Hiring Trends: Information Security Bucks the Recession - David Foote, Foote Partners
This is the posture of David Foote, CEO and chief research officer of Foote Partners, an IT workforce research firm.
In an exclusive interview, Foote discusses:
Foote has long been one of the nation's leading industry analysts tracking, analyzing, and reporting on IT workforce management and compensation practices, trends and issues. His columns, articles and contributions appear regularly in dozens of publications. As Foote Partners' CEO and Chief Research Officer since 1997, David leads a senior team of experienced former McKinsey & Company, Gartner, META Group, and Towers Perrin analysts and consultants, and former HR, IT, and business executives, in advising governments and corporations worldwide on increasing performance and managing IT's impact on their businesses and customers. Prior to co-founding Foote Partners in 1997, David was an analyst and consultant with Gartner and META Group, co-founding and directing META's executive service for Chief Information Officers and leading the firm's IT Human Capital Management and Compensation research practices.
TOM FIELD: Hi this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the IT workforce, and we are talking with David Foote, Co-Founder, CEO and Chief Research Officer with Foote Partners, an IT workforce research firm. David, thanks so much for joining me today.
DAVID FOOTE: You bet, Tom.
FIELD: Just to get us started here, why don't you tell us a bit about yourself, about your firm and exactly what you do?
FOOTE: Well, we are a bunch of analysts that come out of the big analyst firms. We have been around for about 12 years. I worked as a partner in another group. Our focus is mainly, in a nutshell, on the execution of the IT organization versus the recommendations on the purchasing of hardware, middleware, software. We look very much at the world from what happens once you have made these purchases. This largely becomes an issue of workforce. So, we have developed a lot of independent research, benchmark research, that I will be drawing from today, and that involves a group of just over 2,000 companies in the U.S. and Canada, covering close to -- I think we are up to about 89,000 IT workers, and we publish benchmark research on them, and we also look to this group for a lot of our analysis of what is happening out there in the markets, as we test some of the data that we are seeing. So, it allows us to draw a lot of inferences about trends in the market -- hard data and empirical data.
FIELD: Now, I have seen some of your compensation surveys, and they indicate that pay for IT security skills and certifications has continued to rise, despite the recession. What do you see as driving that rise?
FOOTE: Well, you know, the easy answer might be compliance, and you would be partially correct. But you would be missing most of what we see as the main drivers. There has been a big shift, particularly in budgets, from external threat defense to protecting data assets, and this has obviously created a big shift in the demand for the kind of skills and people you need to be doing this. In fact, in a CSO/CISO survey that we do twice a year, data security has now come up as the number one issue for security decision makers. And if you look at budgets right now, you have got IT budgets this year that are down between about 7 and 9 percent, depending on what analyst firm you look at, but it is interesting that security budgets this year are basically flat, and part of this is because the percent of the IT operational budget devoted to security was 7.2 percent in 2007, but now in 2009 it has risen to 12.6 percent.
So, we have taken a larger chunk of the IT budget, which even if that is declining, that keeps security again at pretty much a flat point. We are going to spend about as much money this year as last year.
But I would say that the role of the security organization has changed very much from sort of a support infrastructure role to much more of a central, business-centric view. It now isn't just about operations in the business; it is about protecting brands, protecting corporate reputations, protecting finances. And if you look at what the problem has been there, it has been a very high rise in high-volume thefts of credit card information, Social Security numbers, personal data, the rising costs of these breaches, the fact that these breaches have started to trigger state disclosure laws that have brought damaging publicity and damaged brands and reputations of companies. If you look at at least five threats I know of which perimeter-focused security misses, it seems these trusted relationships between partners and users were where we heard back, starting in late 2005 and the beginning of 2006. We put out an alert about this to our various customers, that we saw that it wasn't so much compliance that was driving a lot of demand for skills; it was the fact that customers of companies were starting to get very nervous about the data that they had in the systems and going across the networks of some of their providers.
