From the time he was 9, Daniel Kowalski, now 23, knew cybersecurity was going to be his thing. Captivated by the stealth work of hackers in commercials and in his favorite movie, Live Free or Die Hard, Kowalski nurtured his fascination with security from a young age, pursuing multiple IT and security certifications during high school and earning a degree in computer criminology at Florida State University.
After graduation, Kowalski moved through a couple of generic IT contract gigs — each providing some basic exposure to security — and landed an official role in his chosen field in less than a year: He's now an information systems security engineer at defense contractor Harris Corp. "My future lies in security," says Kowalski. "As far as where I want to be in security, it's too early to say — I've not yet specialized in anything, but I've touched on everything."
Kowalski's future should be pretty bright given that security now ranks among the hottest IT career tracks. Computerworld's 2015 IT Salary Survey reveals that there's strong demand for security professionals. Three-quarters of security pros participating in the survey said they'd been approached by headhunters in the past 12 months, and 71% said they felt their job was secure or very secure.
The spate of recent high-profile hacks at companies like Target and Sony Pictures has been a serious wake-up call for management about the importance of a robust IT security program. "The emergence of the cloud and the recent security breaches have been the perfect storm to drive demand for security roles," says Matt Leighton, director of recruitment at Mondo, a digital marketing and technology recruitment firm.
At least four out of 10 job requisitions coming across his desk are for security-related positions, he adds. "It's probably the hottest skill set we are working on today, and we're now seeing [salaries] catch up with demand."
Research by Robert Half Technology confirms that security talent is in demand. The IT recruitment firm's 2015 Salary Guide for Technology Professionals says demand for skilled workers will exceed supply in the overall IT job market "for the foreseeable future" and names security as one of three disciplines — along with mobile and big data — in which that gap will be especially large. There's especially strong demand for data security analysts, systems security administrators, network security administrators, network security engineers and security managers, according to the RHT report.
Not surprisingly, employers are willing to loosen the purse strings in order to fill security-related jobs. In Computerworld's IT Salary Survey, security management positions like chief security officer and information security manager saw the highest reported increases in pay from 2014 to 2015, with average total compensation for those job titles rising 6.7% and 5.3%, respectively.
In fact, nearly three-quarters of survey respondents with security titles reported an increase in total compensation from a year ago, with an average bump of 6.2%. In comparison, 68% of all respondents reported that their total compensation had risen in the past year, and the average increase was 3.6%.
The trend is welcome news to Bobbi Jo Pickar, who has spent 27 years as an IT security professional, holding various technical and managerial roles. "In the past, management hasn't given us enough credit and they didn't realize how much a security organization could save a company or government by doing things right," says Pickar, who now serves as an information security specialist/computer systems security analyst at Lockheed Martin. "Now that they understand how much risk could cost, they are starting to take a much more proactive approach."
The pros and cons of constant change
The spotlight on security and the increasingly malicious nature of cyberattacks have created new opportunities for security pros, and those factors have helped turn security into a satisfying career, says Kevin Fred, a senior information security consultant who's now working as a principal security engineer for a large payment processing company in Cincinnati. Security has gained lots of new job descriptions, including C-level positions that didn't exist years ago, and security roles have increased in stature across the board.
"We're in an elevated spot — in any company across every industry, infosec is held in higher esteem because we're the protectors of the crown jewels," he says. "There's a lot of prestige and satisfaction that comes along with that."
Also satisfying to Fred and other security professionals is the dynamic nature of the field: As threats evolve, there's an endless stream of new material to master. The constant change appeals to Tim Pospisil, IT security supervisor for Nebraska Public Power District, who has been in IT for eight years and has done security work for almost half of that time.
"I work in nuclear, which is the best of 1960s technology, and [security] is not," he says. "Security is definitely cutting-edge. You're always having to adapt to something new, whether it's new vulnerabilities or new ways hackers are exploiting the network. It forces you to constantly be on your toes, and it keeps you fresh."
However, Pospisil warns that the constant change can be a drawback. "You don't ever feel like you get downtime or get a chance to catch a breath," he says. "And there's always the fear that you're going to miss something and become a logical target."
The other big negative is that security is hardly an organizational favorite, so those in the field need to be prepared to deal with the occasional irate user who doesn't like being denied access to a particular website or being required to follow a bunch of protocols. "We're kind of like the IRS of the organization — no one really likes us," Pospisil says. "It's one of those necessary evils: People recognize [security's] value, but you're generally not their favorite person."
The right mix of skills
Those realities mean a certain mix of experience, skills and personality traits is required to succeed in security. Being a self-starter and active learner is critical, Pospisil says. Also key are good communication skills and hands-on security experience.
In addition, technical certifications can be a bigger deal in security than they are in other IT-related fields — a trend confirmed by Foote Partners, an IT staffing research and advisory firm. The Feb. 27, 2015, edition of Foote's IT Skills Demand and Pay Trends Report shows strong growth in the market values of 69 information security and cybersecurity certifications in 2014, with average gains of 3.7% in value in the last three months of the year.
The security certifications most in demand among IT professionals were those related to auditing, hacking and forensics. Beginner security certifications, like the CompTIA Security+ accreditation, also enjoyed an uptick in popularity — a possible indication that more people are focusing on infosec as a career choice, says David Foote, chief analyst and co-founder of Foote Partners.
Computerworld's 2015 IT Salary Survey yielded a similar finding: Training programs involving security skills were the No. 1 pick among IT professionals pursuing certifications.
While certifications and hands-on experience are important, people skills and knowledge of the business can really make a security professional stand out, says John Becker, chief governance officer at Phenix Energy Group, where he oversees computer security, compliance and governance.
"This isn't just about certifications and security — you need IT security people who can talk about the risks," he explains. "It's a much more complex and multifaceted role than other IT work." It also doesn't hurt if someone is intrinsically paranoid: "We want people who really don't believe anything they hear," Becker adds.
If you're up to the challenge, there are a number of steps you can take to open doors to a job in security. Making a commitment to continuous learning — reading, participating in webinars, staying up to date on industry trends and studying recent data breaches — is a must. It would also be a good idea to pursue any number of basic and specialized security certifications.
If you can't land a security-centric job right away, you can get some basic training by lining up IT roles that provide some exposure to security functions like intrusion detection or application testing. And you can raise your profile as a security expert by sharing security information and recommendations with your colleagues. If you do that, people will come to respect your opinion and will eventually start to rely on your expertise, says Mondo's Leighton.
"Most companies don't have a security engineer — most have a systems administrator that they hope takes care of the security aspect," Leighton says. "By bringing information to the CIO and making recommendations, you position yourself as the resident expert."