Security services: the high cost of skills and staffing

By Johna Till Johnson
Network World
Eye on the Carriers

Would you trust a carrier with your security services? Surprisingly, the 
answer may well be “yes.” More than half of the companies I work with 
say they’re using managed or carrier-based security services. Typically, 
these are basic services such as firewall management or IDS/IPS. And 
pretty much nobody has fully outsourced security management; typically 
these “commodity-management” services operate in conjunction with 
in-house security.

But most folks say they’d consider expanding their use of managed and 
carrier-provided security services. Why? The top driver is a lack of 
skills internally. “The thought was that we could do it just as well 
ourselves, but it's been made abundantly clear that's not the case,” 
says one IT executive.

Why are folks having trouble rounding up the skills? A key reason is the 
high — and increasing — cost of security specialists. Senior-level 
security staffers command as much as $250,000 per year, due to a chronic 
shortage of such individuals. The typical senior-level security staffer 
makes $100,000, and the typical junior-level staffer makes $62,500. By 
“senior-level” security person, we’re talking a certified information 
systems security professional (CISSP) or above, someone whose 
responsibilities focus primarily on policy development and architecture. 
(A junior-level person is more likely to concentrate on things like log 
auditing or task management.)

There’s a wide degree of variation, though — both regionally (workers on 
both coasts command slightly higher salaries than in the heartland) and 
in terms of ranges (only about 20% of the companies I work with are 
paying more than $140,000 for a senior security specialist).

But the bottom line is that there are more senior-level security jobs 
than people, and as a result, companies are willing to pay a premium for 
the right skills. “They had to break the bank to get me,” says a senior 
executive of his company — and he’s paying his team of top-tier security 
people $240,000 per year.

If reading this inspires you to consider shifting fields, you may first 
want to ponder a few other issues. First is that skills shortages 
generally respond well to market forces; a few years ago, when routing 
was a rare discipline, Cisco Certified Internet Engineers commanded 
top-dollar salaries, but as the number of CCIEs increased, the average 
salary declined. So shifting your technical focus probably won’t pay off 
in the long term — if that’s all you do.

That said, what does pay is a willingness to assume both risk and 
responsibility. Increasingly, the top-level security specialist in many 
organizations is a member of the board — which means he or she is 
personally liable for attacks. Moreover, security is gradually morphing 
into an overall “risk-mitigation” specialty — which means security teams 
are doing more, and wielding more authority, than ever before. And the 
assumption of risk and responsibility doesn’t get commoditized as 
rapidly as technical skills — so doing so is a good long-term bet.

The bottom line? If you’re willing to invest in acquiring a new skill 
set and assume additional risk and responsibility, consider focusing on 
security services. If not — look to the carriers and MSPs to enhance 
your company’s security.

All contents copyright 1995-2007 Network World, Inc
