Companies think about their security practices a lot like we think about going to the dentist. We have to go, but we don't want to; we'll put off painful yet necessary gum surgery on the gamble that our teeth won't one day fall out. But then we see someone with no teeth and become frightened enough to schedule an appointment. And flossing is not unlike changing our user passwords: We're supposed to do it regularly, and it certainly makes good sense, but . . .
Corporate security is at a crossroads. Companies must stop fiddling around and take a hard line on what's negotiable and nonnegotiable for protecting their most valuable assets. Amid all the latest news about privacy, hacked networks and virulent electronic "love letters," a more interesting story is what's been happening in security-related employment. It has one of the widest supply-and-demand gaps of any IT job category: Employers report vacancy rates as high as 90%.
But here's the worst part: Employers aren't really sure what they should be looking for in hiring security professionals. Meanwhile, Rome burns.
While knowledge of the technical side of security is obviously a big factor in filling these positions, there are equally critical success factors in both high- and low-level security jobs: being adept at corporate politics; possessing business skills and aptitudes; having good relationship management skills; and being able to market, sell and negotiate outcomes. That's because we desperately need to motivate managers to take on security with the same vigor they reserve for, say, new product development. You can't do that with a bunch of techies running security, which is the case in many places.
Security professionals will always need to master newer technologies for protecting IT systems. But they're under increasing pressure to understand their company's entire business and pinpoint the security breaches that are most threatening to the bottom line.
In the next few years, security managers will need to focus on complying with new security and privacy regulations in health care and finance; developing stronger user-awareness policies; addressing a bigger basket of security issues, especially the growth of wireless access; running business-to-business exchanges; and defining the role of application service providers.
Companies should be recruiting a breed of security professional who possesses softer skills, including a positive attitude, diplomacy, patience, attention to detail, tenacious abstract problem-solving ability and a strong will. This will help them gain visibility and acceptance in selling hard-line ideas.
As for technical areas, security pros now need network engineering and operations skills, regardless of their specialization. New security niches - forensics and intrusion detection, for example - are hot, and having a niche certification is desirable.
But employers must scrutinize job candidates for how they work with others, on teams and with customers, since that's important in cutting through resistance and raising security mind share. And why shouldn't they hire reformed hackers, who have pure tech skills, tenacity and creativity? Casting a wider net will narrow the security employment gap and update the function.
Corporate debates on policies relating to security standards, user awareness, remote/wireless access, acceptable authentication methods, risk management, privacy trade-offs and outsourcing need expediting. This will be done only with a more astute, hands-on security team that speaks to the business persuasively, knows how to finesse a corporate agenda and has the chops.
David Foote is founder and research director of Foote Partners LLC, an IT workforce research firm and security management consultancy in New Canaan, Conn. Contact him at dfoote@footepartners.com.
Security Risk and Reward