Where the Jobs Are: 7 Growth Areas in 2010
New Year Looks Promising for Professionals Skilled in Risk Management, Forensics
2009 was a tough year in many ways -- economic recession, massive layoffs, high unemployment rate, scores of bank failures.
But there is good news for information security professionals looking for jobs within the public and private sectors in 2010. There are jobs aplenty, thought leaders say, for information security professionals looking to change jobs, move into leadership positions or switch industries altogether.
The keys to success are to recognize the top growth areas, and be prepared to tackle new skillsets.
"Companies today are looking to hire one or two key information security professionals who are experts in a broad range of security skills and are capable of playing several different hats," says Jeff Snyder, president of securityrecruiter.com. Among the hot skills: access control, user provisioning, digital forensics, incident handling, data loss prevention and ethical hacking capabilities.
"We continue to see demand for positions including security architecture, application security, risk management and regulatory compliance," he says, adding that professionals with these skills will continue to be hired by companies to play a critical role in safeguarding against security threats and challenges.
However, as automation and security monitoring tools take over, some security functions such as patch management, network monitoring, vulnerability analysis and help desk functions will see more layoffs, hiring freezes and outsourcing, says Brian Barnier, a board member with ISACA and a senior partner with ValueBridge Advisors, a security advisory and consulting firm based in Connecticut.
Yet, the role of risk management in information security is being re-emphasized and will continue to be a key driver impacting the profession and the job market, says Steve Katz, former CISO at Citigroup, JPMorgan Chase and Merrill Lynch.
"IT security professionals increasingly will be asked to act as advisers to senior business management on risk management strategy going forward," Katz says.
Following are the seven top growth areas for information security professionals in 2010:
1. Risk Management
"Cyber risk is real," and companies are looking for professionals who can understand the business risks to be able to explain the value they're providing to senior management, says Katz. Organizations today are largely concerned with viability and survivability, spending their time, resources and efforts focused on meeting the industry standards and regulatory checklist. They are not necessarily taking a risk-based approach, Katz says. "They are saying 'If I do the checklist, then I must be okay,' and that is really not a good idea."
Security professionals and leaders need to understand how risks affect their own particular role and how that fits within the overarching risk management process within the organization. "Professionals who realize that security is inextricably linked to business and business risks will be successful and in demand in this marketplace," says Mischel Kwon, Vice President of Public Sector Security Solutions for the Worldwide Professional Services unit at RSA.
For security professionals and senior leaders hoping to thrive and remain strong in the information security discipline going forward, "The key will be to understand that we all have a part to play in recognizing, evaluating and mitigating risks," says Kwon. Therefore, proactive, efficient and automated management of risks will ensure, she says, "that we all have the information required to perform our role and make important decisions in the future."
2. Security Process Management
Increasingly, organizations focus their efforts on streamlining and centralizing security processes to make security cost-effective and efficient. Better security process management enables organizations to determine their most significant security exposures, target their budgets toward addressing the most critical issues, and then achieve the right balance between cost and security, says Barnier. Therefore, business and security process professionals will definitely see an upswing in demand for their skills in:
- Implementing multi-tasking solutions that protect data according to its risk classification levels;
- Investing in the right mix of tools and technologies to manage multiple security measures;
- Knowing when to outsource key services including network perimeter security;
- Having the ability to operate cross-functionally and communicate with business units.
3. Business Side of Security
Organizations today are looking for forward-thinking professionals who, instead of saying 'no', talk to their business colleagues and see how they can get things done.
Another area of growth will be for more senior and well-rounded security professionals who understand both business and technology and can effectively communicate in business terms to senior management. "At most companies today, security projects are driven by compliance and audit and as such lack a business alignment with security," says Kwon. As a result, security professionals are not working on business problems, but rather on regulatory issues. "IT security professionals will therefore need to have a greater understanding of business if they are to succeed in the next decade," she says. These integrated skills are required for better risk management practices, understanding, implementing and managing emerging technologies, as well as justifying budgets in tight economic times.
4. Forensics and Fraud Detection/Prevention
Forensics has become critical in the last few years, as people extensively use technology for criminal purposes and cyber fraud. Three broad industries need qualified digital forensic expertise on a daily basis:
- Information Security: to stop hackers and computer-based attacks, and to recover from data breach incidents.
- Legal: to win civil and criminal cases involving electronically stored evidence.
- Law Enforcement/Defense Industrial Base: to arrest and prosecute criminals/deter enemies.
In the current job market, demand for such experts is increasing in the United States, where many companies are facing real-time cyber crime activities. "We have forensic experts that we are looking for," says Nadia Short, vice president of strategy & business development at General Dynamics Advanced Information Systems, which seeks people who are able to lead the investigation and incident response activities. These individuals primarily focus on the ability to understand file systems, logs, histories, patching and, more importantly, understand chain-of-custody activities as, in Short's words, "we look to provide that kind of data to law enforcement officials as they look to put the bad guys away."
5. Software and Application Security
Specialized and niche security recruiters such as Snyder continue to see a strong demand in the area of secure software development and application security. Security implications in software development, operations, maintenance and deployment are gaining prominence "as companies are increasingly focused on integrating security with their software lifecycle to build superior, secure products and applications," says Snyder. "There will always be a growing demand for qualified security programmers, web application analysts, software engineers and security architects," he adds.
6. Regulatory Compliance
With new regulations and compliance requirements expected in the New Year, there may be some significant job openings at federal and state regulators. Nathan Johns, a senior executive at Crowe-Horwath, a top 10 accounting firm and risk management advisor, and a former FDIC examiner himself, sees openings as increased regulations are enforced on security outsourcing and offshoring services. "Examiners will keep a close tab at where the data and information is being sent and who takes ownership for this data when information travels overseas," he says. Other areas getting emphasis will be new standards for application and product development, testing and signoff.
7. Emerging Technologies
As consolidation and collaboration continue to take place within the financial sector, the government places emphasis on critical infrastructure protection. Emerging technologies including virtualization and mobilization of services, cloud computing, centralization of data centers and services will call for a new breed of project-based consulting professionals, says Barnier - which translates to a need for new and specialized skill sets in these promising technologies.