Security specialists' salaries are up... so what?


Baseline magazine reports that IT security specialists' salaries have been rising in the first half of 2007. Security professionals saw an initial jump in demand after Sept. 11, 2001, but the market for their skills dropped off in the last couple of years. Now, things are looking up again -- security professionals are in more demand and commanding higher salaries.

As the Baseline article notes, it didn't take long for most businesses to switch their focus for IT hiring back to typical interest in vendor-specific application stack specialists. Now, in the wake of recent high-profile security compromises in both industry and government, the pendulum's swinging back the other way.

The security hiring frenzy is on again. Most of the decision-makers in these companies, however, aren't really solving their problems. They're just playing a game of Security Problem Excuse Bingo and covering their assets.

The on-again, off-again cycle of security expenditures is only likely to become more pronounced and recognizable in the years to come -- without much real progress in improving security policies, unless the IT industry undergoes some significant and fundamental changes.

First and foremost, IT professionals are going to have to start recognizing the importance of basic security principles rather than considering security to consist of nothing more than rote observance of "best practices." I don't just mean that security specialists must do so -- I mean that the entire IT industry will have to do so. Unless, and until, real attention to security concerns and principles becomes an integral part of the practice of all IT professionals, the IT industry will continue to be reactionary, superficially oriented, and very hit-and-miss in its ability to address security concerns.

Viewed within the greater context of what's been happening on the security front in the last couple of years, all the current upswing in security specialists' salaries really indicates is that the IT industry is still operating in a reactionary manner. More frequent high-profile reports of lost laptops and plundered customer information databases provoke a response, as boards of directors place pressure on CEOs and CIOs to keep their corporations out of the headlines.

By the time decrees filter down to where the rubber meets the road, all we get is budgeting for more vertically integrated security products and another guy on the payroll with a certification. Unless that guy has real skills to offer in addition to his certification, he'll be back in the unemployment line on the next security specialist employment downswing.

There's evidence in security community talk[1] that some companies may be headed in the right direction[2], but as usual the connections between goings-on in the security community and corporate IT shops are tenuous. The question this raises is: What is your organization doing about security these days? Is it making grand gestures, or is it really committing to developing effective security procedures and policies? How does it handle policy enforcement when there's dissent in the ranks? Where is security money being spent -- and does it consider throwing money at security products a solution to the problem?

Does your organization's attempt to tighten security stop at legal compliance and "industry best practices," or is its commitment to security deeper than that?

Notes:

[1] Information Security and Outsourcing IT Services

[2] best place for IT Security team in the company organisation

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

6 comments
jim.greenstreeter

Good article, and I think I've scored many bingos in my career.

adaple

All of what is done here is done in REACT mode. The feces has to hit the rotary oscillator in order for the CEO and CFO to get pissed enough to do what we've been asking for. I think that IT is still looked upon as an expense and not as a true asset. I also believe that the "higher ups" don't really believe what we tell them until something happens to their beloved spreadsheet or accounting program. I agree that security begins with enforcement. If there's a policy but no action is taken to enforce it, then there is no real security. Well done.

d_getaneh

Yes indeed, paramount importance should be given to security!

halibut

The article is well written and to the point. To the point about being unemployed when the security frenzy cools, the one advantage we have as security individuals is that we can fit into other IT sectors when there is a security job downswing. And we get frustrated when the organization says that they don't have the budget to implement X level of security. IT security in general is still a mystery to most individuals outside of the IT security realm. "Our company is too small to be a target" or "We have a firewall, right? We are secure." or my favourite, "We paid $X,000's for that high-end security appliance or service, so we are compliant. That is one less thing to worry about." The more IT security is understood by individuals and management in organizations, the more job security we will have.

Locrian_Lyric

I think IT is not understood by the corporate world in general. We are essentially wizards they call upon to wave our magic wands, utter a few spells (though we call it code), and make everything better, then complain about how much we cost. I agree with you completely; now how do we get management to understand?

apotheon

IT security is one of those fields where the experts want other people in the organization to know more about what they do, not only because it makes their jobs easier, but because it also increases job security. Often, the less people know about security, the more they think they know about it -- and thus, the more they think they don't need someone there who really knows something. That's not to say that everyone should go right out and find someone to tell them new places they can spend money for a greater feeling of security. On the contrary, security is about saving money in the long run -- and a security professional should provide decision-makers with options for how to save money, not only by protecting themselves against future disasters but also by implementing efficient, necessary security rather than picking up some obtuse sense of "industry best practices" from a magazine (and ending up with that $X,000 appliance you mentioned). There's a lot more I could say about it, but I think I'll stop before I get too boring here, and save it for a future IT Security blog article.

"The article is well written and to the point."

Thanks for the positive response to this article.