The old adage that the only thing that's constant is change certainly applies to the world of information security. Whether it's the ever-shifting threat scenarios or the technologies designed to thwart them, new developments seem to be happening all the time.
Because of the dynamic nature of the security discipline, the skills organizations and their security programs need are also continually changing.
We checked in with a number of security executives, industry analysts and recruitment specialists to find out what they see as the most in-demand skills today and in the coming months. Here are some areas they noted.
Whether it's through bring-your-own-device (BYOD) or company-provisioned products, businesses are increasingly relying on mobile workforces. Mobile computing and communications have introduced new vulnerabilities and threats, and finding people with the know-how to address these will become increasingly important.
"The higher you go up the mobility stack--network up to operating system and finally up to application security--the harder the security skills and technologies are to understand," says Tyler Shields, senior analyst at Forrester Research Inc.
"The lower layers of the stack are a bit more commoditized and have tools that can help automate some of the security controls and auditing," Shields says. "Application security flaws are generally one-off type flaws that require significant reverse engineering and coding skills to successfully discover and exploit. In general the application security arena is one of the most difficult to find subject matter experts. Mobile security is also in short supply due to the young age of the technology."
Big data and data science skills such as advanced analytics are in demand in a number of specialty areas, and security is not exception. People who can make sense of security-related data that's being gathered from multiple sources will likely be in demand for some time.
"We look beyond traditional IT and security skills. For example, it's really important to have a good view on data analytics and privacy," says Siobhan MacDermott, Utilidata's CISO at Utilidata, a company that provides software specifically for the utilities industry.
It's even better if people have analytics skills focused on a specific sector. "As cyber security and privacy converge, it's important to ensure that we're staying on top of trends in our industry," MacDermott says. "Being in the utility space, we have developments that are heading our way in smart grids, for example, and we're looking to hire people today for a future skill set."
While data analytics for security is not new, it's getting increasingly more important, says James Yang, director of disaster recovery and IT risk management at Cummins Inc., a provider of engines and related technologies.
"The market has started demanding IT security professionals to have the business acumen to understand business-prioritized risks, correlate what seems to be isolated concerns into identifiable patterns and trends, and have the ability to communicate risk in the holistic manner," Yang says.
The security skill set most in demand is the security analyst, who conducts the integration and testing, operation and maintenance of systems security, says Hord Tipton, executive director of the International Information Systems Security Certification Consortium Inc., (ISC)², a global, not-for-profit organization that provides education and certification for information security professionals.
"In addition, a security analyst possesses significant, higher-order skills and has a deep understanding of all business systems, knowing what information an organization cannot afford to lose," Tipton says. "They are proficient in cyber threat analysis and in identifying and assessing the capabilities and activities of cyber criminals or foreign intelligence entities."
They may also analyze threat information from multiple sources and disciplines, Tipton says, synthesizing it and placing it into context while drawing insights about the possible implications.
As organizations move more traditional back-end applications to the Web, the demand has grown for individuals with application security skills, says Jay McLaughlin, CSO of Q2, a provider of software for the financial services industry.
"These individuals have strong security and development knowledge and can bridge the growing gaps in the [systems development lifecycle] process," McLaughlin says. "From a CSO perspective, most are concerned about improved intelligence-- specifically around potential threats and incident detection."
With more and more companies in the news publicly disclosing breaches, "the odds of a company facing this reality--well, let's just say the fear is real," McLaughlin says. "Organizations need security professionals who can help them get ahead of these threats."
Security architects and investigators
Security architects define how security strategies, solutions and practices need to evolve to keep up with both the changing threat landscape as well the changing business environment, with the adoption of bring-your-own-device/mobility, cloud, big data, and other emerging areas, says Sujata Ramamoorthy, director of Global Information Security at Cisco Systems.
"Understanding threats and risks in this complex environment that spans multiple products, providers and users and then determining solutions to appropriately manage the risks with investment protection is very challenging," Ramamoorthy says.
