• Think long term
The greatest need in the foreseeable future is in the realm of software and application security, according to observers. "The greatest problem we face is related to insecure code and poor software development processes," says Jeff Combs, vice president of talent management at ISE Talent, an executive search and recruitment firm dedicated to information security professionals. "People have been developing software for 50 years or longer, but we've only been paying attention to issues related to software security in the last 10 years." For younger IT professionals considering a future in security, software engineering and coding are where the majority of opportunities - and challenges - will exist, he says.
Even now, the gap in supply vs. demand is wide, says Bellanger, especially as there is little training available in this domain, and talented developers might be more likely to flock to the likes of Google or the next Facebook rather than a job in security. "We get asked all the time, 'Do you have any good application security people you can send our way?'" he says.
Two types of people are needed in this area, he says: program managers and actual practitioners. Businesses would be best off if they hired a program manager internally and then used that role to bring others onto the security team to help train and guide them.
From application security, IT professionals can grow into many other areas, like architecture security or learning more about the cloud, Bellanger points out, while other choices - like network or hardware security - might be more limiting. "If I had to make a choice today and was 18 years old, I'd go into application security or be part of a DevOps security team," he says.
• Don't undervalue your current skills
According to Martin-Vegue, if you're a systems, network or database administrator, "you really are 75% there for certain types of information security sub-fields," such as ethical hacking, penetration testing and information assurance positions. Professionals with these backgrounds understand things like how systems work and how users access them, he says, "so it's not a leap to go from setting up users, to checking compliance with standards and frameworks. It would be easy to segue if you already have that baseline."
In fact, Combs says having this type of background can be a real strength. "To be good in security, it's important to have a strong foundation in systems administration, network engineering or software engineering," he says. "Although there are many aspects that aren't technical, understanding how things work at the ground level or under the hood is what gives people the credibility and knowledge to build upon to be successful over the long run."