Monday, July 23, 2012

InfoSec Job Postings - What Are Employers Telling Us?

The inimitable Brian Krebs has a series of interesting blog posts where he's interviewed several IS luminaries about "breaking into" Infosec fields. The advice in these articles is great and ranges from the technical to the somewhat philosophical (I especially like Schneier's prescription of - STUDY, DO, SHOW). You can check it out here:

In addition to this excellent advice, we can also learn a great deal from IS employers via the job postings they provide AND the aggregate data indicators these posts contain concerning the knowledge, skills, certifications, and aptitudes sought for various roles. To achieve this viewpoint, I've compiled data from over 150 IS job postings (US only), looking at the weighted repetition of categorical qualifications for several popular InfoSec roles (see interactive charts below). In addition to satisfying my own unhealthy compulsion to quantify things, there were some interesting takeaways.

Analyzing the Data: Observations and Findings

#1: Communication Is Critical (aka Try To Act Normal)

While communication skills are frequently cited as desired in professional postings, with InfoSec positions this seems to be true without exception. As evidenced in the collected data, the ability to write and speak clearly to non-technical audiences about IS issues is a critical skill for almost every job role. I'm sure several readers have experienced the reality warp that comes with wrestling technically complex issues, engagements, or investigations for prolonged time periods. While it may not be fair, employers expect and value that, even if you have been huffin packet dumps and subsisting on pocky sticks and energy drinks for a week, you can still retain the ability to speak "human" to your customers and to senior leadership. Go figure...

#2: Education Is Important AND Work Experience Is Essential

Almost all of the Information Security positions list a Bachelor's degree as a minimum requirement for eligibility, but beyond this the lion's share of your value to potential employers hinges on the years of relevant experience you've had in some role within IS. The clear message here is that employers desire educated IS professionals with real-world experience. You shouldn't expect to come right out of school and get a job unless you have professional experience and achievements that clearly demonstrate your proficiencies. For this reason, internships are a highly recommended way for students to couple education with "in the trenches" IS challenges.


I'm going to avoid the "CISSP certification debate" here. For better or worse, the findings of this review reinforce that CISSP is clearly the de facto IS certification regarded by employers as offering professional "bona fides". It's obvious that having this certification can open doors in several IS job roles that otherwise might be closed by HR resume bots. One of the reasons for such universal regard of CISSP is that you have to have at least 5 years of working experience in IS roles (or equivalent education, certification, + experience) to qualify to take the exam (experience again). If you already meet the requirements for eligibility to sit for the CISSP, it's pretty clear that there are some substantial hiring benefits for taking the time to achieve this credential.

#4: Programming Isn't Just For Programmers

Another finding lurking in the aggregate data is that employers clearly value and place emphasis on Information Security Professionals who can offer scripting and programming experience. One reason for this importance may be the growing critical role of AppSec for many organizations. Having security professionals on staff who can speak "apples to apples" with developers presents considerable value towards not only identifying risks/problems but also participating in the fix.

#5: Security Clearance Gateway

The large need for high-quality security services within the federal sphere really is driving valuation for more professionals with top secret or higher clearances. Achieving these clearances often involves extensive background review that can take several months. As a result, those who already have the necessary clearances are very valuable to employers who serve federal customers.


If you are considering a career in Information Security, then it helps to realize that the field is very specialized and the total body of knowledge represented by the varied job roles is greater than any one person can master in a lifetime. Therefore there is real value in being able to focus your efforts on those skills, knowledge, and aptitudes that give you the greatest flexibility, opportunities, and satisfaction. Also remember that the skills of yesterday may not be the skills of tomorrow. You need to integrate continual learning into your daily habits. Learn something new within your field every day!
