Strategic CIO // IT Strategy
News
2/25/2014
02:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Rise Of The Security Analyst

The most sought-after quality in security hiring today is strategic knowledge versus technical know-how, a global workforce study says.

In recent years, CISOs have succeeded in getting more boardroom buy-in for security tools and staff. According to (ISC)2's most recent Global Information Security Workforce Study, two-thirds of C-level managers believe their security departments are too small. Employers are interested in expanding their security staff, but they can't find people to fill the positions. 

According to the study, the most sought-after quality is a broad knowledge of security -- more of a strategic understanding than technical know-how -- followed by certifications. This is a tricky combination. Individual technical certifications don't provide a broad understanding of security strategy, and CISSP certifications are only given to people who already have five years of experience working as a security professional.

"There really aren't many entry-level positions in security in the same way there are in other industries," says Julie Peeler, head of the (ISC)2 Foundation. "What we really need is people who have experience beyond the one piece of technology. More than just a Cisco server, they need to know how servers work, and how servers link to each other. They need to understand the strategy and engineering behind a server. They don't make those in college."

Peeler says that the entire security industry is moving away from the super-techie with the IT degree.

"Because of the rise of the security analyst -- someone who can take a lot of disparate information and cull the truth out of it -- companies are looking at people with liberal arts backgrounds -- necessarily non-technical backgrounds," says Peeler. "A lot of these analytical skills are hard to teach." 

The trouble then is, if the people we want in IT jobs do not have IT backgrounds, how can we coax them to apply?

Read the rest of this article on Dark Reading.

 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Ninja
2/26/2014 | 6:56:57 AM
Catch-22
Sara, 

Interesting. And tricky. 

"More than just a Cisco server, they need to know how servers work, and how servers link to each other. They need to understand the strategy and engineering behind a server. They don't make those in college."

Maybe it's about time colleges revised their syllabus to better adapt them to the requirements of today's positions in the enterprise. It seems there is a lot of incompatibility between what colleges are teaching and what the companies need. 

"Individual technical certifications don't provide a broad understanding of security strategy, and CISSP certifications are only given to people who already have five years of experience working as a security professional."

This sounds like a typical catch-22. How on this world can you get five years experience working as a security professional if "There really aren't many entry-level positions in security in the same way there are in other industries," according to what Julie Peeler says. :/   

"What we really need is people who have experience beyond the one piece of technology."  

Okay. That's what they need. Does Julie says what is the best way to get that experience taking into account what she previously said about the entry level positions? Or I missed something? :( 

-Susan
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
2/26/2014 | 8:51:37 AM
Re: Catch-22
Peeler goes on to say in the original article in Dark Reading:

"...the security industry needs to do more to connect with children in primary and secondary school, as well as expand partnerships with universities. In addition to providing more mentoring, internships, and apprenticeships, the security industry needs to work with universities to create curricula that are nimble enough to respond to a rapidly changing industry."


In a similar vein, Dave Piscitello, VP Security at ICANN wrote recently about the need for more liberal arts education on the resumes of InfoSec job candidates:

"I work in InfoSec alongside respected colleagues who earned philosophy, physics, psychology, and political science degrees. I recently met former concert and improv flautists who are rock-solid privacy experts. STEM-centric education won't fill the short-horizon shortfall of cybersecurity talent -- and my head spins when I imagine the unintended consequences over the long term."

Another interesting point of view. I don't think it's a Catch-22 but a topic worth discussing. Any takers?

Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Ninja
2/26/2014 | 9:20:51 AM
Security and education
Thanks, Marilyn! 

Yes, I have to continue reading on DarkReading. :)

So I was not too wrong with my comment about education. Now reading that quote things look different. It doesn't look like a Catch-22 anymore. It's only a question of synchronizing with the educational institutions. 

Thanks for the second link, too. 

-Susan 
Joe Datacenter
50%
50%
Joe Datacenter,
User Rank: Apprentice
2/26/2014 | 9:50:11 AM
Re: Catch-22
Michele Chubirka wrote an article related to this on Network Computing: The Return of the IT Generalist. While the point is slightly different than the security study cited here, it speaks to a trend toward more integrated and overarching IT skill sets.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
2/26/2014 | 9:58:40 AM
Re: Security and education
It doesn't look like a Catch-22 anymore. It's only a question of synchronizing with the educational institutions. 

True, Susan. But "it's only" is not an easy task! 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
2/26/2014 | 10:05:18 AM
Re: Catch-22
Thanks for the link, Joe Datacenter. It is indeed an interesting article reinforces Sara's point. I particularly liked this quote from the author Michele Chubirka, who wrote in The Return of the IT Generalist

"With extreme specialization, have we created our own professional prisons, locking ourselves in chains of boredom? Engineers are by nature curious creatures and you need only look at most IT resumes for evidence. The two-year job-hopper is common in this field, because an individual will simply run out of challenges in most IT departments."

We definitely live in interesting times! 

Old Bull
50%
50%
Old Bull,
User Rank: Apprentice
2/26/2014 | 5:05:26 PM
I'm not seeing it
"According to the study, the most sought-after quality is a broad knowledge of security -- more of a strategic understanding than technical know-how -- followed by certifications."

I posted the below at the original Dark Reading column but got no response so I'll try again here:  who is favoring the IT generalist? I'd love to know.

"@ Sara, it was with great interest I read this article because I fit this description of the "non-techie" security applicant. I have psychology and business degrees, and twenty-plus years of seasoned business experience. Last year, I completed an M.S. degree in cybersecurity (no certs yet) and since have applied to approximately 75 cybersecurity firms and businesses advertising for cybersecurity positions (even though I may not have the *exact* qualifications they stipulate. Does anyone?) I haven't had the first interview or the first query of interest, even after listing my information with all of the major IT job boards.

The reason I went back to school for the graduate degree was so much talk of a shortage of people needed in cybersecurity, going back even for several years. However, the job ads I've seen put such qualifications on job candidates that they won't fill many (or most?) of these positions for a decade, until those they can groom early on from secondary schools are finished with school. Qualifications such as "must have an active security clearance in place", "minimum 5+ years experience" in this and that, "CISSP required", and so on. There is no interest in security newbies nor is there a desire to invest in developing anyone though the need for people is reportedly there.

So, coming from the trenches, I'm just not seeing this hunt for the non-techie security analyst. It just isn't happening. Please inform as to which companies are interested in us non-techies. Thank you.

R.S.

 
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Ninja
2/27/2014 | 8:01:18 AM
Re: Security and education
Marilyn, 

True. Not at all is an easy task! The "it's only" was meant in a positive way, as saying that there is a way out, there are possibilities, which is much better than my previous impression of the situation, totally lost, or extremely difficult. 

The educational institutions need to provide the kind of education required for today's needs. Some of them live long in the past. 

-Susan 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Author
2/27/2014 | 8:26:13 AM
Re: I'm not seeing it
Thanks for your post and reality check, "Old Bull." I would hope that what you are experiencing is a time lag in getting the word out from the forecasters who look at trends and the actual hiring managers in the real-word. Keep working on those certs, getting experience and and security firms looking for a more strategic perspective will eventually take notice.
shakeeb
50%
50%
shakeeb,
User Rank: Black Belt
2/28/2014 | 8:23:57 PM
Re: Catch-22
This is an interesting article. IT security has become an important as aspect for most of the organizations. This helps is streamlining IT process with proper procedures.  
Page 1 / 2   >   >>
Transformative CIOs Organize for Success
Transformative CIOs Organize for Success
Trying to meet today’s business technology needs with yesterday’s IT organizational structure is like driving a Model T at the Indy 500. Time for a reset.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.