This is an incredibly good time to be a security professional. If you are new to the field, maybe I can give you a little perspective, as I've been at it almost since the beginning.

A very short history: The security industry is less than 10 years old. Its founders are some incredibly bright people, many of whom will never get the credit they deserve for creating the tools and techniques we all use today. Earning and keeping their respect is one thing that motivates me; the other is the opportunity to build a world class team, regardless of where I work, or what I'm paid.

From 1994 until 1998, if you could build a bastion host or install a firewall, you could find work. The mindset of the client was, "I have security, I have a firewall." Attacks from the Internet were rare by today's standard, and many went undetected. There was little demand for serious pen-testing. Most security solutions were product driven: "if you buy this, you can fix that." But, occasionally an enlightened SA would ask you to test his/her work. Unfortunately, most preferred "security through obscurity". Many of the BugTraq vulnerabilities were posted by Engineers that were still in college, worked for an ISP, or at a college or university. Few had "real" security jobs.

Y2K got in the way of information security from 1998 to 2000. Security was put on the back burner. VARs that found the market slowing for firewall installs added Security Services and Pen-Testing to their product mix. Most didn't have a clue. They called a CyberCop or ISS scan a pen-test. In reality, maybe 200-300 people in the world were qualified to do a pen-test properly. At the time, Security Engineers went for $35-$70k, depending on location and the value an employer placed on his/her skills in the "black arts".

In 2000, the world changed. Y2K was a non-event. DDoS attacks took huge e-commerce sites offline. Credit cards were stolen and used or held for ransom. Poorly planned and secured sites made private information public. The public demanded security. The government began to regulate it. Experienced security professionals were sucked up immediately. Salaries jumped. The Dot Com build-up and offers of double, even triple, salaries exacerbated the problem. People with little or no experience added "security" to their pumped resumes and jumped in, providing substandard services to clients and employers. Recruiters had to deal with placements and employees that produced substandard work. Job jumping allowed people to hide inexperience. It was a confusing time. Employers didn't know what to ask for, how to qualify candidates, or what security skill-sets should be. Then the bubble burst and the world righted itself.

What's next? The demand for qualified security professionals is greater today than it has ever been. A search of Monsterboard will give you more than 2000 jobs in some facet of information security. According to Omni Consulting, security budgets increased 38% from 1999 to 2000 and are projected to increase 47% in 2001. NewsBytes reported annual security spending to increase by 50%. That means a constant demand for people that know security and can walk-the-talk. But companies that were burned by inexperience are much more cautious. If you have a resume of one-night-stands, don't expect recruiters or employers to welcome you with open arms. If you have attitude and a short attention span, consider a new career.

What can you do? RTFM. Job demand today revolves around Health Care, Financial Services and on-line credit card transactions. Learn what HIPAA and EFFIC Regulations mean, and what VISA, MC and AMEX requirements are and what you need to do to help e-Business comply. Relearn your craft. Fill the gaps in your education. Technology evolves. Are you up to speed on Windows 2000 security? What about wireless? If you're in Management, learn some Engineering. It makes you a better manager. If you're an Engineer, learn processes. If you can't repeat, explain and present what you do, people don't know how valuable you are to an organization.

The market hasn't gone away, it's changed. Take advantage of the opportunity. If you're good at what you do, the money will be there.

Steve Kirschbaum, CISSP
Chief Information Security Officer
Totality Corporation
skirchbaumat_private
This archive was generated by hypermail 2b30 : Sun Jul 01 2001 - 10:31:58 PDT