Security investigators are also becoming critical for companies looking to detect and respond to attacks in a timely fashion, Ramamoorthy says. "Attacks can come from multiple directions both inside and outside the enterprise, and it takes skilled engineers to design comprehensive detection mechanisms and analysts/investigators to comb through all the sources of information to find the needle in the haystack," he says.
Point-of-sale security is a hot area for employment, Shields says. "The need for these skills is being driven by the transition of cyber criminals from traditional PC attacks to mobile and point-of-sale system attacks," he says.
Many of the recent high-profile security compromises have been in the point-of-sale space, Shields notes. "Securing these hardware devices and the software that runs on them takes additional security skills that most general network security engineers do not yet possess," he says.
Hacking experts/penetration testers
The idea of hiring hackers might generate controversy in certain quarters, but people with such knowledge can be valuable to some organizations.
"We're seeing two trends when it comes to new security skills emerging," says John Reed, senior executive director of Robert Half Technology, a provider of professional staffing services. "The first is the demand for ethical hacking. Basically, this is just hiring hackers to do penetration testing on your network to uncover vulnerabilities and then advising organizations on how to correct the issue."
The other trend is an increase in demand for IT forensic examiners, "basically a person who can track down where an intrusion or hack has come from and exactly what has been compromised," Reed says.
Security programs will need people with the skills to help educate users about security risks and vulnerabilities, says John Pescatore, director of emerging trends at The SANS Institute, a research and educational organization. This includes professionals who are good at talking people into doing things they never really did own their own, he says.
"I think we'll see continued growth in demand for people with the soft skills' to increase the effectiveness of user awareness and education--what SANS calls securing the human side," Pescatore says.
There are two main reasons for this, Pescatore says. One is that attacks are becoming much more targeted, "and as we've seen in the recent Target and eBay breaches, the target is increasingly people with access--very targeted phishing campaigns," he says. These are conducted not just through email but through phone and social media as well.
Another reason is "the old security awareness way of posters in the lunchroom and annual watch this video' didn't work and never will," Pescatore says. "But as people start using smartphones and cloud services at home, there are ways to relate to that use and help them think about reducing their own risk in using these services--versus always focusing on the company's risk. That seem to have better results in changing some user behavior."
How to find the skills you need
One thing about information security that a lot of people agree on is that there's a big need for skilled professionals.
"Most of the demand is across the board; there is a shortage of skilled security people, security people who can actually do' security versus pass a multiple-choice test on security," says John Pescatore, director of emerging trends at The SANS Institute, a research and educational organization.
"We believe hands-on skills training and certification is key, and the demand for our courses--both in person and online--seems to bear that out," Pescatore says.
SANS is working to bring together CISOs to support a program called VetSuccess, where returning veterans with cyber security skills are mentored in private industry so they can have successful careers and increase the overall size of the cyber security talent pool.
SANS also has other programs, such as CyberAces, that works with high school and community college students with high aptitude for technical achievement in information security, to discover their talents, develop their passion and determine where their talent can best be nurtured, Pescatore says.
Enterprises and recruiters should look toward engineers and programmers that show an interest in the security field, says Tyler Shields, senior analyst at Forrester Research Inc. "Having the development and debugging background will help them to quickly transition into high level security practitioners," he says.
Another interesting source of security talent will come from the quality assurance (QA) department, Shield says. "QA is already adept at testing and analyzing products and code for bugs and errors," he says. "The primary difference between QA and security assessment is the intent of the attack. In QA they just want to find bugs, while in security they want to find security exploitable bugs."
Regardless of where the talent comes from, organizations will clearly have a need to recruit people with a variety of security-related skills.
"Building a strong cyber defense means building a workforce that has the skills to handle the vast majority of threats to data, like malware or hackers seeking financial information," says Hord Tipton, executive director of the International Information Systems Security Certification Consortium Inc., (ISC)², a global, not-for-profit organization that provides education and certification for information security professionals
"It takes skill and manpower to root out these threats and the proper tools, in the form of secure applications and software code," Tipton says. "We also need well-trained and certified people who are capable of recognizing and mitigating threats. A key component of raising awareness for enterprise users is to know what threats they are facing."