2011 marked a solid year for IT risk professionals in terms of career opportunities. The field of IT risk is fairly broad, considering that these professionals can be employed in IT audit, security, within risk-management functions, IT compliance, or embedded in the business side of an organization. All of these areas are enjoying a healthy rebound in job openings. A recent ISACA survey finds more than one-third of U.S. companies plan to add IT-risk staff over the next 12 months.
While the market for IT risk and security professionals remains solid, we expect to see a continued gap between the "haves" and the "have-nots" moving forward. Although the number of open positions has increased dramatically, hiring standards remain high.
We see an increasing emphasis on candidates with "the whole package," including deep technical skills or subject-matter expertise, excellent communication skills and a solid understanding of the business and its associated risks. In addition, we also see a strong paradigm shift to focus on candidates that demonstrate creativity, judgment, critical-thinking skills and the ability to effectively multitask and meet tight deadlines. At the same time, the bar remains high with regard to credentials (degrees and certifications) and stable work histories (not too many jumps; good progression; minimal gaps in employment).
Over the past several years, we have seen structural changes in the economy that have put a premium on candidates with relevant in-depth knowledge. Moving into 2012, risk professionals will need to develop deep areas of subject-matter expertise. I recommend that anyone in the IT risk field select at least one area relevant to either your organization or the area you would like to move into, and dedicate yourself to gaining expert-level knowledge. Here are some areas of increasing importance to IT-risk professionals in 2012:
- The Cloud: Movement to the cloud is inevitable; the only questions are to what degree and how fast. The job of the risk professional is to make sure business leaders fully understand the various risks and weigh them against the potential cost savings. Among the issues to consider are security, privacy, reliability, segregation-of-duties problems caused by reduced IT staffing, and especially contractual issues, as well as understanding what assurance you do or do not have from an SSAE 16 SOC report.
- Mobile Security: This area is really keeping CISOs up at night. This may be leading to a gradual paradigm shift with more focus on protecting critical data as it travels beyond the perimeter, as well as understanding malware vulnerabilities.
- Cyber Threats: These risks, including Advanced Persistent Threats, are becoming increasingly sophisticated and, in some cases, state-sponsored. More significant is the change in tactics from "hit and run" attacks to stealthier attacks in which attackers harvest critical information, sometimes over years. This will put a premium on risk professionals having the technical expertise to understand, detect and respond to these challenges and to strategically maneuver the enterprise around these risks.
- Social Networking and Privacy: This is another phenomenon that has perhaps grown beyond companies' ability to fully understand all of the repercussions and to develop effective policies to mitigate the risks.
- Data Analytics: This has become an increasingly important skill set, as there is high potential to add value to the organization. Auditors now are able to look at and analyze entire data sets, rather than limited samples, and companies have the ability to develop continuous controls, giving risk professionals the opportunity to use sophisticated tools to evaluate risks and measure the effectiveness of these controls.
- Reducing the Compliance Burden: There is no mistaking that companies have come under a mountain of regulatory scrutiny (SOX, HIPAA, PCI DSS, ISO, Dodd-Frank and others), with new legislation and guidance coming out every day. The opportunity for the risk professional is to reduce the regulatory burden, or what Microsoft calls "the Audit Tax," by finding redundancies, leveraging prior work and generally looking to streamline the process while still maintaining compliance.
The sooner risk professionals specialize and gain expertise in these areas, the better advisers they can be to the board and other executives on risk-related issues.
Todd Weinman is president and chief recruiting officer of The Weinman Group, an executive search firm specializing in audit and GRC. He is a member of the Leadership Development Committee for ISACA.