Security Job Bubble????

paul78 Member Posts: 3,016
I often read a lot of postings on this forum from people who express an interest and desire to become an information security professional. I imagine there is some allure to the field because of the perception of prestige, higher compensation, and a tinge of excitement.

Over the past 2 years or so, I have wondered if the growing number of companies that offer security services and the high demand created by regulation has created some kind of temporary bubble, similar to the demand for web developers during the dot-com bubble.

I read this article last week which I thought echoed some of the same sentiments that I have:

Money talks, but at what cost? - SC Magazine

At some point, I imagine that the supply of professionals in information security will equalize with the demand. While I wouldn't discourage anyone from entering the field, as in all professions, it's always a good idea to understand the time horizon for skillsets and set proper expectations for the future.


  • redz CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) Member Posts: 265
    Not to the dotcom extreme. Government regulations aren't going away - PCI, HIPAA, FedRAMP, et al - these are all here to stay (in some form or another). These effectively force human jobs, and a lot of them. There's also wider variety in security specializations than in web development. Eventually, the supply and demand gaps will get a lot smaller, but I don't think it'll "burst". With constantly changing threatscapes coupled with the moving target of what is possible and what is considered secure, I think that it will probably "very slowly deflate over a very long period of time".

    Ask a developer how hard it is to program a moving target. If they've been doing freelance work for any period of time, they've probably wanted to string up several clients by their Achilles tendons. That alone requires either absolutely incredible advances in machine learning, or human interaction. I don't see having to take a cut in compensation any time between now and my eventual retirement (or bloody death at the hands of an enraged developer)... but I also have expertise and experience in several areas outside security.

    So, short answer: yes. The gaps will get smaller, the compensation will decrease, and the allure will fade. This will probably have as much to do with the inbound workforce as the increases in security technologies (SIEM, anyone?).
  • networker050184 Mod Posts: 11,962
    I agree with redz. It's simple supply and demand. As the supply of candidates grows to meet the demand, the compensation will certainly fall. I see this being more of an issue in the entry-level arena than the technical expert area, and it will be more of a gradual thing than a 'burst', so to speak.

    As fast as technology changes those that keep their skills current on the cutting edge will always be in high demand though. Keep learning or get left behind just like any other sector of IT or technology.
    An expert is a man who has made all the mistakes which can be made.
  • Master Of Puppets Member Posts: 1,210
    I have been thinking about the same thing for some time now. While there is huge demand for security, I think in the next five years it is not only going to stabilize but also get really competitive. There won't be a desperate need for security pros on the market for very long. Everything that breathes nowadays wants to do security. Don't be fooled, this is not only in the US. Some people are talking about saturation of the market and people having a hard time getting a job, but I don't see it; this is a bit extreme, at least for now.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • Thrasymachus Registered Users Posts: 3
    Just as a general thought, the need for security stems from a threat which imposes on the security of the said employer. Threats to the digital, cyber, etc. (buzz word) corporate world will not be going away anytime soon. Most jobs could be easily outsourced and then staffed by any entity that proves itself to be trusted; that, however, is the key to the whole situation. Until security becomes complacent we will see suspicion and distrust amongst employers.
  • it_consultant Member Posts: 1,903
    I have a similar concern for when all of these government contractor IT types are looking for jobs; I sense a bubble coming on.
  • powmia Users Awaiting Email Confirmation Posts: 322
    Information Security, or Information Assurance? Two completely different things. IA is definitely in a bubble. Though, as much as I would love to see the self-licking ice cream cone, that is IA, melt... I think we're stuck with it.
  • redz CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) Member Posts: 265
    Are you saying things like HIPAA and PCI should be revoked and all security should be left to the best judgement of all the pure and kind companies that have historically always acted in the best interest of their clients?

    I think I'm misunderstanding what you're saying... especially since IA encompasses InfoSec...
  • powmia Users Awaiting Email Confirmation Posts: 322
    Yes, you are misunderstanding what I'm saying. I did say that we're stuck with it. If it didn't serve a legitimate purpose, we wouldn't be.

    While the policies and procedures need to be in place, and need competent people assuring that sound practice is followed, too many large organizations have created internal IA empires that have policied networks into such an inadequate state that "availability" has been forgotten.

    DoD IA:

    I will write a policy, stating, "you must have a policy." You will have a policy, since that's the policy. Because of this policy, I will have a job writing policies... self-licking ice cream cone.

    HIPAA, PCI-DSS, SOX, whatever... they are all there for a reason. It's the 20 levels of hierarchy that butcher the interpretation of these policies before someone puts fingers on the keyboard.
  • powmia Users Awaiting Email Confirmation Posts: 322
    Although, apparently security transcends technology.
  • YFZblu Member Posts: 1,462
    Perhaps, but 'security' entails many spaces - Analysis, Engineering, Risk, Access Management, Pen testing, management, etc.

    Additionally, like anything else, you'll have the competent faction and everybody else. The former won't be affected badly IMO. In fact the result could be the opposite if companies are vetting properly.
  • paul78 Member Posts: 3,016
    Some good thoughts...

    I do agree that it is a simple matter of supply and demand. The unknown is what will impact that ratio. As technology matures, the demand for information security professionals will change. My example about dotcom software developers was to relate the type of technician required in the early days of web development - there were little or no web frameworks, so web development required very different skills. Today, web development can be done with scripting skills that are highly commoditized.

    The suggestion of SIEMs, app vulnerability scanners, and static code analysers in security will change the makeup of what is considered an infosec professional.

    Bubble is probably a bit of a drastic, attention-getting term.

    I suspect that one of the first things that will likely impact salaries, in the US, at least, is the labour arbitrage that is starting to occur in security.
  • redz CISSP-ISSAP, ISSEP, ISSMP, CAP (& others) Member Posts: 265
    I should've guessed this from your name, but yes, DoD IA is a catastrophic mess of bureaucracy, much like the rest of the federal government (Hello, sequestration).

    Most private companies that don't have successful IA eventually stop having success, because unlike the federal government they can't go trillions in debt and continue to function. Without successful IA, there's no measure or goals for successful InfoSec - meaning you're spending money with no way to tell if you're over- or under-spending.

    As someone who's either worked or professionally consulted at every level of management for organizations ranging from 8 to 400,000 people, I can assure you it is mostly "better-but-still-not-very-good" outside of the Federal Government.
  • powmia Users Awaiting Email Confirmation Posts: 322
    I use the DoD as a reference, since it drives the point home. I work for integrators... so I see outside that bubble. "better-but-still-not-very-good"... I agree with that.