Careers in Information Security
Thursday, June 26, 2008
Information Security Magazine’s 2001 Industry Survey reveals that the number of organizations that suffered Web server attacks doubled from last year. Fifty-four percent of companies polled said that they had increased their security budgets from 2000 to 2001, and the same segment says it will continue to add to its security budgets for 2002. These numbers indicate that companies will demand a greater number of security professionals to manage their information security concerns. What do you need to get on a company’s payroll by managing its security vulnerabilities?

Educational Background

Security professionals need to be able to deploy, manage and monitor the software and hardware that security vendors provide. Hands-on experience and industry or vendor certification count for much more than any particular academic degree, says Pradeep Aswani, president and chief executive officer of VPN Dynamics, a company that provides security training.

“Certification can get someone a job,” Aswani says. “Folks who have been certified don’t need to have a computer science or engineering degree.”

But they do need to have some knowledge of networking, specifically the TCP/IP (Transmission Control Protocol/Internet Protocol) suite. Expertise in security has to be built from the network foundation.

Gurinder Singh, a Check Point certified systems associate, believes that certifications and accreditations notwithstanding, work experience is the crucial element when seeking a job as a security professional. Singh, a senior network engineer at Cacheflow Inc., stresses that certifications are an added benefit that provides a higher chance to get a job, but only if a candidate has had practical work experience.

For security professionals looking to add to their skill set, two possible certifications are available. They may be vendor specific. For example, Check Point Software’s certification gives a professional detailed knowledge and practical experience in Check Point’s security framework. A Check Point-certified systems associate can work in the IT department of any company that uses Check Point’s products.

On the other hand, certifications can be industry specific, such as the CISSP accreditation. The certified Internet security service professional is one who has been certified by the International Information Systems Security Certification Consortium. This is a recognized industry standard, Aswani says, and the consortium publishes the courseware for the training and examination. Another elaborate and complex certification is the SANS (Storage Area Networks Security) certification. This deals with forensics and intrusion detection and management.

Arvind Narain, senior vice president of product and service development for McAfee, a division of Network Associates, concurs, saying candidates can distinguish themselves by certifications and accreditations. Narain explains that in the current economic environment, software developers with technical certifications and degrees in engineering or computer science will have a better chance to get a job with security vendors. Aswani believes that most security professionals are not certified, but this is bound to change because companies will constantly demand higher expertise as security breaches become increasingly vicious and more frequent.

Characteristics of the Current Security Space

Narain stresses that a security professional needs to be vigilant at all times because managing security is not an eight-hour-a-day job. Vincent Gullotto, who heads the specialized AVERT (Anti-Virus Emergency Response Team) team at Network Associates, which has researchers in five continents and roughly 16 countries, believes that security professionals, especially those in specialized teams such as his, need to be workaholics because the threats are not limited by geographical boundaries.

“Five years ago we lived in a benign world and that has changed,” Narain asserts. “Now 85 percent of viruses come via e-mail.”

Huge layoffs haven’t made things easier for companies because employees vent their frustrations by hacking into corporate sites, Aswani claims. His theory seems to be confirmed by Information Security Magazine’s current survey. It suggests that “insider” security breaches occur more often than external or “outsider” ones, but companies continue to spend more on battling external factors than tightening their internal security systems.

“In a layoff economy you are tempting fate with poor security,” declares a survey respondent.

Yet, the problem isn’t resolved once a company installs a firewall, anti-virus software or URL filters. Continuous monitoring and maintaining contact with vendors who provide newer versions of software and patches are keys to staying ahead of the game.

“In security, you are only as good as your last update,” Narain quips.

Salary Structure

A study conducted by The Broadmoor Group, a Dallas, Texas-based executive search firm, found that annual compensation for top corporate information systems security executives can reach as high as $500,000. At the entry level, a security professional can make anything from $120,000 to $150,000, Aswani says. From the developer perspective, a security engineer can expect a salary between $50,000 and $150,000, depending on technical knowledge and work experience, according to Narain. The salary levels may be an indication that security professionals may witness a surge in demand for their services.

“The threat is real and has to be managed in near real time,” Narain says.
