Would you trust a carrier with your security services? Surprisingly, the answer may well be "yes." More than half of the companies I work with say they're using managed or carrier-based security services. Typically, these are basic services such as firewall management or IDS/IPS. And pretty much nobody has fully outsourced security management; typically these "commodity-management" services operate in conjunction with in-house security.
But most folks say they'd consider expanding their use of managed and carrier-provided security services. Why? The top driver is a lack of skills internally. "The thought was that we could do it just as well ourselves, but it's been made abundantly clear that's not the case," says one IT executive.
Why are folks having trouble rounding up the skills? A key reason is the high -- and increasing -- cost of security specialists. Senior-level security staffers command as much as US$250,000 per year, due to a chronic shortage of such individuals. The typical senior-level security staffer makes US$100,000, and the typical junior-level staffer makes US$62,500. By "senior-level" security person, we're talking a certified information systems security professional (CISSP) or above, someone whose responsibilities focus primarily on policy development and architecture. (A junior-level person is more likely to concentrate on things like log auditing or task management.)
There's a wide degree of variation, though -- both regionally (workers on both coasts command slightly higher salaries than in the heartland) and in terms of ranges (only about 20 percent of the companies I work with are paying more than US$140,000 for a senior security specialist).
But the bottom line is that there are more senior-level security jobs than people, and as a result, companies are willing to pay a premium for the right skills. "They had to break the bank to get me," says a senior executive of his company -- and he's paying his team of top-tier security people US$240,000 per year.
If reading this inspires you to consider shifting fields, you may first want to ponder a few other issues. First is that skills shortages generally respond well to market forces; a few years ago, when routing was a rare discipline, Cisco Certified Internet Engineers commanded top-dollar salaries, but as the number of CCIEs increased, the average salary declined. So shifting your technical focus probably won't pay off in the long term -- if that's all you do.
That said, what does pay is a willingness to assume both risk and responsibility. Increasingly, the top-level security specialist in many organizations is a member of the board -- which means he or she is personally liable for attacks. Moreover, security is gradually morphing into an overall "risk-mitigation" specialty -- which means security teams are doing more, and wielding more authority, than ever before. And the assumption of risk and responsibility doesn't get commoditized as rapidly as technical skills -- so taking them on is a good long-term bet.
The bottom line? If you're willing to invest in acquiring a new skill set and assume additional risk and responsibility, consider focusing on security services. If not -- look to the carriers and MSPs to enhance your company's security.