Companies Pay Premium for IT Security Specialists

Demand for highly trained and certified IT security professionals is surging to levels not seen since the post–9/11 hiring frenzy, forcing CIOs and IT managers to pay more for certified IT workers and adjust their IT budgets to meet the increased security expectations of their customers and their executive management teams.

In the past six months, pay for IT security certifications rose 2 percent–the first increase in more than a year–according to a report issued this week by IT workforce research firm Foote Partners.

Whether it’s vendor–sponsored certification from the likes of Cisco, IBM, HP, Microsoft and Oracle or independent organizations such as the International Information Systems Security Certification Consortium or the SANS Institute, companies are fighting among themselves to keep and attract systems administrators and database analysts who have the ideal blend of technical expertise and security acumen.

"In the past, we’d ask CIOs if their companies were taking steps to strengthen security in the wake of high–profile identity and data theft incidents and about 34 percent of them weren’t," says David Foote, the report’s author. "They need highly skilled people to deal with deadly security issues but some of them seemed to be ignoring the problem. That’s odd because IT usually never ignores anything."

In the immediate aftermath of the 9/11 terrorist attacks, IT organizations bolstered their stables with certified security specialists to protect their systems from possible attacks on their physical infrastructure as well as their business–critical information networks. But as time went on, business reality set in and changed their focus to hiring IT specialists who were highly trained in vendor–specific applications and systems like .NET or Java or UNIX and not necessarily security–specific certification.

But with every new and more insidious data or identify theft incident, customers who don’t want to end up on the front page of the New York Times or the Wall Street Journal are demanding higher levels of security certification from their vendors as well as their suppliers.

Just this week, Fidelity National Information Services revealed the personal information of more than 2.3 million people had been stolen from its database by a wayward employee. The breach occurred at Certegy Check Services, a company that handles check and credit card monitoring for merchants and casinos.

In January, thieves made off with more than 45 million credit and debit card numbers from retailer TJ Maxx in the largest personal data breach ever recorded. And in April, a disk containing information on 2.9 million people went missing from the Georgia Department of Community Health.

"Organizations are swamped with customers asking for help," Foote says. "Nobody wants to be the next TJ Maxx and so they’re demanding security certification from their vendors."

The increased pressure for certified IT workers isn’t limited to the private sector.

In December 2005, the Department of Defense laid out its demands in something called Directive 8570, a policy requiring all Defense Department IT workers and contractors to obtain commercial certification under ISO/IEC standard 17024.

"For last few years, we saw that certifications were losing their value," Foote says. "The only segment of premium pay for certification that’s improving is in IT security."