the demand for some of these. But the ones that have been going up in value for instance are the Cisco ASA Specialist, the Cisco Certified Security Professional, the CCSP, the Certified Information Security Manager from ISACA, the Certified Ethical Hacker from EC-Council. These are some of the things if you look back three-to-six months. But if you were to ask me some of the things that companies are telling us are in demand, they will say security information and event management tools, data loss prevention and a lot of cloud computing security skills. We hear a lot about applications development, secure programming, a lot of things having to do with applications and securing applications. We hear risk management, software security and protecting companies against advanced persistent threats. We're hearing a lot. Basically I'm trying to give you a three-hour briefing in two minutes.
There are a lot of very specific things out there, but I can say that as a group, certifications seem to be starting to lose value because so many people have seen security. It's true what I'm saying. They've seen security as a pretty safe bet in their careers and they've sort of flooded into security as a sort of hedge in their career development and it's true that from what we're hearing a lot of their talent doesn't really match up with the kind of degree of talent that employers are looking for out there. It's like a lot of other things in IT, not just security. They're looking for very specific things and very specific people to do work in very high-pressure circumstances. I'm saying the difference in security is that in addition to all the other stuff they have been doing over the years, you've got things like this mobile platform. Security issues are heavily bent; the vulnerabilities have been on operating systems, platforms and all the moving parts on those platforms. Now you are seeing security issues in cellular areas, in mobile hardware. How many operating systems are there right now for instance on smartphones, about eight or nine? There are probably three that matter. You're talking about not only stuff we've already been working on, but a lot of new threats and a lot of new things. In general the pressure is really on, but the opportunities have never been greater for security professionals if you have what it takes.
Hybrid IT Business Professionals
FIELD: You've often talked about the hybrid IT business professional and said that is one of the largest, maybe fastest growing IT job segments. Tell us a little bit more about that trend and how it's affecting the security profession in particular?
FOOTE: What I'm talking about here is that the government, the Bureau of Labor Statistics, will go on and on about the fact that they think there are four million IT professionals in the U.S. But I don't think it takes much persuasion to tell you that their definition of security professional has basically 13 categories. These are the administrators, the engineers, the developers; it's sort of the IT department of 20 years ago. But if you look beyond that, there's another 20-24 million IT professionals who work in lines of businesses, work in product and work in corporate departments. They're in marketing, finance, accounting, sales, HR, logistics, operations. They're all over the company and these people would not have gotten their jobs without subject matter expertise in those areas.
But many of them do bring quite a bit of IT and in this case information security expertise into their jobs. We're saying that maybe 17-18 percent of the workforce in America, 140 million people, is what we consider IT professionals. Of the more traditional group, it's maybe two to three percent.
Now in security, it's a very vast field. You've got physical, social engineering and development, digital communications and cellular. You've got regulation and compliance, network design, infrastructure. You have all these business aptitude areas and subject matter experts. We find that more and more, as we look at the market of IT-related skills, you see a number of security professionals populating those areas. Again, not under a CIO, sometimes not even under a CISO directly or a CSO, but they're tackling security issues all around the enterprise, because frankly right now IT is being managed all over the enterprise. It's distributed everywhere. It's not just under CTOs, CISOs, CSOs and CIOs. Many companies don't even have CIOs anymore, but as management of that has really become distributed, security has been one of those areas where people are very sensitive to that everywhere in the company. As I talk about hybrid IT business professionals with a lot of other people, I'm not talking about security in your case. I have to say we're seeing a lot of security skills and talent needed as well outside of the traditional security organizations, systems and professionals.
Biggest Challenges
FIELD: When you look at the job market for IT security professionals, where do you see the biggest challenges for them and for the people managing them as well? And how can these challenges be addressed?
FOOTE: I think their biggest challenges are to understand that depth of knowledge in security is not the only thing that they really need. ... There have been articles and also podcasts where I've spoken very specifically of what security people need to think about, well beyond depth of technical knowledge, if they're going to get anywhere in their careers. Those have included things like being very multi-dimensionally skilled, the diversity in training. If you look at all the threat vectors out there, these are issues well beyond just one or two elements of technology. A lot of times you're solving problems that don't have clear solutions and it takes many skills in one person to really become involved in this kind of stuff and to have an impact and influence. A lot of times it's just learning to translate technology risks into business risks, being able to language this stuff, present this stuff and speak in very simple terms to the business. Think business; learn how to speak business. Know your industry and all the threats that might be specific to your company's business model. Not being able to explain how security supports those business objectives isn't going to get you farther in your career at that company.
Be able to write and present. ... Be able to market yourself, be very aware. Be very high touch if you will. There's not a lot of help with security professionals, and I've said this for a long time, in terms of formulating their careers. No company is going to take you and show you a career path in security. It's up to you to do that kind of stuff. But largely we find a lot of security professionals saying, "I'm just going to get another certification or I'm going to get deeper into this technology skill." We've said that's not going to get you very far. Companies are looking well beyond depth of technical knowledge in security.
For example, I spoke with somebody the other day who is working in a marketing department for a CMO at a company and their job is in social media and social networks. That could be a content job for some marketing specialist, but in their case they're worried about security issues in social media and the kind of content they can and cannot put on their sites. They have a number of security issues and some of them are technical and they need someone to help think through these things. That person is there because they have a very strong expertise in marketing and in social media, but now they also in addition have a very strong understanding of some of the security issues involved in that. You find dozens and dozens of different versions of that person all over companies right now thinking about how security impacts that part of that business. You see that in a lot of areas where there is big data management. You find them everywhere. You find them in data warehouses. You find them all over in various e-commerce, web development and web deployment parts of departments. Obviously security issues are everywhere in companies right now. That's my basic answer. I could talk another hour on this by the way.
Advice for IT Security Professionals
FIELD: I know that. Just a final question for you because that is all the time we have now. What advice would you offer to current IT security workers and managers as well as those entering the field today about jobs and careers?
FOOTE: I want to just carry something I said earlier. I would say, don't think that technical knowledge is necessarily all that companies are looking for. Yes they are, but even if you look at something as simple as cybersecurity skills, there's a whole list of cybersecurity skills around policies and standards. There is deterrence, vulnerability, threat reduction, international engagement, incident response, recovery policies, information assurance and law enforcement intelligence. In that one area of cybersecurity there are so many things beyond technology that companies are asking for. Every position that we see, that we track, every job that we see these days is more and more requiring this multi-dimensional person who has a certain level of technical knowledge but goes well beyond that because these problems are not necessarily technical in nature. The idea is that you are trying to understand these threats and the kind of people. What is motivating these people and how do they go about thinking through?
Right now for instance, I would say some of the greatest opportunities are in mobile, because mobile is not seeing exploits being used the way that you are seeing them in desktop and PC platforms. Basically mobile threats are mostly social engineering, but they want to monetize these attempts as much as possible. That hasn't really happened so much on smartphones. That's a huge opportunity for somebody going forward, to specialize in mobile threat vectors, because I think a lot of the mobile security issues are ahead of us. Get out in front of them; it's a great opportunity for a career. Again I could talk in a lot more specifics about that if we had time.