http://www.computerworld.com/securitytopics/security/story/0,10801,105902,00.html

Security Manager's Journal
By C.J. Kelly
NOVEMBER 07, 2005
COMPUTERWORLD

My decision to stay in my current job for quality-of-life reasons provoked emotional responses from several readers. Some of those who wrote to me about that column [QuickLink 57182 [1]] had made similar decisions. But a few, after reading about how I turned down multiple job offers, asked, "Where are all these jobs you keep talking about?" I felt compelled to do a little research on the information security job market and present the results here.

First, I did an unscientific survey of the publicly posted jobs. In my case, most of the jobs I've had have come from personal referrals, so when I'm looking, the first thing I do is contact my network of friends and colleagues. However, I have found that searching the job boards gives me a sense of the types of jobs that are out there, who's hiring and approximate salary ranges.

I set out to answer five questions with this research:

1. How many security jobs are out there?
2. What types of security jobs are out there?
3. What requirements do employers have for certifications and degrees?
4. What parts of the country have more security jobs than others?
5. What are the salary ranges?

Whenever I'm contacted by a recruiter looking for security professionals, I point him in the direction of the International Information Systems Security Certification Consortium Inc., or (ISC)2, which offers the Certified Information Systems Security Professional (CISSP) certification. When I checked its site, the (ISC)2 had over 80 security job postings, many with multiple positions, for the month of October. The positions ran the gamut from salespeople to technical security engineers, executives and consultants. The companies advertising for security professionals were located all over the map, including Canada, England, Saudi Arabia and California.
Eighty didn't seem like a very big number, though, so I surfed to some of the major job boards. Each job board has its own way of making searching easier, but by searching for "CISSP" for October, I got the following results: Dice, 645 matches; HotJobs, 1,000; CareerBuilder, 713; Monster, over 800 matches.

There were plenty of job postings from the Big Four consulting houses looking for security types to do audit work, traveling 100% of the time for $40 per hour or less. For a qualified security professional, that's practically minimum wage. Working for one of the Big Four looks good on your resume, gives you a lot of experience (primarily in IT audit) and makes you an expert in dealing with airports, hotels and rental car companies.

I would exclude the big consulting companies. They charge exorbitant prices, but very little of that goes to the consultant who does the job. I also think companies would do better hiring full-time security people and internal auditors. (No offense to you Information Systems Audit and Control Association types; I am also a member!)

The biggest problem with searching was finding the right security job description for me. There's no real agreement on what constitutes a security engineer as opposed to a security analyst or a security architect. Executive positions (director level and above) aren't always posted, but those that are seem to be fairly clear about requirements.

Types of Jobs

The answer to the question about the types of jobs out there: You need to know what you are best at and look for jobs that match your skill set. There are plenty of opportunities, though many of them are ill defined. Many companies don't really know what they want and need, so you have to keep knocking on doors until you find one that swings open enthusiastically.

As for certifications and degrees, my first conclusion is that you should finish that bachelor's degree if you haven't already done so.
Not too long ago, technical people were hired based on a particular skill set, not necessarily on formal education. But the trend now is toward demanding that sheepskin, and a bachelor's degree seems to be the minimum requirement for a large number of posted jobs. In many cases, a master's degree is desired. I also found that employers want degrees to be supplemented by a string of technical certifications. The bar seems to be rising.

The CISSP is a very popular and highly regarded certification, but the SANS Institute also offers an excellent certification series that's highly respected. As Linux becomes more mainstream, Red Hat certifications are growing in importance. Microsoft offers the MCSE+ security certification. And let's not forget Cisco. There are many certification programs, but these are on the short list. They are all valuable, each with a different emphasis. The trick is to find the openings that fit your certifications and skills, and just keep knocking on those doors.

In the U.S., the West and East Coasts appear to have more security jobs than other parts of the country, and they pay more -- sometimes two to three times as much. Just remember that the cost of living matches those increased pay scales. I noticed that the job boards all have ways of doing area or metro searches, so with a little practice you should become fairly proficient at searching various locales for particular kinds of jobs.

As for salaries, they've been all over the map in recent years, and employers seem to be hesitant to post anything specific about them. Just remember to value yourself and your skills in advance so that when you are contacted by a prospective employer, you will be confident in your market value. Remember, it's not about the money. It's about doing what you love where you love to do it.

What do you think?

This week's journal is written by a real security manager, "C.J. Kelly," whose name and employer have been disguised for obvious reasons.
Contact her at mscjkelly at yahoo.com, or join the discussion in our forum: QuickLink a1590 [2]

To find a complete archive of our Security Manager's Journals, go to www.computerworld.com/secjournal

[1] http://www.computerworld.com/q?57182
[2] http://www.computerworld.com/q?a1590