It's Cisco Live this week - in London, at least. As usual, Cisco makes certification announcements around the time of the show, and this time the announcement has to do with Security. And while the actual announcements are interesting, the bigger deal is that Cisco appears convinced that the demand for security workers will exceed the supply, both now and in the coming years. Today I'll take you through some of the facts of Cisco's announcement, and then develop some of the reasons why Cisco believes security is a hot career area.
Cisco lists certifications in two broad categories: career certifications and specialist certifications. The career certifications include the broad and more commonly known certifications, like the CCNA, CCNP, and so on. The specialist certifications cover a narrower range of topics - sometimes directly overlapping with the technology in the career certifications, and sometimes covering topics outside the career certifications.
Before this week, Cisco already had several specialty certifications related to security. Cisco's adding three back to the mix this week:
- Cisco IOS Security Specialist
- Cisco Firewall Security Specialist
- Cisco VPN Security Specialist
How do you get these? Well, you simply pass one or two of the current CCNP Security exams, and meet the pre-requisite of needing a current CCNA Security certification. The figure below shows the three new security specialty certifications.
These certs map directly to the exams in the new CCNP Security certification. In particular, if you pass all four exams to get your CCNP Security cert, I could 5 total specialty certs earned along the way - the three above, plus the IPS and ASA specialty certifications.
Why the Focus on Security?
The bigger question that comes to mind, for me at least, is why all this focus on security? So, in the pre-announcement briefing, I asked. Here's the brief version:
1) Security Requires Role redundancy: Simply put, you can't go without a qualified person for short to medium periods of time. Everyone has to have some time off, go to classes and meetings, and so on, and the risk associated with having your only skilled person gone and unavailable is too much. The solution? At least have role redundancy, that is, have multiple people with real skills for each part of the security puzzle. Common sense, but this is one of the reasons highlighted by Cisco.
2) Security Personnel Turnover Expected to Increase: Cisco reviewed generally the assertion that demand for network security engineers will exceed the supply for the foreseeable future, and that Cisco was trying to help the market through these new exams and courses (last fall) and these new specialty certifications. Taking that at face value, it's a microeconomics 101 issue: demand exceeds supply, which drives up how much security engineers are paid. That means turnover as more security engineers go for new higher-paying jobs. And it creates an opportunity to learn security and get dragged along into job opportunities and higher pay.
Then, you tag team that idea with the chance of going months without key network security personnel after someone goes to a new job, then the need for role redundancy is greater - which means most organizations should be scrambling to increase security skills of the existing staff.
So, that's some of the substance of what I heard from Cisco. However, I was a bit skeptical, and asked if they had any publicly available data to back up the baseline assumption: security personnel demand does/will exceed supply. Cisco cited three references:
A 2010 CCIE survey, which showed that security is the top skill needed over the next 5 years. (Survey is dated Feb 2009.)
A 2009 Forrester research study, published on Cisco's web site. This survey asserts that managers need to focus on roles, coverage, and that managers claim that they look at certifications to validate skills. If you look closely, those certs follow behind the idea of looking for experience. (I have to admit, reading the report, it made me wonder if the objective was to favor certifications, but you can make your own assessment.)
An article on the HomelanSecurityNewsWire.com web site, which has some real evidence of the demand exceeds supply argument. In particular, this article sites competition with the private sector for security engineers and that the candidates currently filling the technical security jobs simply aren't technical.
Well, that's the news - some new Cisco specialty certifications, plus some seemingly good news on the job front if you're interested in network security. But I can't resist the urge to ask you all. Do you see it happening locally? Do you buy this idea that the demand exceeds the supply of network security engineers? Weigh in with written comments, take this poll, and join in.