Industry experts differ on what makes an IS pro or SysAdmin marketable and valuable, but agree on areas of growth. Expertise in application testing, code review, mobile/wireless security, IP communications for rich media, spam and spyware, remote access, voice and data (including VoIP), and Linux goes a long way in today's marketplace.
The challenge to job security and prosperity in these areas comes from current hiring and business practices. Many companies are still looking to reduce costs and maximize efficiency, operating quarter to quarter, often without a clear understanding about the long-term financial impact of security or the lack of it.
While some companies understand the need to invest in security professionals and protect critical data, networks, and privacy, others see security strictly as overhead without revenue contribution. That lack of a clear ROI often leads to budget cuts, downsizing, and a view of system administrators as a commodity. Many have jumped on the IT outsourcing bandwagon, although security areas haven't been impacted as hard as others.
Whether trying to avoid having
Bob Blakley, Chief Scientist of Security and Privacy for IBM Tivoli in Austin, Texas, feels that it is very rare for an organization to outsource security. "It makes people nervous," he said. "You'll be held responsible if something goes wrong."
Blakley sees a big demand in keeping up with the accelerated pace of development. "Security expertise is in short supply," said Blakley. He stressed the need for formal training such as Microsoft certification or becoming a CISSP.
"Systems Administrators become a commodity when they themselves do not grow," says Michael R. Higgins, Chief Security Officer for Tekmark Global Solutions, LLC in Edison, NJ. "Those who look at their job description and perform their assigned duties without ever venturing out for new experiences and knowledge will find themselves a commodity and perhaps replaced down the line."
"Proficiency in technical communications is important, especially in security, where things are complicated," says Blakley. He advises Systems Administrators and security professionals to make their skills apparent so others can value them. He suggests developing expertise and a profile, particularly in open-source development activities in security technology.
Another value-add is an ability to put things into a business context and fully understand the deployment environment. "Customer centricity is the most valuable thing to bring to the table," says Dario Zamarian, VP of Products and Corporate Strategy for ServGate of Milpitas, CA. He believes that there are multiple ways to do security, and an essential professional can understand and recommend what functionality needs to be applied. True value is when customer and vendor come together.
Mark Giglietti, CEO of PrecisionIT in Belmont, MA, agrees. "Going in and just fixing and deploying is less important than the decision making," he said. Systems administrators and security tech professionals must be able to perform cost-benefit analysis to make and justify recommendations, and be able to speak with management.
Experts and hiring managers differ in what they value. Dow Williamson is the director of communications for (ISC)2 of Vienna, VA, a non-profit international organization dedicated to training, qualifying and certifying information security professionals. He stressed that a brand-agnostic common body of knowledge and a compendium of industry best practices are essential for today's information security professionals. "Vendor neutral needs to be matched up with vendor specific certifications," said Williamson.
Williamson says that a strong academic background, such as a master's degree in Information Security, will continue to be in high demand, as will professional certification. (ISC)2's flagship certifications are the Certified Information Systems Security Professional (CISSP) and the Systems Security Certified Practitioner (SSCP). Practitioners succeeding in meeting the standards of knowledge and requirements of each certification are acknowledged as professionals in the field of information security. Many companies and government agencies are requiring CISSP and SSCP certifications in recognition of the skill and experience that support the certifications.
While certifications may give an IS professional an edge for being kept instead of downsized, their value depends on the company and culture. Alex Rosenbaum of NetMacros in Reston, VA, believes that education is as important as experience because it shows an ability to learn.
Rosenbaum says an IS professional must be able to understand underlying concepts and why the technology is being applied. He also cautioned against focusing on a single vendor or application. An ability to design solutions is essential.
Trench time and true operational experience are often valued higher than education or certifications. "A CISSP is excellent, but it measures book smarts," says Nick Brigman, Vice President of Product Strategy for Red Siren of Pittsburgh, PA. He places a high value on military experience and training, and highly regards a GIAC Security Expert (GSE) from The SANS Institute.
Red Siren looks for job candidates with a deep, diverse background and a clean record. Brigman explained that this is especially important today as organizations are looking into backgrounds of their own employees and vendors.
This economy offers little job security, but it does hold many opportunities for strategically prepared SysAdmins and IS Pros. Security will only grow in importance, and professionals who combine the right mix of best industry practices, specializations, broad knowledge, and multiple certifications and credentials won't just survive, they may even prosper.
ABOUT THE AUTHOR:
Jon Boroshok is an accomplished strategist and freelance writer in Groton, Mass. His articles and columns have appeared in The Boston Globe, The Christian Science Monitor, Crain Communications, ZDNet, CMP Publications, and TechLiving magazine.
This was first published in September 2004