Information security recruitment: How to move on in turbulent times
by Ruth Jacobs - Information Security Recruitment, Barclay Simpson - Friday, 17 April 2009.
Not surprisingly, given the economic backdrop, the information security recruitment market has slowed. The first obvious signs of this downturn were evident from the third quarter of 2008 in the financial services sector. It has subsequently spread, with recruitment freezes and lower vacancy generation as fewer vacancies are backfilled. Fewer security practitioners are voluntarily entering the recruitment market, fearful of moving jobs during an uncertain time. However, overall more candidates are registering due to the threat of, or actual, redundancy.

Although unemployment in the UK is now rising rapidly, information security is not as badly hit as other areas. It has become a business-critical function and information security is no longer purely tied to IT. IT is an area where costs are often first cut during downturns. Therefore, we have not seen, nor are we anticipating, the high number of unemployed security practitioners that occurred in 2002 after the dot-com bust.

There are some areas in information security that are more badly affected than others. As expected, the banking sector has been worst hit, with a high number of redundancies and few banks actively recruiting. The UK banking industry appears to be in the process of being nationalised, and in the US three of the five leading investment banks no longer exist as independent entities and two do not exist at all. For those working in the sector it will be a difficult time to move on, as opportunities are very limited. More unfortunate are those who have been made redundant and are now facing the prospect of finding a new position during the recession.

There are areas of the information security market where recruitment is less affected, most noticeably in the public sector. Many major consultancies and systems integrators continued to recruit during 2008 for security practitioners to work on long-term government projects. This slowed somewhat from the final quarter of 2008, but we anticipate recruitment in this area will continue during 2009. Most commonly the skills required are security architecture and design, security risk assessment and security policy development.

Identity Management has been a skill in demand over the last two years, although demand is slowing since the Sarbanes-Oxley compliance work that was driving it has mainly been completed. PKI is likely to be an area where we should see new demand, partly due to the Transglobal Secure Collaboration Program (TSCP), which uses IdM and PKI. In addition, following the high-profile data losses of the last two years, the number of encrypted hard drives in the UK is set to increase. It is now a UK government requirement and we also anticipate the private sector will follow, hence we expect to see new roles in PKI this year.

Penetration testing is an area that has boomed in recent years. Generally there has been consistent demand, primarily from the consultancies that offer this service and also from some end-users who directly employ penetration testers. However, there has been a slowdown as the bulk of employers of pen testers, boutique as well as global consultancies, have become more cautious. Also, many security practitioners have a fear (though most often perceived as opposed to real) about moving jobs during a recession. As a result, fewer penetration testers are leaving their positions, resulting in fewer roles to backfill.

Managed Security Services (MSS) and Security as a Service (SaaS) are market areas which are less likely to be negatively affected by the recession. While companies do not wish to spend IT budgets on new technologies and on implementing, integrating, configuring and managing those technologies in-house, it makes financial sense to outsource. There has been more recruitment in these areas in the last year, and we expect it to continue at all levels from senior management through to hands-on operational roles.

