Robert Stroud, international president of ISACA
Just as security tactics have changed, so too has security leadership.
In the past, security was typically IT's domain, "part of something you did in infrastructure or in networking," Jethi says. Today, more companies have a chief security officer (CSO) or a chief information security officer (CISO) who's explicitly responsible for security.
"Increasingly they are no longer part of the CIO organization but they are a separate, independent entity that is responsible for cybersecurity and often reporting directly to the COO or the CEO of the company," Jethi says. "It never got relegated to that level of significance or importance" until the nature of threats changed dramatically "and you started seeing a lot more visible impacts to customers, businesses, and executives."
Benway agrees. Today a majority of ACSC's member organizations which Benway acknowledges tend to be relatively mature in their security development have a CISO, and most have established specific security teams. "I have seen a definite trend toward establishing specific security teams vs. IT being dual-hatted with IT operations and security," he says.
UMass is a good example. "The day-to-day running of the technology is in our IT department," Wilson says. "But looking at the policies, looking at the risks, looking at the threats, looking at incidents or indicators of a compromise -- that's a dedicated security team. That's how we've done it."
Benway also notes a more recent organizational trend: the convergence of what were once separate and independent enterprise risk management and security departments. "That again is a reflection of the recognition that cyber security is a business problem and not just a technology problem," Benway says.
These changes require more manpower at all levels, industry watchers say. On the technical side, system complexity has created a need for security admins. Years of accumulating security products have left companies with dozens of products to support, oftentimes from vendors that have gone out of business or been acquired. Companies need people to maintain those systems and secure the infrastructure, Jethi says.
On the strategic side, "you need people who can do more than configure rules and policies and 'keep the bad guys out.' You need data scientists. You need people with different backgrounds. You need people who can look at large quantities of data and can analyze trends and are good at spotting anomalous behaviors in those data patterns," Jethi says. "That's a very different skill set than somebody who can configure equipment."
If there's a silver lining, it's for qualified job hunters. Their options abound. According to tech careers site Dice, job postings for security professionals are up year-over-year, with cybersecurity up 91% and information security up 48%.
Sign up for CIO Asia eNewsletters.