Information Security Career Predictions - David Foote on What's Hot and Why
This is the prediction of David Foote of Foote Partners, the FL-based consultancy that tracks IT skills and competencies. In a look ahead at 2010 and beyond, Foote discusses:
Foote has long been one of the nation's leading industry analysts tracking, analyzing and reporting on IT workforce management and compensation practices, trends and issues. His columns, articles and contributions appear regularly in dozens of publications.
As Foote Partners' CEO and Chief Research Officer since 1997, David leads a senior team of experienced former McKinsey & Company, Gartner, META Group, and Towers Perrin analysts and consultants, and former HR, IT, and business executives, in advising governments and corporations worldwide on increasing performance and managing IT's impact on their businesses and customers. Prior to co-founding Foote Partners in 1997, David was an analyst and consultant with Gartner and META Group, co-founding and directing META's executive service for Chief Information Officers and leading the firm's IT Human Capital Management and Compensation research practices.
TOM FIELD: What are the predictions for information security jobs in 2010 and beyond? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with David Foote of Foote Partners. David, we have talked some about what you call the security careers bubble. Why don't you give us a little historical perspective on that?
DAVID FOOTE: Security has had an interesting history. It is a little different than a lot of other parts of IT, but some significant milestone led up to where we are now; and by the way, I am going to go back and tell you why I believe next year and the year after that security is bar none the smart place to be in IT. And that is spanning of all IT, but I am going to go back to 9-11 and what that did to spur the supply of people wanting to do security who were not doing security, who were reacting to the aftermath of 9-11 and what the Patriot Act did and the Homeland Security Act, and then what Sarbanes-Oxley did in creating demand for security talent.
There were a lot of people back in those years (2001, 2002, 2003 and 2004) who chose security as a safe bet in their career and there was a lot of interesting employment back there, but that crested in about 2004 when a lot of the work, particularly of Sarbanes-Oxley, a lot of that work was being done and some of the first quarterly filings where compliance had to be met and measured were happening in the 70 percent of companies who are on calendar year fiscal years.
At that point, we became aware as analysts looking at workforce trends that we began to see an oversupply of security talent that was driving prices, driving down salaries and paid for security skills, and that trough hit in about 2004 and it lasted into 2006 and at this time we were seeing overall the annual increases in certification pay. We track about 200 certifications and pay for those and about 200 non-certified skills. We started seeing annual increases back in late 2005 of 3.3 percent in all the certifications that were tracked, but security certifications were going the opposite way. At the same time we were seeing 3 to 3.5 percent annual increases in pay for certifications, we were seeing declines of more than 2 percent in security certifications.
So something was happening in security at this time that we started to notice, and it was the one thing, the one milestone that was finally going to get organizations, CEO's, to pay attention to spending in security. That happened to be nervous customers. We began noticing in a lot of our surveys -- and we survey outside of IT as well into the business -- we started to see a lot of nervousness among customers building up. Concerns about the rise of threats to data and data security in general.
For many years if you looked at security budgets, a lot of the budget was devoted to protecting really external threats, defense and not protecting internal data assets, and we started seeing a focus of this in the protection of data assets as customers started becoming nervous and expressing that in terms of how they spent their money and started to explain to vendors 'Look, we are not pleased with the level of security that you are presenting us with your products and services,' and they started to look at some smaller companies that had developed the solutions in these areas.
That message got through the sales force right to the top saying 'Look, this could be a threat to market share of ours, and we have to start looking at security in the products and services that we produce.' At the same time, there were a number of state breach disclosure laws being triggered that began to hurt corporate brands, corporate images, it started to create damage to corporate brands, and the rising cost of breaches was being noticed internally, and at the same time there were concerns about missing mobile device, custom malware was getting to be more of a problem, social engineering, web application vulnerability, the fact that now it wasn't OS, but the browser that had the point of contact.
And at that time we began seeing an interest in hiring security professionals at a time when companies were operating for years with skeletal staff, severely understaffed in security. At this point if you look back at some of our data on just what people were being paid, back in late 2007, and we predicted, we put out an alert back in March of 2006 to our customers saying 'Unless you start immediately beginning to increase higher and intensify staff development in security services and products, you will probably not have sufficient bench strength by late 2007,' when we saw a crescendo in demand from customers who had been seriously understaffing their security functions (that's product development and internal).
