Career Advice for Security Professionals
Interview with W. Hord Tipton, Executive Director of (ISC)²
To answer these questions, we turned to W. Hord Tipton, executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.
The interview focuses on information security career trends in 2009, including job opportunities, certification, job skills, salaries and career advice for information security professionals.
Upasana Gupta: Going forward in 2009, what career trends can we expect to see in the field of information security with regards to jobs and job opportunities?
Hord Tipton: Looking at the impact of the recession on the information security field, even if downsizing in companies is severe, the IT security folks are generally the last to go because their job functions are critical to continuing the business regardless of how many employees are left. There's so much information that people have to still protect - it's digital, it's in databases and transmitted over wires - networking and security people are going to be required.
That's been proven by research surveys that show that IT security managers and architects are rated near the top in terms of the most protected jobs. There may actually be an increased demand for them in many cases because the insider threat is greater than ever. The information security staff must monitor the IT department as well as end-users. People are looking for something to make them more marketable when they must leave their current employer, and thus are tempted to leave with your data.
Another trend is that with the recession, information security professionals who are displaced are looking for things to differentiate themselves from competitors for a job. If you can show your security experience and knowledge is validated by a certification, you have a leg up. When there may be 25 applications on somebody's desk, you want to stand out.
Gupta: Are there new areas of certification or education that (ISC)² is focusing on for security professionals in 2009? What are these areas and certifications? Also, can you share information on the demand of existing certifications offered by (ISC)² for information security professionals? Its effectiveness and need in the industry.
Tipton: Yes. In September 2008, (ISC)² announced its new certification aimed at securing software throughout the lifecycle - the Certified Secure Software Lifecycle Professional (CSSLPcm) - which addresses the increasing concern over application vulnerabilities and maintenance of the application from a software point of view.
This certification focuses on ensuring software security throughout the lifecycle development process from 'cradle to grave,' so to speak. Most observers believe this type of certification was long overdue - the CSSLP has the support of many top organizations around the world, including Microsoft, Symantec and Science Applications International Corporation (SAIC) and many others.
Many information security positions now require certification. The banking, financial services, and similarly-regulated industries typically require security certifications for many positions, so you often won't get a job in these industries without one. Security is highly technical, with many facets and niches. It can also be very specialized, so certifications can help clarify exactly what skills an employee or job candidate brings to the table.
Also, our data dovetails with recent research that says security architects are in demand because our Information Systems Security Architecture Professional (ISSAP), a concentration of our CISSP, is showing a surge of interest. The other credentials are showing sustained demand. Enterprises are becoming much more interested in keeping their data secure following high-profile breaches like the one at TJX Companies Inc. With that increased awareness comes greater need for experienced security pros to manage security plans and systems.
Gupta: Given the weak economy, what additional skills and attributes will security professionals need to acquire jobs within the industry? What will make them marketable?
Tipton: As mentioned earlier, up-to-date skills in the financial sector, including in-depth knowledge of PCI requirements, are important. Also over half of business transactions occur on the web -- a dangerous place to live. Maintaining skills in this is a critical need. Third, security professionals who understand architecture and integration impacts of all company business lines will be valuable.
Gupta: What kind of salary can security professionals expect in 2009? What impact will the economy have on existing salaries and overall compensation package?
Tipton: Overall, salaries are probably going to come down now that we are officially in a recession. I think because of the demand, information security professionals will do better than most in maintaining their current salary levels. According to the 2008 (ISC)² Global Information Security Workforce Study, the average annual salary for an information security professional who is also a certified (ISC)² member is about $20,000 higher than that of a non-(ISC)² member. Most importantly, though, their jobs are more secure.
Specialization also will help. Those experienced in security architecture will likely see higher salaries than generalists. We believe that professionals who gain an understanding of securing software will also be more attractive to employers.
Gupta: Career advice for job seekers in this field?
Tipton: The banking industry is an entirely unique security world in and of itself. It's also the prime target of the criminal element. There are more targeted attacks against financial institutions than any other sector. So that ensures that the demand for people to help protect their interests is sustained. Notably, anyone who has specific skills in PCI compliance and understands the rules and attack vectors from the financial side of it will benefit.