IT security pro salaries continue to rise. Here's one security expert's advice on how to break into the field.
10 CIOs: Career Decisions I'd Do Over
(click image for larger view and for slideshow)
Enter the keywords "IT security" into the search field on the popular job board site Monster.com and 1,000-plus job postings will quickly populate the page. Enforcing security policies, outwitting hackers, preventing data breaches, snuffing out cyber threats--enterprises need all the security help that they can get. And IT security pros earned a median pay bump of $7,000 this year, according to InformationWeek's most recent salary survey.
The recession has not dampened the will of cyber crooks. According to Symantec's 2011 Cost of Data Breach Study, conducted by the Ponemon Institute, the cost associated with a breach was $194 per record in 2011, amounting to a total of $5.5 million dollars.
In fact, as more and more mobile devices find their way into corporate offices, security threats are only becoming more complex. And that's broadening the job definition of a cyber-sleuth to include everything from protecting sensitive data to establishing incident response procedures.
So how can an IT professional with general experience become a seasoned security specialist? Just ask Brian Duckering. Once "a go-to guy for general IT," Duckering is now senior manager of Symantec's security endpoint management and mobility group. While it can take as long as 10 years to make it to the position of chief security officer, Duckering said that even his diverse background in mechanical engineering and robotics design is proof that hard work and perseverance can help you carve out a career niche in IT security.
[ Get expert guidance on Microsoft Windows 8. InformationWeek's Windows 8 Super Guide rounds up the key news, analysis, and reviews that you need. ]
Duckering offers these quick tips for working your way from a general-purpose IT shop to the head of cyber security.
1. Consider Certification
According to a recent Foote Partners' report, the market value of IT security certifications increased during the recession, even as the value of other IT certifications decreased. So what certifications are worth having?
Certified Information Systems Auditor, GIAC Secure Software Programmer--JAVA, and GIAC Secure Software Programmer--.NET are only a few pieces of paper that can help you get through the door. But Duckering warned that the value of certification can vary from year to year. "Certifications are constantly evolving," he says. "The certifications that are going to be really important in the coming year or two may not even exist yet." For this reason, Duckering recommends that aspiring IT security personnel select their certification programs carefully, and never depend on a particular certification to help them land a job.
2. Go Back To School
Like it or not, MBAs aren't just for wannabe investment bankers. Rather, Duckering said an understanding of business principles can help round out an IT professional's understanding of today's security issues. An MBA in information systems, for example, can teach future security executives about data communications and systems analysis, as well as the impact security breaches can have in the areas of finance, marketing, and accounting.
3. Delve Into Mobile
Mobile's impact on security is knowledge an aspiring chief security officer simply can't do without. In fact, according to Symantec's 2012 State of Mobility survey, respondents rated mobility as the highest security risk in IT. What's more, businesses of all sizes are experiencing a variety of damages from security breaches. The average business globally lost $247,000 over the past year from these damages.
As a result, Duckering said it's critical that IT professionals "understand how apps on mobile devices work and how they communicate. If you don't understand that, it's going to be almost impossible to protect against breaches. But rather than simply studying the correlation between mobile apps and security breaches, Duckering recommends "writing some apps. When you write an app, you're sending information to the backend server--that's the best way to understand the implications of a security breach. You have to go through the process of protocols and SSLs and writing an app, which really forces you to think about security."
Sometimes the quickest way to learn about what it takes to become a security professional is simply to spend time with one. "Find a friend who's an IT security professional. Go to developer conferences. Get in with security people," recommends Duckering. "Ask them how they're making sure their data is secure. Pester them with questions."
Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?