By Jon-Michael C. Brook, Principal, Guide Holdings, LLC
The security industry is understaffed. By a lot. Previous estimates by the Ponemon Institute suggest as much as 50 percent underemployment for cybersecurity positions. Seventy percent of existing IT security organizations are understaffed, and 58 percent say it’s difficult to retain qualified candidates. ESG’s 2017 annual global survey of IT and cybersecurity professionals suggests the biggest shortage of skills has been in cybersecurity for at least six years running. It’s a fast-moving field with hackers’ crosshairs constantly targeting companies; mess up and you’re on the front page of the Wall Street Journal. With all of the pressure and demand, security is also one of the best-paying segments of IT.
Cybersecurity has a different vernacular, with a set of acronyms and ideas far outside those of even its information technology brethren. For the gold standard as a security professional, the title to have is the Certified Information Systems Security Professional (CISSP) from the ISC2 (isc2.org). The requirements have grown increasingly strict since I tested in 2001. Not lax, mind you, but five-year industry minimums and certified professional attestation give the credential even more heft. There is an associate version available, the Associate Systems Security Certified Practitioner (SSCP), that eliminates the time and sponsorship minimums and would be appropriate for someone new to the field.
Adding to the professional shortages are new IT delivery methods, à la cloud computing. Amazon Web Services is the giant in the space, offering several certifications for cloud architecture and implementation. Microsoft and Google round out the top three. These, too, are hot commodities, as cloud is a relatively nascent industry and not very well understood. Layer security onto the cloud platform, and you find certifications such as the Cloud Security Alliance’s Certificate of Cloud Security (CCSK) and, again, the ISC2’s Certified Cloud Security Professional (CCSP). In 2017, Certification Magazine listed cloud security certifications as offering some of the highest salary increases available to an IT professional.
One caveat to all of the excitement of underemployment: recruiters, headhunters and hiring managers. Position requirements are sometimes outlandish or poorly vetted, such as the requisition asking for 10 years of cloud and 20 years of security experience. Amazon Web Services started in 2006. Microsoft Azure and Google Compute Platform were seen as cannibalistic to existing revenue streams. Even five years of cloud industry experience is a lifetime, and the industry moves so fast that AWS’s Certified Solutions Architect (AWS-ASA) requires re-certification every two years vs. the standard three for the rest of IT. AWS, too, has a security exam recently out of beta, the AWS Certified Security Specialty, though it requires one of their associate certifications first.
If you have the appetite for learning, add privacy to the mix. The number of industry vertical regulations (healthcare’s HIPAA, Payment Card Industry’s PCI-DSS, finance’s FINRA/SOX, etc.) and regionally specific requirements (the EU’s GDPR) have the International Association of Privacy Professionals (IAPP) offering eight Certified Information Privacy Professional (CIPP) certifications. As an IT professional in the US, the Certified Information Privacy Technologist (CIPT) and CIPP/US are probably the most attainable and attractive.
Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.