What's new, what's next, how you can develop skills that will make your employer much happier, and maybe move up in the local company food chain, with better ability to survive the next two years.

As the markets continue to decline, unemployment continues to go up, and money gets tighter, it is time once again to take your career into your own hands and work on getting your skills in line with high-demand, high-paying skills.

Much of this data is based on what is happening in the local job market (Seattle), along with some sanity checking against the job market in Boston, San Antonio, Silicon Valley and other hotbeds of entrepreneurship or a focus on established companies and startups. Two years ago I wrote a similar article on the Top 10 Information Security Skills that employers are looking for. Happily, many of these skills are still in demand, but there have been some major changes to the original list, and here they are.

1. Web 2.0 Architecture Information Security - as companies diversify into Web 2.0 technologies, delivering audio and video components, along with the idea of allowing customers to post comments, make suggestions, and otherwise interact with the company at internet speeds, we are going to see an increase in SQL injection attacks, spam, malware-linked spam, porn, and other things that just do not look good on the company's web site. Being able to understand how Web 2.0 works (and moving into Web 3.0 now is also not a bad idea), how Java, ASP.NET, Flash/Flex, Ruby on Rails (RoR), and other programs work together, and what the common flaws are is gold already, and there should be much more demand for understanding the architecture of Web 2.0 and how all things interrelate.

2. Code Walking - being able to understand the problems with code on any platform, and in any language (although the recommendation here is to focus on PHP, Java, and C# for general company positions, and RoR (Ruby On Rails), Ruby, PHP, and other less commonly used languages for startups) will also be a great way to improve your information security skills over the next few years. As more things become web-centric, understanding the way that code behaves, how the glue behaves, and what the common programmer mistakes are will help out not just you, but your company and information security in general.

3. Cloud Computing - this is a big one, and would be number one if the components of cloud computing were not numbers 1 and 2. Monitoring, legal compliance, management, and all the other skills that need to be in place to work in, monitor, and maintain a highly distributed computing environment are just as important as number 1 and number 2, but keeping on top of the components in cloud computing is part of the process. When you don't own the hardware or operating system, how do you keep compliance structures in place, and how well can you monitor what is happening at the application level?

4. Cyber Warfare/Cyber Crime - even though this is an election year, becoming skilled in forensics, attack, defense, active defense, and a host of other skills that fall under cyber warfare and crime will be a very good way to go. It is highly unlikely that criminals and terrorists are going to go off the internet willingly, if at all. Learning how to protect government resources, critical infrastructure resources, and corporate resources in an increasingly dangerous internet environment will also be a good way to keep going. Better yet, tie these skills in with a certificate like the CISSP (which is becoming mandated to work on government IA projects) and you might just land that cushy government job.

5. Mobile/Planted Devices - what are the new malware attacks against mobile devices, and how do you secure them when they interact with the planted physical devices in your data center? Boundaries, planning, architecture, and an understanding of Bluetooth, wireless, mobile phone systems, data convergence, and application support are all going to be more important as we take our computers mobile, and how well we all work with each other at the end of the day is increasingly important.

6. Education - believe it or not, education is becoming one of those top 10 skills. Information security has become so complex that a process of "lifelong learning" has to be in place to keep pace with how things are moving in the industry. It is no longer viable to just sit back on your bachelor's/master's/certificate and think that the world has stopped because you reached a milestone in your career. Information security is something you have to stay on top of, or get turned into digital road kill.

7. Risk Management Skills - in 2006 this was 9th on the list, and it has moved up (and is the only one from the 2006 list to make the cut to this list). Risk management is becoming more important given all the changes in how things are done within the company and on the internet. A person who can succinctly work out the risks and rewards for the company and explain them so that everyone understands wins the game.

8. Business and Technical Skills - if you get the business and you have some very good technical skills, then this is another game-winning skill. Being able to talk to a business person and a system administrator at the same time will seriously help your career, as well as win you favor if you can remain impartial in whatever argument is happening corporate side this week.

9. Copyright and Fair Use - if you can understand the changes that are happening in copyright and fair use in a Web 2.0 world, and can advise, understand the risks, and work out policies/procedures to help the company, then this is one of the skills to have. Copyright has been arcane in how it has been applied over the last few years, with degradations in fair use, time shifting, and general use of web sites. If you can work in this field as a technical representative (what can and cannot be done on the technology side, programming side, or management side) to help keep the company from running into some serious copyright/intellectual property issues, this is another must-have skill.

10. Understanding and being able to work within the "Security Mirage" - sometimes it takes a signature to get someone to understand the seriousness of their decisions if they abandon all common sense. Information security is far from perfect, and how we do things in the industry is far from perfect. From lying sales weasels, to intercompany politics, to some downright bad decisions made at all levels, including in the information security department, learning to manage expectations, reality, and capability will go a long way to helping you out in the future. Reject FUD, reject the "chicken little syndrome", do your best to work from facts, and where the facts are fuzzy, state it like that. Your reputation relies on how well you can communicate just the facts and help managers make better decisions than they are making now. And if it comes down to being ravaged as the bad person by the management who made the very bad decision, make sure that there is an escape route.

Overall, as the market changes, the technology changes, and the approaches to information security change over time, keeping up to date is important. There is nothing worse than having outdated skills, because that seriously limits your ability to find work elsewhere, or at all if you get the dreaded pink slip.


Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.

