Information security specialists have it a little better than other IT professionals in today's tight job market, but not by much. That's according to Jim Wade, senior vice president and chief information security officer at financial services firm KeyCorp in Cleveland.
The pay is slightly higher, Wade says -- maybe 10 percent more than for other IT positions at comparable levels -- and a high-quality candidate, especially in the senior-level ranks, should have no problem finding interested employers.
To become a top-ranked information security specialist, you have to make the right moves. Here are some tips to help you manage your information security career.
Get the right certifications, says Wade. There are three types: vendor- and technology-specific, skills-based, and knowledge-based. You'll likely need all three at different places in your career.
When you're first starting, he says, knowledge of a specific technology, like firewalls, is good for operations jobs. The next step, demonstrating a skill such as intrusion-detection expertise, earns you entry into specific projects. When you want to move into management roles, a broad-based certification, like Certified Information Systems Security Professional (CISSP) or Certified Information Security Auditor, is the way to go. (Wade is also president of International Information Systems Security Certification Consortium Inc., a professional standards group for the security industry and the body that oversees the CISSP test.)
The better certifications account for the fact that information security is a continual learning process, says Kerry Anderson, vice president and information security officer at Boston-based FMR Corp., the parent company of Fidelity Investments. So look for ones that require continuing education credits to maintain your status. They indicate that you stay up to date in this changing field. Ones that require you to demonstrate on-the-job experience are also more valuable to employers, she says.
Consider earning a graduate degree in information security, says Wade. Look for programs that combine technical training with business strategy courses; today's security professional has to be as savvy about corporate financial goals as he is about Unix security holes. Two places to check out: Purdue University and Idaho State University.
Increase your disaster recovery and risk management skills, says Kenneth Davis, director of information security at Allstate Insurance Co. in Northbrook, Ill. People with disaster recovery skills are vital to businesses because they keep operations running in an emergency. A need for people with risk management expertise arises out of recent government regulations that require businesses such as financial services firms and health care providers to protect personal data.
Build a home laboratory, says Tom Baltis, manager of risk management at Allstate. Readily available freeware or shareware versions of many commonly used technologies put such a lab within the means of most people, he says. This gives IT professionals the opportunity to acquire knowledge of the underlying theories and uses of security tools -- skills that transfer regardless of the actual product used.
Give something back to the information security community, says Wade. The best way to do that, he says, is to work with standards bodies and professional organizations to develop best practices and enhance the common body of knowledge.
Get on a project working with strategic partners, such as vendors, service providers and customers, Wade says. This gives you valuable experience in an area of growing importance: providing adequate levels of security when the risks arise from connecting to systems outside your infrastructure.
Consider an internship in IT security if you're still in school, says Wade. Not only will you get practical, real-world experience, but you'll also make valuable contacts for your postgraduation job search.
Johnson is a Computerworld contributing writer. You can reach her at firstname.lastname@example.org.