Where the Jobs Are: 5 Hot Career Tips for 2009Hint: It's a Good Time to Brush up on Regulatory Compliance
Interviews with industry and employment leaders reveal the top growth areas for job seekers looking to make new moves in information security, regulatory compliance or even the regulatory agencies.
"Clearly the consolidations and mergers have caused hiring freezes in many financial services companies, as they try to figure out what's left after the carnage," says Joyce Brocaglia, CEO and founder of Alta Associates, a New Jersey-based information security recruitment firm. "We are still seeing strategic hiring taking place."
"Regulatory and industry requirements are not being forgiven or overlooked," says David Schneier of Icons Inc., a Princeton, NJ risk assessment firm. "Regulators have not and will not ease requirements due to economic conditions." He's also seeing a noticeable spike in criminal activity via digital pathways and says because of this there will continue to be a need for experienced information security professionals across multiple business verticals.
Information security is mission critical, or should be to all companies, says Tom Silver, SVP and Chief Marketing Officer for Dice.com, an Internet job search site specializing in technology and information security jobs. "On Dice.com, we are still seeing good demand for network security positions. Companies will continue to be pressed to keep data private, and network security analysts, CISSP and information security analysts should be the types of positions that would be deemed critical regardless of the economic environment."
Financial Sector Hit Hard
As the summer drew to a close, there were signs that some of the biggest banks and investment firms were in trouble from the fallout from the subprime mortgage mess. Earlier in the year, Bear Stearns fell, followed by the biggest banks ever to fail, including Washington Mutual and Wachovia. Investment firms merged with banks or filed to become bank holding companies, and the layoffs of thousands of redundant employees began hitting the market.
The New York metro area is the Mecca of the financial services industry observes Alta's Brocaglia "They've been hit pretty hard. We've seen a lot of downsizing right here in Manhattan."
This trend is expected to continue at least for the first quarter or two of 2009, and longer if the overall economy doesn't improve, notes Kent Anderson, member of ISACA's Security Management Committee and Managing Director, Encurve, a Portland, OR risk management advisor. The key drivers impacting information security professionals will be mergers and acquisitions and layoffs such at those recently announced by Citigroup (52,000). "Those professionals working in compliance-related activities will be the least impacted, while those working on projects related to IT infrastructure will be affected the most," Anderson says.
He predicts IT security professionals who are technically focused will be more strongly affected by the economic downturn. Technical and administrative security functions such as patch management, network monitoring and help desk functions will see more layoffs, hiring freezes and outsourcing than more business-focused positions, Anderson says. "Contractors and security consultants will feel the effects more than full-time employees, as they will be the first to be let go, but also the first to be re-hired," he concludes.
One bright spot for information security pros to focus on is showing expertise and the ability to use tools most efficiently to identify, capture and protect data. "The people who are able to show this will thrive because there will always be the need for information security and compliance personnel, even in bad times," says Nathan Johns, Executive at Crowe-Horwath, a top 10 accounting firm and risk management advisor.
Threats don't go away, but most organizations are looking for ways to be more efficient, and IT information security is a cost center, so there will be trimming, says Johns. The issues of automation and less manual intervention in the security process will be the focus. "Though at some point logs have to be looked at manually, and an institution will never get down to zero people with just a computer monitoring everything," he notes. The more efficient a security department can be in the use of tools to consolidate, the better off they will be and staff with those types of skills will be even more valuable in these cost-conscious times, he notes.
5 Growth Areas for 2009
So what are the big growth areas in the year ahead? Here's our list:
1. Risk Management/Regulatory Compliance -- The move of Morgan Stanley and Goldman Sachs to become bank holding companies opens the door for positions at those firms for information security professionals familiar with FFIEC regulations and GLBA rules. "In some cases, information security has been part of their operations, but this will definitely mean they will need to bulk up their InfoSec operations in the risk management area," predicts Steve Katz, an information security expert and former CISO at Citigroup, JPMorgan Chase and Merrill Lynch. People who are familiar with that guidance will have room to grow in those new bank holding companies, he says.
2. The Business Side of Security -- Another area of growth will be for more senior and well-rounded security professionals who understand both business and technology. "These merged skills are required for better risk assessments, managing the introduction of complex technologies such as mobility, Web 2.0 and virtualization and justifying budgets in tight economic times," says Anderson.
3. Application/Network Security -- There are jobs out in the industry says Jeff Snyder, President of J.A. Snyder & Associates, Inc., a Woodland Park, CO-based IT information security recruitment firm. "We continue to see demand from our clients. Demand ranges from network security to application security to regulatory compliance and audit. Highly talented information security professionals should continue to be in demand whether the economy is good or bad," he notes. While jobs are being cut and new requisitions are being frozen, hiring is still being done for critical positions. In some cases, Snyder says contractors will be brought in on a project basis to address issues that must be addressed. He continues to see strong demand in the area of Secure Software Development and Application Security. Many times, he sees employers wanting Application Security professionals who were once programmers. "Other times, it is enough to learn to use Web Application Security assessment tools."
4. Regulatory Agency Jobs -- With new regulations and compliance requirements expected in the new year, there may be some significant job openings at federal and state regulators. Crowe-Horwath's Johns, a former FDIC examiner himself, sees that there may not be immediate openings at regulatory agencies in 2009, only because they're still "wading through what's happened and digesting it, looking at the issues and how to best address them." But come 2010 and 2011, "They will turn to IT information security, so getting the experience that a good examiner would need is something to think about in 2009."
Katz agrees with Johns and predicts requirements for regulatory agency personnel "Is going to skyrocket. They are going to need seasoned examiners. They're going to need people who know what the real world looks like and how it operates."
Looking at the FDIC, OCC, OTS, NCUA and FRB and the number of institutions they're examining, the need for examiners is going up, Katz says. "A couple of years ago it was difficult to get examiners hired because the salaries just were not competitive with the private sector. Today information security professionals are looking at job security, and the regulatory agencies offer that level not found in the private sector."
With all of the layoffs and the downturn in the economy, "There is a certain degree of comfort working at a regulator, where the salary may not be as high as at Lehman Brothers, but the person isn't worried about losing their job," Katz notes.
5. Critical Infrastructure/Govt. -- Katz also thinks that there will be an increase across all critical infrastructure industries, including financial services, as the Obama administration will place the same level of emphasis on critical infrastructure protection as the Clinton Administration. "This will increase the need for information security professionals and privacy professionals across all sectors, but especially in the critical infrastructure industries," Katz concludes.
Dice's Silver also sees an uptick in government-related information security positions. "There are more job postings open on Dice.com in Washington D.C. than any other metropolitan area," observes Silver. In December, job postings for the D.C. area were up 6 percent compared to last year. "There are many opportunities in that market, and not just with the federal agencies. Certainly, there are many consulting firms which service the government and the defense industry. In addition, if you have an active security clearance, the market is very strong. We see postings on ClearanceJobs.com up 60 percent this year compared to last year."