The good news for qualified information security professionals at the C-suite level is that it is pretty difficult to be unemployed.
Earlier this year, the Bureau of Labor Statistics (BLS) reported that unemployment in that sector had "spiked" to 3 percent in the fourth quarter of 2012, although the rate for the entire year was all of 0.9 percent. In general, 4 percent is considered full employment.
While the BLS says those numbers aren't entirely reliable, since the sample size is too small, the comparison with a national unemployment rate of 7.3 percent is still dramatic. Infosec management is a seller's market; those who are qualified don't have to look too hard for work.
What is good for the individual is not good for the industry, however. The downside is that it is tough for enterprises to hire qualified IT security professionals. Stroz Friedberg, an intelligence and risk management consulting firm, recently predicted that the supply of chief information security officers (CISOs) will not meet the demand in 2014.
Ed Stroz, cofounder and executive chairman of the firm, said that prediction doesn't come from a statistical survey but from 14 years of consulting for "a diverse set of clients. The need for a CISO is often on the agenda."
The shortage extends below the C suite as well. Marc Noble, director of Government Affairs for (ISC)², chairman of the Cybersecurity Credentials Collaborative (C3) and former CISO at the Federal Communications Commission (FCC), told BankInfoSecurity earlier this year that in the past his program had been hampered for almost a year "due to the inability to find quality candidates to fill information security positions."
In an interview, Noble said he believes the shortage is due in part to the rapid evolution of the threat landscape. "It takes time to identify and understand new technologies, the vulnerabilities they present, and how best to adapt security controls to meet evolving threats. Implementing those controls adds an additional layer of complexity," he said.
Meeting that demand requires people who are "highly adaptable in learning and applying new skills, technologies, and procedures in order to manage a dynamic range of risks. As it stands, IT organizations simply can't keep up. The attackers are always 10 steps ahead of us," he said.
Stroz said that, besides being able to handle that dynamic range of risk, good CISOs have to be much more than technicians. They need to be experts in the mission and operation of a business in general, including marketing, finance and the legal environment. Most organizations, he said, "want somebody who is effective in the role but also understands the company and industry. And often they come up with a description for a person that is very rare or doesn't exist."