http://www.networkworld.com/columnists/2007/071707-johnson.html
By Johna Till Johnson
Network World
Eye on the Carriers
07/17/07

Would you trust a carrier with your security services? Surprisingly, the
answer may well be “yes.” More than half of the companies I work with
say they’re using managed or carrier-based security services. Typically,
these are basic services such as firewall management or IDS/IPS. And
pretty much nobody has fully outsourced security management; typically
these “commodity-management” services operate in conjunction with
in-house security.

But most folks say they’d consider expanding their use of managed and
carrier-provided security services. Why? The top driver is a lack of
skills internally. “The thought was that we could do it just as well
ourselves, but it's been made abundantly clear that's not the case,”
says one IT executive.

Why are folks having trouble rounding up the skills? A key reason is the
high — and increasing — cost of security specialists. Senior-level
security staffers command as much as $250,000 per year, due to a chronic
shortage of such individuals. The typical senior-level security staffer
makes $100,000, and the typical junior-level staffer makes $62,500. By
“senior-level” security person, we’re talking a certified information
systems security professional (CISSP) or above, someone whose
responsibilities focus primarily on policy development and architecture.
(A junior-level person is more likely to concentrate on things like log
auditing or task management.)

There’s a wide degree of variation, though — both regionally (workers on
both coasts command slightly higher salaries than in the heartland) and
in terms of ranges (only about 20% of the companies I work with are
paying more than $140,000 for a senior security specialist).

But the bottom line is that there are more senior-level security jobs
than people, and as a result, companies are willing to pay a premium for
the right skills. “They had to break the bank to get me,” says a senior
executive of his company — and he’s paying his team of top-tier security
people $240,000 per year.

If reading this inspires you to consider shifting fields, you may first
want to ponder a few other issues. First is that skills shortages
generally respond well to market forces; a few years ago, when routing
was a rare discipline, Cisco Certified Internet Engineers commanded
top-dollar salaries, but as the number of CCIEs increased, the average
salary declined. So shifting your technical focus probably won’t pay off
in the long term — if that’s all you do.

That said, what does pay is a willingness to assume both risk and
responsibility. Increasingly, the top-level security specialist in many
organizations is a member of the board — which means he or she is
personally liable for attacks. Moreover, security is gradually morphing
into an overall “risk-mitigation” specialty — which means security teams
are doing more, and wielding more authority, than ever before. And the
assumption of risk and responsibility doesn’t get commoditized as
rapidly as technical skills — so doing so is a good long-term bet.

The bottom line? If you’re willing to invest in acquiring a new skill
set and assume additional risk and responsibility, consider focusing on
security services. If not — look to the carriers and MSPs to enhance
your company’s security.

All contents copyright 1995-2007 Network World, Inc