Of all the high-demand areas in IT, security stands out at the top. According to DICE, the number of security jobs skyrocketed by more than 40% from 2014 to 2015, to 50,000 openings, compared with 16.8% growth the year before.\u201cSecurity jobs are growing at a far more rapid pace than other areas of technology, which are also growing rapidly,\u201d says Bob Melk, president at DICE.Meanwhile, in a 2015 survey by ISC2, 62% of respondents said they lacked adequate security staff, and 45% cannot find qualified candidates. In five years, the organization says, the shortfall in the global information security workforce will reach 1.5 million.The inability of many companies to fill these jobs is only driving up salaries \u2013 as well as IT professionals\u2019 interest in developing the skills to fill these jobs. \u201cIt pays well and is in high demand,\u201d says Julie Oates, senior technical recruiter at Mondo. \u201cThere are so many jobs out there, and there will be more and more.\u201dHere are some insights to help IT professionals take advantage of the shortage \u2013 as well as some reasons it might not be the right move for you.\u2022 Don\u2019t worry if you don\u2019t have specific security experience.Much of the demand today is focused on roles that require several years of experience, such as senior security software engineers, Oates says. Such roles can demand upwards of $200,000, she says. The ISC2 study also reports that the highest job growth will be for security engineers and architects.At the same time, there is still a wide array of security needs, says Julien Bellanger, co-founder and CEO at Prevoty, an application security monitoring and protection company. \u201cSo many different types of skillsets are in demand for security, and no single person can field all these roles,\u201d he says. \u201cYou need a very large team to cover all the bases,\u201d including people who understand what\u2019s going on with the network and network traffic, the hardware appliances, the applications and the business logic of the applications.\u201dTony Martin-Vegue, risk manager at a Bay Area financial services institution, agrees that information security is \u201ca huge and widely varied field that includes programmers, risk managers, PR experts who can talk to business professionals in terms they understand, people who understand human behavior and even people with an economics background. \u201cIf you have an economics degree or understand finance, I\u2019d hire you as a risk manager even without security expertise because that\u2019s all economics and finance is, is understanding risk.\u201dSimilarly, he says, someone with a background in psychology would have the needed insights to understand why, for example, someone would click on a phishing link and how to deter that behavior. \u201cYou need a baseline of cyber or information security knowledge, but you can still use what you already know to educate yourself,\u201d Martin-Vegue says. \u201cYou\u2019re not starting from scratch.\u201d\u2022 Think long term The greatest need in the foreseeable future is in the realm of software and application security, according to observers. \u201cThe greatest problem we face is related to insecure code and poor software development processes,\u201d says Jeff Combs, vice president of talent management at ISE Talent, an executive search and recruitment firm dedicated to information security professionals. \u201cPeople have been developing software for 50 years or longer, but we\u2019ve only been paying attention to issues related to software security in the last 10 years.\u201d For younger IT professionals considering a future in security, software engineering and coding is where the majority of opportunities \u2013 and challenges \u2013 will exist, he says.Even now, the gap in supply vs. demand is wide, says Bellanger, especially as there is little training available in this domain, and talented developers might be more likely to flock to the likes of Google or the next Facebook rather than a job in security. \u201cWe get asked all the time, \u2018Do you have any good application security people you can send our way?\u2019\u201d he says.Two types of people are needed in this area, he says: program managers and actual practitioners. Businesses would be best off if they hired a program manager internally and then used that role to bring others onto the security team to help train and guide them.From application security, IT professionals can grow into many other areas, like architecture security or learning more about the cloud, Bellanger points out, while other choices \u2013 like network or hardware security \u2013 might be more limiting. \u201cIf I had to make a choice today and was 18 years old, I\u2019d go into application security or be part of a DevOps security team,\u201d he says.\u2022 Don\u2019t under-value your current skills. According to Martin-Vegue, if you\u2019re a systems, network or database administrator, \u201cyou really are 75% there for certain types of information security sub-fields,\u201d such as ethical hacking, penetration testing and information assurance positions. Professionals with these backgrounds understand things like how systems work and how users access them, he says, \u201cso it\u2019s not a leap to go from setting up users, to checking compliance with standards and frameworks. It would be easy to segue if you already have that baseline.\u201dIn fact, Combs says having this type of background can be a real strength. \u201cTo be good in security, it\u2019s important to have a strong foundation in systems administration, network engineering or software engineering,\u201d he says. \u201cAlthough there are many aspects that aren\u2019t technical, understanding how things work at the ground level or under the hood is what gives people the credibility and knowledge to build upon to be successful over the long run.\u201d\tFor this reason, Melk believes CIOs should begin to build security capabilities among their existing staff rather than solely seeking external candidates to fill these needs. \u201cWe\u2019ve got to do more than simply increase salaries or benefits,\u201d he says. \u201cBusinesses need to find ways to fill the gap by nurturing internal talent.