So we put out that alert because we saw in late 2007, and it came true. We saw annual spending on security certifications and people with security certifications going up between 3.5 and 4 percent at the same time pay for all certifications was starting to decline in value. So at this point, starting in 2007 clear up until today, the only area, category of IT skills, certified and non-certified that have increased in value steadily, and this is going back to the beginning of the recession in December of 2007, has been security certifications. They are up about 3 percent in value whereas certifications in general -- and these are 200 certifications we survey -- are down 6.2 percent in value. Since the Wall Street meltdown, security certifications are up about 1 percent in value, and all certifications are down 1.6 percent in value. So what we saw was a real turn to interest in, I think. funding of security operations.
FIELD: That's good David, that's good context. Now you have talked about a perfect wave that has been propelling the surge in security jobs. Talk about that wave a little bit and how it has driven the surge.
FOOTE: Now I have seen two waves in the past where you had a unique kind of combination of factors that come together that create seemingly unstoppable momentum, and with that brings a really quite sensational job skill and career opportunity to IT professionals. We saw this in the early 1980's (1981, 1982) with the introduction of the IBM personal computer and then the personal computer in business. We saw this in 1995 and 1996 with the acceptance of the internet as a business platform. And now we are seeing this right now and the beneficiary are the security professionals.
The perfect storm there are basically five or six things. These are momentum drivers, and one is as I spoke about before, the constant fear of increasing data threats and what that means to companies. The idea of IT professionals no longer interested in just focusing on a kind of attack, but on what are these threats doing to business assets and the value of information that might be stolen in a company and what the value of that is to the company, to their brand, to their image, and to their revenues and profits.
Then you have got regulation increasing, I think we can all agree on that. We have got these accelerating customer expectations and demands for security solutions and good vendors, and a number of vendors have really picked up on this. I am thinking of Oracle, Cisco, SAP, Microsoft and their ability to build some of this into their products. You have got also a boom in virtualization, mobile computing, cloud computing and other emerging what I would call insecure technologies, like Smart Grid. mentioned virtualization before, and you have got also -- and I think this is a big one here because it speaks to a number of new jobs coming into the security department -- the splitting of business and strategic risk roles and traditional operational security roles. This has been really accelerated by market forces.
So we are not talking here about just deep technical infrastructure and application security skills that have risen in esteem. We are talking about new and emerging corporate and business-line security jobs that are just screaming for security pros with specialized skills in business and industry-specific skills, functional domains, to assist in a variety of long overdue risk management governance process and integration activities. And you know that integration is a problem because to this day there continues to be tension between security departments and the business, and that is always going to be an issue, and that is an issue that has created sort of a new wave of hiring in CSO and CISO jobs. That is, you know, business savvy security executives who are able to communicate ROI, who are able to communicate the level of threat and not just to the systems in the business, but overall asset value revenues and profitability.
So you know unlike some of the other IT jobs or job segments, we think in the next year there will be plenty of action for IT security professionals, and not just 2010 and beyond, and part of this is the hiring constraints that we think are going to continue to be felt in 2010 and into 2011, and the fact that there are just finite resources. Employers are focusing less on filling jobs and more on acquiring skills. They are looking at full time/part time security specialists so some will find jobs, but really what you have is just employers reacting, IT departments reacting to business pressure to deliver quicker, more predictable high impact execution. They are going to be turning more in this next year to security contractors and consultants, and we think there are a lot of opportunities there, particularly in boutique consulting firms, small consulting firms that we hear about all the time. We have been hearing about this for three years where they say 'Look we don't have enough people to service the demand for our services that are coming at us right now.' A lot of companies look to the boutiques because number one, it is cost efficient and usually there is a lot of great talent in smaller firms having worked at larger firms and also in significant roles in larger companies. Companies like working with smaller companies. It is a win-win all the way around. But there is a lot of stress being felt in those workforces; again there are not enough bodies to do a lot of that work.
