Is there a disconnect between demand for security jobs and certifications?

Security experts are in demand, and there aren’t enough skilled cybersecurity pros out there to fulfill current employer demand, according to a story published this week by my colleague Jaikumar Vijayan.

The piece cites research from employment firm Burning Glass and finds demand for cybersecurity professionals over the past five years grew 3.5 times faster than demand for other IT jobs – and about 12 times faster than for all other jobs. It also noted IT security professionals are making about $12,000 more annually than employees in other types of computer-based jobs.

More from Jaikumar’s story:

Burning Glass said its report is based on a study of job postings for cybersecurity professionals placed by U.S. businesses and government agencies over the past five years.

In 2012, there were more than 67,400 separate postings for cybersecurity-related jobs in a range of industries, including defense, financial services, retail, healthcare and professional services. The 2012 total is 73% higher than the number of security jobs posted in 2007, Burning Glass said.

By comparison, the number of job postings for all computer jobs grew by about 20% between 2007 and 2012. Posting for all jobs grew by only 6% during the period.

The two most sought-after jobs by employers were information security engineers and security analysts. Close to one in three of all computer security jobs advertised last year were for information security engineers. Nearly 25% of the job postings were for security analysts.

This particular research is IT-specific, but a feature story this month from CSO contributing writer Lauren Gibbons Paul looked at what skills are in demand for all security professionals now.

Among the “hot security skills” for 2013 are fluency in the IT side of physical security, business and financial acumen and advanced data-protection expertise.

Up for debate is the importance of security certifications to employers and to practicing security pros. Burning Glass said in it’s research that over the past two years the number of jobs requiring a Certified Information Systems Security Professional (CISSP) certification has jumped from 19,000 to more than 29,000.

But I hear a lot of grumbling about certifications and their value from sources. Even in the comments section of Jaikumar’s story, you will see comments questioning the CISSP in particular.  In fact, last week, at RSA, my colleague Bill Brenner attended a session specifically revolving around the industry value of security certifications.

As Bill wrote:

These days, one cert in particular is a favorite punching bag: the CISSP, administered by (ISC)2. In recent years, I’ve heard several industry friends brag about letting theirs expire.

So, in one set of research, we have numbers that claim there aren’t enough skilled security professionals out there to fill the vast number of positions that demand their expertise. On the other hand, there is (at this point mostly anecdotal) concern that some certifications are out of date and no longer necessary.  Is one factor influencing the other? Are employers misguided to seek employees who only hold these industry-specific certifications? Are they missing a valuable pool of talent by requiring these courses and certifications? How valuable are the certifications you hold to you?

Your thoughts welcome in comments or by email at jgoodchild@cxo.com