Security specialists' salaries are up... so what?

Baseline magazine reports that IT security specialists' salaries have been rising in the first half of 2007. Security professionals saw an initial jump in demand after Sept. 11, 2001, but the market for their skills dropped off in the last couple years. Now, things are looking up again -- security professionals are in more demand and commanding higher salaries.

As the Baseline article notes, after that initial jump it didn't take long for most businesses to turn their IT hiring focus back to the usual interest in vendor-specific application-stack specialists. Now, in the wake of recent high-profile security compromises in both industry and government, the pendulum is swinging back the other way.

The security hiring frenzy is on again. Most of the decision-makers in these companies, however, aren't really solving their problems. They're just playing a game of Security Problem Excuse Bingo and covering their assets.

The on-again, off-again cycle of security spending is only likely to become more pronounced and recognizable in the years to come, with little real progress in improving security policies, unless the IT industry undergoes some significant and fundamental changes.

First and foremost, IT professionals are going to have to start recognizing the importance of basic security principles, rather than treating security as nothing more than rote observance of "best practices." I don't mean only security specialists; I mean the entire IT industry. Unless and until real attention to security concerns and principles becomes an integral part of the practice of all IT professionals, the IT industry will continue to be reactive, superficially oriented, and very hit-and-miss in its ability to address security concerns.

Viewed within the greater context of what's been happening on the security front in the last couple of years, all the current upswing in security specialists' salaries really indicates is that the IT industry is still operating in a reactive manner. More frequent high-profile reports of lost laptops and plundered customer databases provoke a response, as boards of directors pressure CEOs and CIOs to keep their corporations out of the headlines.

By the time decrees filter down to where the rubber meets the road, all we get is budgeting for more vertically integrated security products and another guy on the payroll with a certification. Unless that guy has real skills to offer beyond the certification, he'll be back in the unemployment line on the next downswing in security specialist employment.

There's evidence in security community discussion[1] that some companies may be headed in the right direction[2], but as usual the connections between what goes on in the security community and what goes on in corporate IT shops are tenuous. The question this raises is: What is your organization doing about security these days? Is it making grand gestures, or is it really committing to developing effective security procedures and policies? How does it handle policy enforcement when there's dissent in the ranks? Where is the security money being spent, and does the organization treat throwing money at security products as a solution to the problem?

Does your organization's attempt to tighten security stop at legal compliance and "industry best practices," or is its commitment to security deeper than that?


[1] Information Security and Outsourcing IT Services

[2] best place for IT Security team in the company organisation