How to Succeed in a Two-Faced IT Security Job Market

More companies are hiring CSOs and moving security tasks in-house. But that doesn't always mean more jobs (article and 3 audio clips).

More companies have hired CSOs and CISOs in response to an ever-increasing regulatory compliance load. They are spending less on outsourcing as economic conditions prompt them to handle more security tasks in-house.

On the surface, such a trend would look like a great opportunity for IT security job seekers. But according to several IT security practitioners, that's not exactly the case. Still, there are lessons job seekers could learn from current events that could ultimately help their careers along.

In a recent series of conversations with CSOonline, IT security practitioners said they have indeed seen evidence more companies are bringing in CSO-level people to confront a dense web of security regulations and the growing threat of data security breaches [see Lessons of ChoicePoint, 4 Years Later for examples].

At the same time, they acknowledge an economy mired in recession is forcing companies to bring in-house a wider array of security tasks they once entrusted to third-party providers.

"When I first started working here, we were using a mix of vendors [to handle certain security tasks], but today, since I'm here and because of the economy, we are trying to do more in house," said Mauricio Angee, senior manager, IT security and compliance and CSO at Universal Orlando. In the beginning there was no security staff per se, and he was a one-man operation. But now he has four security specialists working under him, handling such tasks as firewall and IDS management.

  • Listen to the full conversation with Mauricio Angee HERE
  • But Angee's situation doesn't mean a rosy security job market in the larger picture.

    George Moraetes, a Chicago-based information security executive and enterprise architect, has seen first-hand evidence in his work as a consultant that companies are trying to cut corners and give the CIO or CTO the additional task of security so new hires aren't needed.

    "More CSOs and CISOs exist in the much larger companies, but go down to the small- and medium-level businesses and you see them giving people two hats. The CIO ends up being the security guy. I've recently talked to one CTO who is having to double as security administrator and he hates it," he said.

  • Listen to the full conversation with George Moraetes HERE
  • The job picture also depends on geography.

    Pete Hillier, an Ottawa-based CISSP and CISO, said there have been fewer CSO positions created in Canada because that country isn't grappling with as much regulation as the United States. "The need for compliance tends to mean more CSOs," he said.

  • Listen to the full conversation with Pete Hillier HERE
  • Hillier also sees a flip side to what's going on. While companies may be cutting back on security outsourcing, the result isn't always the need for more IT security hires. That's because newer security technology allows companies to do more in-house AND do it with fewer people.

    "Technology is becoming easier to use, and so less becomes more," he said. "Where five people used to be required to run a security ops center, it can now be done with two or three people."

  • SLIDESHOW: Inside a Global SOC
  • Though Moraetes and Hillier paint a grayer picture of how these trends are impacting the security job market, Angee sees a brighter future for job seekers who are willing to watch and learn.

    "When I first got started security was an afterthought," he said. "The demands of compliance have made companies better at security. And in my current role, the CIO has given me a seat at the table with a lot of visibility."

    His advice to job seekers: If you see an opening for a CSO or CISO, read the job description carefully before diving in.

    "I've seen more CSO job postings, but the descriptions often involve managing switches and doing what an engineer does," he said. That being the case, make sure the position is really about the higher-level, strategic planning and business-minded tasks that define the true CSO role, he advises.

    Copyright © 2009 IDG Communications, Inc.

    Make your voice heard. Share your experience in CSO's Security Priorities Study.