Security Certification Survey: The high-stakes information security workplace
This feature first appeared in the Summer 2019 issue of Certification Magazine.
Security workers have always had an important role in society, but the pay and various working conditions haven’t always been above reproach. In the pre-imperial legions of the old Roman Republic, for example, sentries watched the perimeter of the fortified camps every night. A soldier who fell asleep while performing sentry duty could be (and typically was) summarily executed.
One of the most famous security initiatives in history, the building of the Great Wall of China, provides another illustration. During its earliest period of construction, beginning about 221 B.C., the Great Wall was raised by the hands of soldiers, convicts, and peasants, some 400,000 of whom are believed to have died on the job and been unceremoniously interred within the wall itself.
It’s a much better time, in 2019, to be a security worker, particularly for those who work with computers and use their skills to defend virtual, not physical, boundaries and battlements. The U.S. Bureau of Labor Statistics estimated last year that there are already 100,000 jobs in the United States for “information security analysts,” or individuals who “plan and carry out security measures to protect an organization’s computer networks and systems.”
Growth in the field over the next 10 years is projected at 28 percent, meaning that an estimated 28,500 more jobs will be created just in the United States by 2026 — a level of expansion described as being “much faster than average.” The pay is pretty good, too: BLS research pegs the median annual salary for information security analysts at $98,350, or $47.28 per hour.
What you don’t know can hurt you
Even without the looming specter of being executed or worked to death, information security workers have a tough row to hoe. In the course of our recent Security Certification Survey, we asked the more than 420 certified information security professionals who responded to rate their level of agreement with a series of statements about security operations at businesses and other private organizations.
One of the biggest challenges in the field is a people problem. Nearly 83 percent of those surveyed either agree (47.3 percent) or strongly agree (35.6 percent) that enterprise security staffs are too small. The neutral “neither agree nor disagree” middle ground was staked out by 12.7 percent of respondents, leaving a few ticks more than 4 percent who disagree (3.6 percent) or strongly disagree (0.7 percent) that security staffs are too small.
Staffing shortages, however, don’t tell the whole story. A perhaps equally telling issue is the general lack of individual security smarts. Slightly more than 75 percent of those surveyed either agree (44.9 percent) or strongly agree (30.3 percent) that employees not hired for technology jobs tend to lack adequate basic information security training.
Even people who are trained to work with computers and information technology (IT) tend not to know as much about security best practices as they should. Three out of every four survey respondents either agree (52 percent of those surveyed) or strongly agree (23.1 percent) that security training of IT personnel on enterprise staffs — those who perform specific IT functions — is not adequate.
The result is that security staffs aren’t just contending with outside attacks, but must also continually guard against gaps in the security awareness of their coworkers.
Equipment and spending
On top of manpower challenges and a general lack of security training, most of the certified information security professionals who responded to the survey believe that organizations are bogged down by sketchy software, hardware, and policy protections. More than 62 percent of respondents either agree (48.9 percent) or strongly agree (13.9 percent) that enterprise security controls are lacking.
That’s compared to just 12 percent who either disagree (9.9 percent) or strongly disagree (1.8 percent) that controls are not up to snuff. (A further 25 percent of those surveyed signaled a perhaps lesser degree of dissatisfaction with the status quo by choosing to neither agree nor disagree.)
Old or aging security technology is also a hindrance. Nearly 60 percent of those surveyed either agree (47.1 percent) or strongly agree (11.3 percent) that enterprise security controls are outdated. Some organizations, it would seem, are keeping up with changes, as indicated by the 14 percent of respondents who either disagree (12 percent) or strongly disagree (2.2 percent) that controls are outdated. (The remaining 27 percent of respondents took no position.)
There is money being invested in security technology, but most certified security professionals don’t seem to feel that security spending is either carefully thought-out or adequate to address problems. Nearly half of survey respondents either agree (28.9 percent) or strongly agree (17.6 percent) that money for enterprise security measures is spent unwisely, while just 15 percent either disagree (9.9 percent) or strongly disagree (5.5 percent). (Thirty-eight percent took a neutral position.)
A more serious problem concerns the amount of money being spent, as opposed to whether it’s been well-invested. A worrisome 73 percent of those surveyed either agree (42.5 percent) or strongly agree (31.1 percent) that there is not enough money being spent to install or improve security measures. Just 8 percent either disagree (7.3 percent) or strongly disagree (0.7 percent) that not enough money is being spent, while 18 percent neither agree nor disagree.
Information security professionals have a variety of duties and responsibilities. Some design and install security infrastructure, while others are charged with actively monitoring computer and network activity. Some specialists are involved in determining and defining policy documents, while others test and examine existing protections.
There’s quite a bit of work to be done, and only so many hours in the day. Are we pushing the current workforce too hard? About half of those we surveyed either agree (32.7 percent) or strongly agree (15.4 percent) that they are overworked. A little less than one-third (29 percent of respondents) took a neutral position, while the remaining 22 percent disagree (19.9 percent) or strongly disagree (2.9 percent) that they have too much on their plate.
For most certified information security professionals, the tasks they perform are complex and engaging. A solid 77 percent either agree (54.1 percent) or strongly agree (23.3 percent) that their work is challenging, with a further 13 percent taking a neutral position. That leaves just 9 percent who either disagree (8.5 percent) or strongly disagree (1.1 percent) that they are engaged and stimulated by their work.
We did ask one question that touches on the broad issue of compensation. Generally speaking, are certified information security professionals satisfied with their current salary? About 44 percent either agree (38.6 percent of respondents) or strongly agree (4.8 percent) that their current salary is satisfactory, while 22.8 percent took a neutral view. The remaining one-third either disagree (24.3 percent) or strongly disagree (9.6 percent) that their current salary is satisfactory.
Certification = employment
Certification is a long-established pillar of the information security realm, with many security credentials requested by name in employment listings. You don’t have to be certified to get a job: 56 percent of those surveyed were not required to have a security certification when hired for their current job. Forty-four percent, on the other hand, did have to meet a certification requirement in order to start work.
Even in cases where certification is not required, however, it could be a factor in any hiring decision that gets made. Asked to estimate the impact of certification on being hired at their current job, 52 percent of certified information security professionals said it was either influential (21.4 percent) or very influential (31.9 percent), with an additional 20.7 percent reporting that certification was at least somewhat influential.
It’s also true that many choose to get certified with an eye on future employment. Setting aside the popular rationales of gaining skills and increasing compensation, we asked those surveyed to name the two most important benefits of getting a certification.
Three of the top four responses are directly employment-related. The most popular choice is “Gain qualifications for a future job,” followed by “Improve or confirm qualifications for my current job.” “Gain greater confidence in my own skills” narrowly edged ahead of “Become eligible for positions of greater responsibility with my current employer.”
Workplace and education
Every business or organization has to grapple with information security-related challenges in 2019. To judge by our survey audience, however, a sizeable chunk of the information security jobs available are focused in three workplace sectors: government (17 percent of those surveyed), computer or network consulting (13.1 percent), and financial services (11 percent).
Other popular employment sectors include education (7.4 percent of respondents), software (6.4 percent), aerospace (6 percent), and health or medical services (also 6 percent).
For teens and young adults who are considering information security as a potential career, definitely don’t rule out higher education. Among survey respondents, 34.9 percent pursued their formal education far enough to hold a bachelor’s degree, while 34.6 percent went one step further and claimed a master’s degree.
There’s more information to come from our survey. Over the coming months, we’ll be posting additional findings online at CertMag.com, where you can also find ongoing dispatches from our 2019 Salary Survey.