Let's also talked about managed services. Managed services, if you look at some of the projections on the growth of managed security services, we have seen projections as high as $6.0 billion dollars in revenue business by the year 2011. We are seeing compound annual growth rate projections through 2014 as high as 27 percent for some segments within managed securities services, and I think that one was in wireless security services, mobile wireless security services, which is very popular right now.
So you have a choice: You have got people looking for skills, they can hire full and part time, they are constrained there, many of them are feeling pressure to execute on a number of these risks and plans associated with risks that look to contractors, that look to consultants and traditionally it has been small to medium sized businesses that have been scarfing up a lot of these managed security services and then the adoption rates are much higher with these small to medium sized because they have very lean staff. We think clearly this is going to be moving upstream to some larger companies as well.
Again, we are just constrained by the inability to hire, but still have the issues at hand and the solutions that they have to solve that are security related. So it is looking like a very good year in 2010 for IT professionals and it is the reason we have said bar none it is the best place to be in IT heading into this New Year.
FIELD: Well, David, let's boil it down to some predictions for 2010 and beyond. What do you see, or what are your predictions for security jobs going forward?
FOOTE: Well, it is hard to be specific about anything after the year that we have seen in terms of numbers, but we do see that we have identified through our surveys that we do a number of different hard and soft surveys, and I am particularly interested in what we are hearing from executives themselves. We compiled a hot list of the 24 most in demand market competitive IT certifications for the first of the year and on that last of 24, 12 are security certifications.
That is a significant number.
We also have asked them, 'Well, what skills, aptitudes and competencies are you most looking for so if you are a person unemployed or underemployed looking for where you can best apply yourself?' That list, in no particular order, in alphabetical order for the first half of 2010 is in biometrics, application security, which is particularly in small to medium sized companies in application security, data leak prevention, disc and file level encryption solutions, forensic analysis, identity and access management, infinite handling and analysis, intrusion detection and prevention, network security, penetration testing, secure code development, security architecture, smartcards tokens, disposable passwords, VOIP security, web content filters, threat vulnerability assessment. And also what I left out of this list are a couple of areas of government compliance and audit and regulatory compliance audit; there are a number of GIAC tools that are becoming more popular and I think companies are starting to look more seriously at some of these as they go forward. There is a new certification -- well it's not new because it has been around for about a year or maybe year and half from ISACA -- in governance and enterprise IT, and we will be taking a good hard look at that in our surveys as we look at people willing to pay. Again these are IT certification and skill pay indexes where we are looking at again, across 406 certifications and non-certified skills and looking at what people are paying for them as premium pay, which is a very popular form of remuniation right now.
We are looking at electronic medical records in the healthcare industry, and the skills in that are a number of application security access control data integrity and DLP, and we are looking at a number of--you know what, I think in the time that we have I think those are the most important. Let me mention that those list of certifications in rank order, the GIAC certified incident handler, which is the number three rank out of 24; the systems security certified practitioner I believe that is from ISC2 and that is number four; checkpoint security administrator is number eight; the CISA, the auditing certification for ISACA is number 11; checkpoint certified security expert is number 14; a couple GIAC [indiscernible], SANS GIAC certifications for forensics analysts at 15; intrusion analysts at 16; the certified hacking forensics investigator is number 19 from UC Counsel; again a couple of SANS certifications at 20 and 22 which are the audit essentials and the incident manager certifications; rounding out the list at 23 and 24 are the checkpoint certified master architect and the secure software programmer from the SANS Institute. So there is a lot of information for your listeners to chew on as far as what people will be paying for and what they will be seeking in skills and certifications in the next year.
FIELD: David where can they go to get more information?
FOOTE: Our website is www.footepartners.com, and we have a number of reports, trend reports that we make available on our website that are opt in's. One is the quarterly IT skills pay and demand trends report and we will have a new one up in the middle of January because that is updated every three months, and the Foote Partners Hot List Report, which I just read from, which are the most in demand non-certified and certified IT skills projected for the next six months and that is updated every three months and the new one will be available about mid-July or mid-January. The one that we have up right now is dated through October 1st.
FIELD: David, as always I appreciate your time and your insight, and I look forward to talking with you in the New Year.
FOOTE: Thanks, Tom.
FIELD: We have been talking with David Foote. For Information Security Media Group, I'm Tom Field. Thank you very much.