While putting together a slideshow on the hottest IT skills, based on data provided by Dice.com, it was interesting to find security so far down the list (to No. 14).
Meanwhile, during the most recent quarter, Foote Research Group found the first decline in pay for security certifications since 2006, though Dice still reports high demand for certifications such as CISSP (Certified Information Systems Security Professional).
Yet, in a podcast with Information Security Media Group, David Foote, co-founder of his namesake research firm, maintains that this pay decline does not indicate a devaluation of security skills. In fact, the research found continued gains in pay for non-certified skills.
As he explains it, companies have been "underspending terribly" on security, only doing what they have to to meet compliance mandates. At the same time, they've been cutting the IT budget everywhere else and not hiring security professionals whose skills come at a premium because they're trying to reduce costs. Now the budget-cutting has finally reached the paychecks of security pros as well.
At the same time, threats have grown and business customers have grown more nervous, prompting companies to rethink their internal security plans and to give managed services another look. Many companies are asking themselves whether to do this work in-house or farm parts of it out.
SearchSecurity.com quotes Foote saying:
Except for a handful, certifications stopped being that important a long time ago. It's also clear that there are a lot of skills that are heavily in demand-there might not even be certifications for these skills.
And he talks about the melding of IT and business skills:
Traditionally, security pros knew a lot about security technologies, but not necessarily about the data itself. The question has become: How do we consider what the most important data is? And that's a business issue, not IT.
... There are security issues in finance and accounting, security issues in HR with privacy, security in marketing with social networking and information risk. These days, some security pros are reporting directly to marketing managers. Businesses need security people who understand how to manage product launches over Twitter. It's not the classic IT person, but it is an IT person nonetheless.
He says companies have grown more comfortable with outsourcing parts of their security work, but tend to keep the strategic parts in-house, such as risk management and governance.
Among the hottest areas of security, he said, will be auditing, secure software development and programming, forensics, data loss prevention, intrusion detection, application security and IP-related security
There's been a rise in interest in entry-level security certifications, he said, which he takes to mean more people are considering IT security as a career. Electronic health records will prove to be a hot area for security pros, he said, as well as the services industry and government, although those jobs are not entry level, but usually require specialized skills.