Information security recruitment: How to move on in turbulent times

Not surprisingly, given the economic backdrop, the information security recruitment market has slowed. The first obvious signs of this downturn were evident from the third quarter of 2008 in the financial services sector. It has subsequently spread, with recruitment freezes and lower vacancy generation as fewer vacancies are backfilled. Fewer security practitioners are voluntarily entering the recruitment market, fearful of moving jobs during an uncertain time. However, overall more candidates are registering due to the threat of, or actual, redundancy.

Although unemployment in the UK is now rising rapidly, information security is not as badly hit as other areas. It has become a business-critical function and is no longer purely tied to IT, an area where costs are often the first to be cut during downturns. Therefore, we have not seen, nor are we anticipating, the high number of unemployed security practitioners that occurred in 2002 after the dot com bust.

Some areas of information security are more badly affected than others. As expected, the banking sector has been worst hit, with a high number of redundancies and few banks actively recruiting. The UK banking industry appears to be in the process of being nationalised, and in the US three of the five leading investment banks no longer exist as independent entities and two do not exist at all. For those working in the sector it will be a difficult time to move on, as opportunities are very limited. More unfortunate are those who have been made redundant and are now facing the prospect of finding a new position during the recession.

There are areas of the information security market where recruitment is less affected, most noticeably the public sector. Many major consultancies and systems integrators continued to recruit security practitioners during 2008 to work on long-term government projects. This slowed somewhat from the final quarter of 2008, but we anticipate recruitment in this area will continue during 2009. Most commonly the skills required are security architecture and design, security risk assessment and security policy development.

Identity Management (IdM) has been a skill in demand over the last two years, although demand is slowing since the Sarbanes-Oxley compliance work that was driving it has mainly been completed. PKI is likely to be an area where we should see new demand, partly due to the Transglobal Secure Collaboration Program (TSCP), which uses IdM and PKI. In addition, following the high-profile data losses of the last two years, the number of encrypted hard drives in the UK is set to increase. Encryption is now a UK government requirement and we anticipate the private sector will follow, hence we expect to see new roles in PKI this year.

Penetration testing has boomed in recent years. Generally there has been consistent demand, primarily from the consultancies that offer this service and also from some end-users who directly employ penetration testers. However, there has been a slowdown as the bulk of employers of pen testers, boutique as well as global consultancies, have become more cautious. Also, many security practitioners have a fear (though more often perceived than real) about moving jobs during a recession. As a result fewer penetration testers are leaving their positions, resulting in fewer roles to backfill.

Managed Security Services (MSS) and Security as a Service (SaaS) are market areas which are less likely to be negatively affected by the recession. When companies do not wish to spend IT budgets on new technologies, or on implementing, integrating, configuring and managing those technologies in-house, it makes financial sense to outsource. There has been more recruitment in these areas in the last year, and we expect it to continue at all levels, from senior management through to hands-on operational roles.

Other areas of growth for 2009 include companies looking to recruit their first Information Security Officer, usually a stand-alone post with no direct reports, reporting into the COO, Head of Risk or CIO. Such roles have been created due to PCI compliance, FSA regulation and the need to counter the reputational risk of data leakages. Also following data leakages, the Hannigan Report, which highlighted improvements such as increased encryption, penetration testing and a raised awareness of information security across government departments, should create more roles in the public sector. In addition, the private sector has responded by investing in privacy personnel and aligning with ISO 27001, which is also likely to create new business-critical positions. The contract security market, although it previously experienced a slowdown, has begun to pick up and is likely to continue to do so, particularly in the public sector.

Overall, 2009 will see a decline in the creation of new vacancies and as such the pool of redundant information security practitioners will increase. However, as information security is essential to business, many positions are secure and backfilling of certain open roles will need to occur. Whilst information security will not be as badly affected as other areas, any upturn in recruitment generally does not occur until a recession is over. It is therefore hard to predict how long the market will remain subdued.

For security professionals entering the recruitment market, we would recommend increasing their marketability by undertaking professional certifications desired by prospective employers, such as CISSP, CISM or ITIL. Depending on the type of role sought, it may also be useful to pursue vendor certifications. For example, if a security practitioner is looking for a hands-on technical role involving Check Point firewalls it would be beneficial to gain the CCSE and CCSA certifications, and equally to gain certifications for the other vendors’ products they work with. The technologies most highly rated in the security industry and most commonly used are generally the ones security professionals should aim to certify in first, so long as they are relevant to the type of role they will be seeking.

It is important to remember that a CV is what determines in the first instance whether a candidate is invited to interview, either with a potential employer or with a recruitment agency. During the recession agencies and employers will be receiving an unprecedented number of CVs, so it is crucial that a CV is written to a high standard. This does not mean keeping it to two pages, but it does mean clearly and succinctly providing all the relevant skills and experience for the specific role for which you are applying. It may mean candidates need two or more CVs that focus on different skill areas, such as one for security consultancy opportunities and one for security management positions.

Preparation for interviews is absolutely essential, and it is surprising how often this is overlooked. Many people spend hours studying for exams, and years for a degree, which help get the interview request, but do not put the time in to prepare for the interview itself. It is key to set yourself apart from other candidates by showing interest in the company and knowledge of their business. We suggest researching the company’s website to gain information about their business and, if possible, the division in which the role will be based. Try to find out about the people who will be conducting the interview and, importantly, the type of interview, so that you can prepare specifically for it. If it is a technical interview or test, try to find out what areas it is likely to cover so you can study in advance. If you are likely to undergo psychometric or aptitude tests, undertake some of the practice tests that can be found on the internet. If it is a competency-based interview, you can prepare by anticipating the type of questions you are likely to be asked and preparing your best answers.

Barclay Simpson are exhibiting at Infosecurity Europe 2009 held on 28th – 30th April in Earl’s Court, London.