"The market has started demanding IT security professionals to have the business acumen to understand business-prioritized risks, correlate what seems to be isolated concerns into identifiable patterns and trends, and have the ability to communicate risk in the holistic manner," Yang says.
The security skill set most in demand is the security analyst, who conducts the integration and testing, operation and maintenance of systems security, says Hord Tipton, executive director of the International Information Systems Security Certification Consortium Inc., (ISC)², a global, not-for-profit organization that provides education and certification for information security professionals.
"In addition, a security analyst possesses significant, higher-order skills and has a deep understanding of all business systems, knowing what information an organization cannot afford to lose," Tipton says. "They are proficient in cyber threat analysis and in identifying and assessing the capabilities and activities of cyber criminals or foreign intelligence entities."
They may also analyze threat information from multiple sources and disciplines, Tipton says, synthesizing it and placing it into context while drawing insights about the possible implications.
As organizations move more traditional back-end applications to the Web, the demand has grown for individuals with application security skills, says Jay McLaughlin, CSO of Q2, a provider of software for the financial services industry.
"These individuals have strong security and development knowledge and can bridge the growing gaps in the [systems development lifecycle] process," McLaughlin says. "From a CSO perspective, most are concerned about improved intelligence — specifically around potential threats and incident detection."
With more and more companies in the news publicly disclosing breaches, "the odds of a company facing this reality — well, let's just say the fear is real," McLaughlin says. "Organizations need security professionals who can help them get ahead of these threats."
Security architects and investigators
Security architects define how security strategies, solutions and practices need to evolve to keep up with both the changing threat landscape as well as the changing business environment, with the adoption of bring-your-own-device/mobility, cloud, big data, and other emerging areas, says Sujata Ramamoorthy, director of Global Information Security at Cisco Systems.
"Understanding threats and risks in this complex environment that spans multiple products, providers and users and then determining solutions to appropriately manage the risks with investment protection is very challenging," Ramamoorthy says.
Security investigators are also becoming critical for companies looking to detect and respond to attacks in a timely fashion, Ramamoorthy says. "Attacks can come from multiple directions both inside and outside the enterprise, and it takes skilled engineers to design comprehensive detection mechanisms and analysts/investigators to comb through all the sources of information to find the needle in the haystack," he says.
Point-of-sale security is a hot area for employment, Shields says. "The need for these skills is being driven by the transition of cyber criminals from traditional PC attacks to mobile and point-of-sale system attacks," he says.