They started to make noises about this to salespeople, who got that message to executives, and they were saying 'Look, we have got a problem, and we may lose some marketshare, we may lose over this issue of our products and services or the way we do business not being secure enough.' So it began coming out of this sort of operations area to this whole other area of protection of business assets and ultimately revenues.
I would also put in this group of threats that perimeter-focused security is missing, and that has created a new demand for additional security skills. You know, web application vulnerabilities; over 50 percent of all reported vulnerabilities are web application vulnerabilities. You have got a lot of missing devices, laptops, mobile devices and such that will cause security problems; we know about a lot of examples of this. You have got custom malware running under the radar of established signatures right now. And you have got social engineering and basic user ignorance and company ignorance about Web 2.0 threats.
So you have got a lot of things that have transpired over a period of time, and way back in 2006 we told our customers that we saw basically a big change coming in demand for people and skills, particular skills, that was going to hit in about the Fall of 2007, and that is exactly what happened, and it has been carrying through.
Since October of 2008, when Wall Street sort of imploded, security certifications have gained 1.3 percent in value in our survey. Overall, the 190 certifications we surveyed have lost 2.8 percent in value, so clearly security certifications are going in a completely opposite direction from the rest of the certifications that are out there. And I mention this because in the certification business those are heavily infrastructure certifications, networking and systems, not security, so we tend to see changes in security labor issues and pay showing up in that area versus the non-certified, but it is also showing up in the non-certified.
FIELD: So, David, when you look at those skills and certifications related to security, which ones would you single out as perhaps providing the largest employment opportunity for skilled workers right now?
FOOTE: Well, we have a hot list that we publish that takes into account what we are seeing in terms of changes in pay, which is an indication of the difference between supply and demand. As demand grows greater, then supply can go up in value, but you have a number of other things you have to look at. You have to look at budgets, what people are spending, how line-item spending has changed; you have got to talk to a lot of people too, and we are out there talking to 2,000 companies.
Now on this list of 25 of what we think are the hot certifications right now, eight of those are security, and specifically the GIAC Certified Incident Handler from the SANS Institute, the Cisco Certified Security Professional, two more SANS certifications, the GIAC Certified Forensic Analyst and GIAC Certified Intrusion Analyst, and the Internet Manager, the EC-Council Certified Hacking Forensic Investigator, we also have on that list the CWMP, which used to be called [indiscernible], the Certified Wireless Security Professional, and we have got the Security Certified Network Architect certification as well.
So we have got some real evidence. We can't go into a lot of detail on this, but I can say that some of these certifications I mentioned to you a moment ago are up in pay between 9 and 25 percent in the last six months, and in this recession that is big, big news. To have anything growing in value in such a short amount of time -- some of those in the last three months are up over 10 percent.
FIELD: So, David, what areas of security do you think are going to see the greatest increase let's say over the next six to 12 months?
FOOTE: Well, if you look at pay, again, there is a gap between supply and demand, but it is clearly forensics analysis, it is incident handling analysis and security architecture (which is another one I didn't mention before), ethical hacking, network security and security management. If you look at our workforce demand survey, which is another bit of research we do, not just specifically in security but in all of IT, the ones that we pulled out that relate to security show very much a demand now and through the end of the year and probably into the first quarter of 2010, and are as follows: forensics, identity and access management, intrusion detection and prevention systems, penetration testing, threat and vulnerability assessment (although that is probably going to be outsourced and probably going to be a third-party thing; some companies will do it internally, but many are going externally to do these independent assessments), you have got litigation support, you have got e-discovery, you have got disk and file-level encryption solutions, you have got data protection, or as some people call it data loss prevention, you have got application security ... and you have got this whole area of governance, compliance and audit, what we call GRCA, which is governance, risk management, compliance and audit.
There is an interesting certification that has just come out; it is new and it hasn't been around long enough to track as far as pay is concerned, but it is called the Certified Governance and Enterprise IT certification, which is trying to bring certified people into this area of GRCA. So I have just mentioned a few of them to you. There are some more, but I think those are the general areas of growth right now.
