Friends and acquaintances ask me all the time “what does it take to get involved in the Information Security world,” and the answer is inevitably another question, “are you sure you want to do that?” The main reason for the growing interest in security is most likely the fact that it is one of the fastest growing industries and it therefore pays very well. Because the demand for qualified security professionals outstrips the number of employees available, there has been a fast salary growth in the industry, something which has received much attention from the rest of the IT industry.
As the laws of supply and demand are at work and salaries are rising, those of us working in Information Security are certainly reaping larger and larger financial benefits, which is something we can hardly complain about. The industry has seen a constant and reliable rise in salaries across all security roles, from entry-level analyst to CISO positions. The security job market has grown at twice the rate of all the other IT jobs and a recent Cisco study concluded that there is currently a shortage of 1 million security jobs in the world.
This financial benefit is in fact the largest factor driving job interest in the industry; of course there are other factors as well, such as keen interest in hacking, technology and secure development practices, but generally speaking they tend to be secondary for most industry candidates.
Candidates’ eyes get brighter especially when they see salaries of security management roles, with the upper band for CSO/CISO roles easily crossing above $200,000 per year.
Of course, the salary picture is only a partial image of what the industry has to offer. In reality the high salary is often linked to, and dependent on the industry, organization and the various frameworks under which the roles operate. Heavily regulated industries like banking, healthcare and government are more likely to pay more, but that is not always the case. Even experienced professionals like myself have encountered job opportunities paying well below the low end of the curves presented above.
These roles end up being presented by human resources employees who may not be aware of the going market rates for skilled professionals; or could very well be a calculated effort on the part of the organization to attempt to bring on board someone who may not be aware of his or her own worth on the job market.
This means that the salary number alone should not be the only factor when considering jumping on the Information Security bandwagon, especially if you are not young enough to invest the years required to achieve a level where you can indeed have the expectation to be paid well. Having 15 or 20 years of security experience will certainly allow you to demand more in terms of financial compensation, but you should be aware that you will have to spend a lot of years, perhaps in not so pleasant environments in order to get to that point.
The Bad and the Ugly
With all the high salaries and even some glamor associated with security, there are some negative aspects to the job. They are often projected as stressful situations, security breaches and sometimes even being outright “thrown under the bus” for minor issues which could be easily handled in any other environment. The way in which security team is treated in an organization fluctuates wildly depending on the culture of the company, the environment and even geographic location. Security folks often jokingly say, “We are the fall guys.”
Stress can be a major factor in how a security job can turn from perfect to ugly in just a matter of weeks or months. Even a small security incident can snowball into a stressful situation for an entire team and can cause major headaches if incident response procedures are not clear and the organization is not handling the incident appropriately.
The expectation in any organization is that “No breach is acceptable under any circumstance,” which is in fact an unrealistic expectation. Good security professionals work under the assumption that “we have already been owned” and make decisions accordingly. Unlike any other industry, when mistakes are made by the security team, the axe is usually the first tool to come out of the management closet.
Take healthcare for example, an industry where people’s very lives are at risk. A recent study claims that between 220,000 and 400,000 patients die in hospitals every year due to preventable mistakes. In virtually every case of a physician’s mistake leading to a death, virtually nothing happens to the physician. His or her career continue unabated, they learn from their mistakes and move on along with whatever emotional or financial consequences. That is not the case with security professionals as breaches often result in firings, reprimands, suspensions or in rare cases even government fines.
The firing of Target’s CIO is a prime example of how security breaches have become the modern ritualized seppuku even for leaders who have taken steps to implement good security measures while making mistakes in other areas.
It is quite rare for organizations to have security procedures locked down and tested on a regular basis, so when things go off the rails, you may not necessarily have a calm and composed atmosphere you imagine having while reading your procedures.
In addition, most mature organizations may have an internal political structure that can either aid or strangle the security team. Here we have the example of Home Depot, an organization with a culture allowing for the outright neglect or disdain for sound security practices, where incompetent leaders are promoted rather than fired. Former Home Depot security employees said the security staff turnover was extremely high and the management staff ignored virtually any sound advice, the management philosophy being, “we sell hammers.” This culture of purposeful neglect led to a massive breach which cost the company about $63 million.
If you end up working in a place where politics drive decision making (where is this not happening), you could suffer the consequences of decisions made by management without regards to the primary technical or operational security needs, making your job much more difficult than it has to be.
Being part of Information Technology could also be a big problem as you could become a liability to the IT organization. There is a school of thought which advocates that Information Security should be independent in an organization, with its own reporting structure, or report through the Risk, Audit or Financial departments, rather than IT. When security is within IT, conflicts of interest would inadvertently arise. IT is also inherently a highly technical department, which means that there will be an unhealthy imbalance towards technical controls, at the expense of a healthy risk management methodology centered around the needs of the business.
Unfortunately, Information Security continues to be seen largely as another branch of IT, which means that if you want to start on this path, you will likely have to start in an entry-level IT position, such as IT technician, technical support analyst or something similar. Such a position will give you the opportunity to eventually focus more on security and learn organically as you grow through the ranks of IT.
If you have the drive and personality to take on the challenges I have discussed here, the security world is for you, but if you are easily annoyed and not willing to jump these major obstacles which you will most certainly encounter in your career, choose another path. It will save you a lot of heartache and long nights.