IT Security: Heating Up or Cooling Down?
Is IT security heating up or cooling down? Well, it’d be difficult for it to get much hotter than it has been. In CertMag’s most recent Salary Survey, published at the end of 2006, U.S. information security specialists reported earning $93,500 a year on average, a rise of nearly $15,000 from just two years before. That makes it, by far, the highest-paying specialization in IT.
Much of the reason for this was a slew of new regulations affecting information security, such as the Sarbanes-Oxley Act of 2002, the provisions of which act to combat financial malfeasance.
“That got senior management all of the sudden aware of it, and so there was a big move to bring in people who could do information security programs — that was what heated it up,” said Ed Zeitler, International Information Systems Security Certification Consortium [(ISC)²] executive director. “But now they’ve had the experience with these reports and all the paperwork that goes into meeting these regulations, and they’re realizing how much effort they really need to put into it. What’s happening is some of that information security group that was created is moving back into the IT group, and so disappearing from sight, which gives the impression that it’s cooling down a little bit, but it isn’t — it’s moving the technical people into the IT function.”
Zeitler said he feels IT security is both heating up and cooling down. As evidence that it’s still hot, he points to a worldwide workforce survey (ISC)² conducts annually in which it asks respondents who is responsible for information security in their company.
“The CIO typically is the main guy, and the CISO for a few, but this year, the CEO got labeled as responsible for information security by about 25 percent,” Zeitler said. “That was totally new — the CEO had hardly ever scored before.”
Nevertheless, Zeitler said much of the hysteria with which Sarbanes-Oxley was met has died down.
“Consulting companies made a bundle on that deal,” Zeitler said. “That was big business. I can’t even imagine the amount of money that went into major corporations complying with SOX. But I think that has passed.”
The aftermath of all this, the real lasting result, is the awareness of information security it created in the executive suite. The degree of this effect depends on the corporation, however.
“If you’re a manufacturing company, your focus on information security is not nearly as critical as a financial company, where information is the product of a company,” Zeitler said.
IT security might be “cooling down” as it becomes more a matter of standard procedure, Zeitler said.
“There’s going to be consolidation in the industry,” Zeitler said. “Products are coming out now with security embedded in them that didn’t have that before. And so the stand-alone security products that we see now are getting absorbed into manufacturers’ new products.
“It got enough attention that people are looking at costs and what it takes to do it and realizing it has to be baked in — it can’t be one of these bolt-on deals any longer.”
So, while security will remain as important as it is now, it might be less visible going forward and more likely to be handled by general IT professionals than flashy security specialists.
“A system administrator, for example, is going to be doing a lot of security, as opposed to having a specialist do it, because the security will be baked into the operating system and its parameters are maintained by the system administrator,” Zeitler said.