FIELD: Aside from direct information security, what are some of the related areas that are also showing strong pay demand trends? It sounds like you are touching upon some of those in terms of soft skills and business.
FOOTE: Yeah, but I would answer your question in the time that we have in the following way. You know, web application security, secure software development, the idea of proactive security programs spanning an entire application's life cycle; this is really big. There are a number of skills that I could cite to you ... there are all of these specific skills relating to web application security. This is coming in a very big way.
Part of it is obviously driven by our president's interest in digital records and electronic medical record systems. The skills that will be needed in that are in access control, data integrity, data loss prevention, application security challenges ... You have got securing the virtualized environment ...
You have got a lot of network security issues. I mentioned some of them before -- wireless, mobile; that continues to be a drumbeat that has affected pay and demand. You have got architecture that is affected in our data. In our most recent data, in addition to all of the other architects that we have (network, information, data, enterprise architects, applications architects), now we have got an interest in and large demand for people who can construct proper security architectures. And you have got a number of other areas; I just mentioned a few right there, but suffice it to say that in general there has been a real broadening of the view of what security means in organizations.
And, again, going back to this idea that it has now grown beyond external threats to the fact that, when you come right down to it, a lot of security threats are internal in organizations. And what we are seeing most recently in the national news stories is that that is what has been happening, connected with angry workers about to be laid off or having been laid off. We have got a whole new set of concerns.
FIELD: One last question for you David. We have got some experts, as you know, that are saying that the recession has bottomed out, and others are saying it is going to be some time before the job market improves. Based on what you see, what do you think the market will be for information security professionals and IT jobs in general?
FOOTE: Well, if you have been watching the month-to-month press releases from the Department of Labor and the Bureau of Labor Statistics, where they track unemployment in the country, something really interesting happened in July that I hadn't seen happen or occur in the five months prior to that.
There are five bellwether categories of IT employees, and security is certainly part of this group. In the Bureau of Labor Statistics employment situation numbers, every month since February there has been a net loss of 3,000 to 11,000 IT workers in this country a month. All of a sudden in July there was a net gain of 7,400; there was literally a swing of 15,000 employed people from a loss of 7,600 in June to a gain of 7,400 in July. Overall, there seems to be a thaw in this economic winter, at least in July, for IT workers.
I know that a number of companies are hiring not just security people, but a lot of them are looking to hire a number of IT workers. Or let's just say they are rearranging their workforce so they have the correct skills in place, and that is driving part of this. It is not simply budget reductions, but the fact that we need to have a sort of a different constitution to our workforce from the point of view of skills available to do the work at hand. Certainly security is part of that as I have just said, but will this sudden July surprise that we have seen, will that continue? Is that a trend now?
I am not prepared to say that, so talk to me in September or October, and if we see more of this, where we have overall losses in employment in this country but we are starting to see numbers in the black for IT, then I will tell you that you probably have a trend. And then I would begin to tell you what I think security numbers might be, and for the others we will have to process a little more of our benchmark research before I am willing to put a stake in the ground on that.
FIELD: Excellent. Well, David, I know we have only scratched the surface of what you have to offer. Where can some of our listeners go to find out more about some of the research that you have done and some of the trends that you are seeing?
FOOTE: Well, we are available at www.footepartners.com, and we put a lot of research up on our site. If you are lucky enough to be on one of our mailing lists, about every two to three weeks we send out research alerts, and we have no problem putting a lot of trend data in any of those. And that is available to anybody who wants to participate; it is just basically an option on our site. And of course we have more than 140 or 150 research reports that are all benchmark reports having to do with the IT workforce that are updated every two months and made available to the general public.
FIELD: Very good. David, I appreciate your time and your insight today.
FOOTE: Thank you.
FIELD: We've been talking with David Foote of Foote Partners. For Information Security Media Group, I'm Tom Field. Thank you very much.