Sunday, January 04, 2009

Security career snapshot - January 2, 2009

Now that the holiday break has ended and everyone is heading back to work, it seems like a good time for information security professionals at every level to take stock of available opportunities and chart a course for the new year.

Is it safer to stay put, or move?

While there's an abundance of forecasts available that predict where 2009 is headed, most are discouraging, few will turn out to be correct, and there doesn’t seem to be a method for sorting between the good and bad estimates that’s any more trustworthy than the estimates themselves.

Instead, I'd argue that it makes more sense to take a second look at the current role, the financial health of the organization, external opportunities, and the stability of the regional and national economy ... and plan according to current actualities.

To cut through that uncertainty, I spent some time over the break going through online job postings to compile a snapshot of security jobs that are currently open and available. I looked at job titles, years of experience required, expected regulatory / compliance background, certifications, and the most active hiring locations. This snapshot won’t show hiring trends for 2009, but my hope is that it’ll at least make a decent starting point for figuring out where the holes in the resume are, and which types of work assignments today may open doors for the next role.

I started with a query of security jobs using an aggregator site, and randomly selected a subset of 200 for analysis. I downloaded each full post directly from the offering website and parsed them locally using some scripts. Below are some of the high points. The margin of error on the survey should be plus or minus 7%. If you want a detailed look at the approach, or the data itself, just drop me a line.

Here’s what I found:

Most common job titles
A bit less than half of all security job openings are for the role of engineer, analyst, or administrator. Managers jobs appear less than 5% of the time, and director level only 1%.

Without more information it's tough to be definitive, but the numbers could imply a couple of things: first, that security organizations may be flattening right now as managers hire more staff; and second, that “individual contributor” roles may have more mobility across organizations than leadership positions. It’s also possible that management roles are filled through other means (internal candidates, etc.) more frequently than staff positions are.

Position title Number of postings Percent
Engineer45(22.5%)
Analyst30(15.0%)
Administrator14(7.0%)
Manager9(4.5%)
Consultant9(4.5%)
Architect5(2.5%)
Director2(1.0%)


Years of experience expected for each role
Across all positions, five years was the median level of experience required. Only 30% of positions expected two or fewer years of prior relevant work history. One interesting fact was that out of 41 postings with a specific requirement, that requirement was described 21 different ways (e.g. 1 to 4 years, 2 or more, 4-6 years, etc.) It seems the industry has generally standardized on which certifications and skills are expected, but not the level of experience associated with those skills that represent appropriate minimum requirements.

Years of experience requiredNumber of job postings
0 to 13
2 or more10
3 or more3
4 or more2
5 or more12
6 or more3
7 or more2
8 or more1
9 or more1
10 or more5


Most common regulatory / compliance keywords
Not every posting specifically cited regulatory requirements or security framework experience. But for those that did, the following are the most commonly listed:

Regulatory or governance requirementNumber of postings
Federal Information Security Management Act (FISMA)14
Code of practice for information security management (ISO 17799/2701/2702)12
Sarbanes-Oxley (SOX 404)12
Payment Card Industry Data Security Standard (PCI DSS)12
Health Insurance Portability and Accountability Act (HIPAA)7
Gramm-Leach-Bliley Act (GLBA)3


Most common certifications
As of early 2009, candidates with a security certification have an edge over non-certified candidates, but certification is not usually a make-or-break requirement. Less than half (47%) of all security job postings examined had listed certification as a requirement; around 20% described certification as “required” or “highly desirable.”

CISSP is the most commonly listed credential, although it often is provided as one of several examples e.g. “Professional security certification such as CISSP, CISM, GIAC, CCNA, CCSP, CCNP, MCSE, Security+, Network+.”

Security Certification (n=94)Number of postingsPercent
Certified Information Systems Security Professional (CISSP)48(52.7%)
Other (Cisco, etc.)12(13.2%)
Certified Information Security Manager (CISM)11(12.1%)
Certified Information Systems Auditor (CISA)10(11.0%)
SANS Global Information Assurance Certification (GIAC)10(11.0%)


Most active hiring locations
Finally, the top ten states (and Washington D.C.) listed by frequency of job posting:

StateNumber of postings (n=200)
California32
Virginia32
Maryland24
Washington D.C.17
Texas11
Massachusetts11
New York8
New Jersey6
Illinois6
Pennsylvania4


So if you're a Security Engineer with a CISSP and five or more years experience in your current role, with a strong background in FISMA, SOX and ISO 17799 who lives in the Washington D.C. area ... relax ... even in the midst of this economic mess, it looks like the world is still beating a path to your door. For the rest of us, though, we probably have some work to do.

Best of luck to everyone trying to improve their skills and find the right organizational fit in 2009. I hope this was helpful; if you have questions about specific skills, opportunities or regions not listed in this overview that you haven't been able to ferret out using the job search engines - let me know and I'll help if I can.

1 comment:

Technically Speaking Radio said...

I came to your blog via your post on linkedin.

Wow, Jeff. You did a great job on your analysis.

A side question regarding a different post: Why don't you have your Twitter idea in your twitter security analysis post.