Gartner: Future IT security jobs to focus on risk management strategy

By Linda Tucci, Senior News Writer
01 Jul 2009 | SearchCIO.com

NATIONAL HARBOR, MD. -- What does the future of information security threats and technologies look like, and how will that affect roles and staffing in the IT or IT security organization? If experts at the Gartner Information Security Summit here are correct, IT security jobs will become less about security technology and much more about risk management strategy, as threats either max out, in one scenario, or become so complex that security jobs will change nonetheless.

Indeed, for dyed-in-the-wool techies, the fun's done. Maturing technologies and services will co-opt much of the hard technical work of protecting the enterprise, and the demand for low-level proficiency will largely be filled overseas in cheap labor markets, they said.

In a series of keynote sessions, speakers drove home the point that instead, IT security professionals increasingly will be asked to act as advisers to senior business management on risk management strategy.

"Can you effectively report to senior management what the overall current risk position is of your organization, at least within the scope of IT? You will be asked to," said Gartner Inc. analyst F. Christian Byrnes.

If security technologists hope to thrive, Byrnes said, they will need to master disciplines more typically associated with the business: risk management, relationship management and process management. Understanding the business -- the mantra for aspiring CIOs -- is a prerequisite for chief security information officers, too. Security executives will need the written and oral communication skills to translate information risks into imperatives that business management can grasp and act on -- and ultimately own.

Two scenarios for security pros and risk management strategy in 2016

The future laid out by Byrnes assumes that the rate of new threats requiring new technologies for detection or prevention will decline by 2013, leading to an overall reduction in demand for on-site technical security staff by 2016.

"What does that mean? Well, an increase in demand for staff with surface-level knowledge of security technology, but perhaps a decreased need for technical depth, at least for many of the technologies that currently exist," Byrnes said. "The most growth for technology people will be for outsourcers in low-wage locations."

A second scenario for 2016, as described by Gartner analyst John Pescatore, assumes that the information security threats are at least as complex as they are today, if not more so. In this future, internal users pose the biggest risk to the enterprise through their use of hard-to-control technologies, from cloud computing to crowdsourcing, that leave the enterprise vulnerable to attack or manipulation. This in turn will prompt more regulations, keeping security professionals gainfully employed.

But even in this second scenario, the way that information security does its job will change, Pescatore said.

Information security jobs that are fading

So, which IT security jobs will stay and which will fade? According to Pescatore, many staffing positions will indeed be outsourced -- or adapted to reflect the entwinement of IT and business processes. The vulnerability researcher of today will be replaced by Vulnerability as a Service by 2016. The firewall/intrusion prevention expert will be supplanted by a communications search manager, responsible for keeping all the enterprise's communications secure, not just the network. The event monitoring staff will be supplanted by Incident Reporting as a Service. Penetration testing will become business process security testing. Instead of data classification, companies will require usage monitoring of sensitive data. Demand for security architects will peak in 2015, as that role migrates into enterprise architecture teams.

Ben Greenberg, a security engineer at law firm Hogan & Hartson LLP in Washington, D.C., who attended the session, expressed dismay at the direction his profession is taking.

"I am a geek and always will be. I've seen this increasing trend of having to become more of a manager and less of an engineer," Greenberg said.

The hands-on work of the security engineer has given way to researching solutions and telling others what to do, he said. For example, Greenberg and colleague Wesley Hinkle, also a security engineer, recently analyzed intrusion prevention systems for the firm's two dozen offices, an implementation, in fact, that's slated to be outsourced to a managed security provider.

Was there anything he found enticing about becoming a business-savvy manager of risk? "The salary appeals to me; everything else I find repulsive," Greenberg said.
