Security Manager's Journal
By C.J. Kelly
NOVEMBER 07, 2005
My decision to stay in my current job for quality-of-life reasons
provoked emotional responses from several readers. Some of those who
wrote to me about that column [QuickLink 57182] had made similar
decisions. But a few, after reading about how I turned down multiple
job offers, asked, "Where are all these jobs you keep talking about?"
I felt compelled to do a little research on the information security
job market and present the results here.
First, I did an unscientific survey of the publicly posted jobs. In my
case, most of the jobs I've had have come from personal referrals, so
when I'm looking, the first thing I do is contact my network of
friends and colleagues. However, I have found that searching the job
boards gives me a sense of the types of jobs that are out there, who's
hiring and approximate salary ranges.
I set out to answer five questions with this research:
1. How many security jobs are out there?
2. What types of security jobs are out there?
3. What requirements do employers have for certifications and degrees?
4. What parts of the country have more security jobs than others?
5. What are the salary ranges?
Whenever I'm contacted by a recruiter looking for security
professionals, I point him in the direction of the International
Information Systems Security Certification Consortium Inc., or (ISC)2,
which offers the Certified Information Systems Security Professional
(CISSP) certification. When I checked its site, the (ISC)2 had over 80
security job postings, many with multiple positions, for the month of
October. The positions ran the gamut from salespeople to technical
security engineers, executives and consultants. The companies
advertising for security professionals were located all over the map,
including Canada, England, Saudi Arabia and California. Eighty didn't
seem like a very big number, though, so I surfed to some of the major
Each job board has its own way of making searching easier, but by
searching for "CISSP" for October, I got the following results: Dice,
645 matches; HotJobs, 1,000; CareerBuilder, 713; Monster, over 800
There were plenty of job postings from the Big Four consulting houses
looking for security types to do audit work, traveling 100% of the
time for $40 per hour or less. For a qualified security professional,
that's practically minimum wage. Working for one of the Big Four looks
good on your resume, gives you a lot of experience (primarily in IT
audit) and makes you an expert in dealing with airports, hotels and
rental car companies. I would exclude the big consulting companies.
They charge exorbitant prices, but very little of that goes to the
consultant who does the job. I also think companies would do better
hiring full-time security people and internal auditors. (No offense to
you Information Systems Audit and Control Association types; I am also
The biggest problem with searching was finding the right security job
description for me. There's no real agreement on what constitutes a
security engineer as opposed to a security analyst or a security
architect. Executive positions (director level and above) aren't
always posted, but those that are seem to be fairly clear about
Types of Jobs
The answer to the question about the types of jobs out there: You need
to know what you are best at and look for jobs that match your skill
set. There are plenty of opportunities, though many of them are ill
defined. Many companies don't really know what they want and need, so
you have to keep knocking on doors until you find one that swings open
As for certifications and degrees, my first conclusion is that you
should finish that bachelor's degree if you haven't already done so.
Not too long ago, technical people were hired based on a particular
skill set, not necessarily on formal education. But the trend now is
toward demanding that sheepskin, and a bachelor's degree seems to be
the minimum requirement for a large number of posted jobs. In many
cases, a master's degree is desired. I also found that employers want
degrees to be supplemented by a string of technical certifications.
The bar seems to be rising.
The CISSP is a very popular and highly regarded certification, but the
SANS Institute also offers an excellent certification series that's
highly respected. As Linux becomes more mainstream, Red Hat
certifications are growing in importance. Microsoft offers the MCSE+
security certification. And let's not forget Cisco. There are many
certification programs, but these are on the short list. They are all
valuable, each with a different emphasis. The trick is to find the
openings that fit your certifications and skills, and just keep
knocking on those doors.
In the U.S., the West and East Coasts appear to have more security
jobs than other parts of the country, and they pay more -- sometimes
two to three times as much. Just remember that the cost of living
matches those increased pay scales. I noticed that the job boards all
have ways of doing area or metro searches, so with a little practice
you should become fairly proficient at searching various locales for
particular kinds of jobs.
As for salaries, they've been all over the map in recent years, and
employers seem to be hesitant to post anything specific about them.
Just remember to value yourself and your skills in advance so that
when you are contacted by a prospective employer, you will be
confident in your market value. Remember, it's not about the money.
It's about doing what you love where you love to do it.
What do you think?
This week's journal is written by a real security manager, "C.J.
Kelly," whose name and employer have been disguised for obvious
reasons. Contact her at mscjkelly at yahoo.com, or join the discussion
in our forum: QuickLink a1590 