\u201dIn fact, DICE is working to identify skill commonalities between an array of IT and security positions, and then developing a skills map that can help professionals create a plan for filling the gaps. \u201cThe good news is there are a lot of related jobs where folks in various roles could move into a security role,\u201d Melk says. \u201cWhen you look at typical skills for various titles like assistant security engineer, security auditor, IT security project manager, all these skills are consistent with the baseline requirements of roles like network security or intrusion detection,\u201d he says.What stands in the way is a lack of understanding about the exact skills required to move to a particular position, and the quickest way to get there. \u201cWe\u2019re trying to make the journey as short and as inexpensive as possible,\u201d he says. \u201cWhile going back and getting a degree is a clear path, it\u2019s not the only option.\u201d\u2022 Don\u2019t assume you need to go back to school. Indeed, while the bar for entry into a security position may be difficult to overcome, never before have so many learning resources existed, says Combs, whether through free online classes, certifications and becoming part of a security community. From SANs, to ISACA, to Information Systems Security Association (ISSA), to ISC2, to the Open Web Application Security Project (OWASP) and beyond, there are many highly active security organizations that offer both training and a community of people that can share ideas.Getting involved with OWASP, Bellanger says, \u201cis the best vector for getting hired and receiving the best advice for certifications.\u201dMartin-Vegue advises starting by taking a free online class on security fundamentals through a provider like Coursera or EdX, and then determining which sub-field would make the most sense to pursue. \u201cOnce you get a good baseline down, find stuff that interests you and gets you excited about information security and begin to specialize,\u201d he says. Frost & SullivanMelk agrees that online courses are a great option to grow skills, especially when employers don\u2019t offer training. \u201cYou can take courses on your own without going back and getting a bachelor\u2019s or masters in cyber security.\u201dOnce you have a sense of which direction you want to head into, certifications are a good choice, as they continue to be highly regarded in the security field, Martin-Vegue says. \u201cPeople say they don\u2019t prove anything about real-world skills, but the truth is, hiring managers do look for them,\u201d he says. \u201cEven if you think they\u2019re pointless, if you want to get a job, you have to have your certifications.\u201dIn particular, the CISSP certification offered by ISC2 has essentially become table stakes for higher level positions, while CRISC from ISACA is essential for risk management, he says. In other cases, such as reaching higher than an entry-level job working with firewalls, it would be a good idea to get a vendor certification from Cisco or Juniper.Meanwhile, in software development, becoming an SSDLC certified practitioner will prove your chops in application security, Bellanger says.\u2022 Know what you\u2019re getting intoThere is a downside to the security profession, however, in the form of stress and burn-out. \u201cAt security conferences in the U.S., a major topic is depression, and it\u2019s starting to be talked about in the field,\u201d Martin-Vegue says. \u201cIf you feel you can\u2019t deal with the work stress and burn-out, [pursuing a security career] might not be the best idea.\u201dThe reason for this phenomenon, observers say, is the attitude of many companies toward the security function. That is if a breach occurs, it\u2019s assumed that someone in security didn\u2019t do their job. In the case of a highly public breach, \u201cit\u2019s very disruptive, both for customers and the people who work there,\u201d Martin-Vegue says. \u201cPeople get fired, the stock price takes a hit, you lose public trust. If you\u2019re the guy behind the keyboard, assessing security controls for the year leading up to that, it\u2019s really serious.\u201dIn addition to always being on the hot seat, the security function is often perceived as being separate from the business, Bellanger says. The business doesn\u2019t always appreciate the delays caused by placing security controls around an initiative, and yet, if something goes wrong, security is blamed. \u201cIt can be a very lonely, siloed position,\u201d he says.This situation is bound to change over the long term, he says, as security becomes a full part of the business development cycle. \u201cWhen security is fully embedded and in synch with the business, you\u2019ll have a lot less stress on the security team,\u201d he says. \u201cThe business needs to realize it\u2019s going to get hacked at some point. Right now, there\u2019s a lack of understanding that pushes it to find someone to blame.\u201dStill, Combs says, \u201ca security career requires you to have strong chops in various areas.\u201d With continuously changing technology, evolving threats, new regulations and the constant fight for security budget, \u201cyou never reach that point where your work is done.\u201d In the ISC2\u00a0survey, even though more than three-quarters of respondents said they are satisfied with their current position, the industry experienced a staff turnover rate of almost 20% last year, the highest rate of churn (ISC)2\u00a0has ever recorded.\u2022 Follow your passion, not the money So while the demand \u2013 and the dollars \u2013 may be an attraction to the security field, it shouldn\u2019t be the only driver. On the positive side, the security profession is a great place to be part of a community, Bellanger says, especially compared with the software development world. \u201cSecurity practitioners are an amazing, close-knit community that works well together,\u201d he says.In some ways, you\u2019ll know if security is for you if you\u2019re the kind of person who has the desire to understand how things work, or how to break \u2013 and then \u2013 fix them, Combs says. \u201cThere are a disproportionate number of artists, musicians, creative people and asymmetrical thinkers who\u2019ve come into field,\u201d he says. \u201cIt really comes down to personal desire and an interest in understanding what\u2019s underneath the surface and not accepting things at face value.\u201dBrandel is a freelance writer. She can be reached at firstname.lastname@example.org.