The other big negative is that security is hardly an organizational favorite, so those in the field need to be prepared to deal with the occasional irate user who doesn't like being denied access to a particular website or being required to follow a bunch of protocols. "We're kind of like the IRS of the organization -- no one really likes us," Pospisil says. "It's one of those necessary evils: People recognize [security's] value, but you're generally not their favorite person."
The right mix of skills
Those realities mean a certain mix of experience, skills and personality traits are required to succeed in security. Being a self-starter and active learner is critical, Pospisil says. Also key are good communication skills and hands-on security experience.
In addition, technical certifications can be a bigger deal in security than they are in other IT-related fields -- a trend confirmed by Foote Partners, an IT staffing research and advisory firm. The Feb. 27, 2015, edition of Foote's IT Skills Demand and Pay Trends Report shows strong growth in the market values of 69 information security and cybersecurity certifications in 2014, with average gains of 3.7% in value in the last three months of the year.
The security certifications most in demand among IT professionals were those related to auditing, hacking and forensics. Beginner security certifications, like the CompTIA Security+ accreditation, also enjoyed an uptick in popularity -- a possible indication that more people are focusing on infosec as a career choice, says David Foote, chief analyst and co-founder of Foote Partners.
Computerworld's 2015 IT Salary Survey yielded a similar finding: Training programs involving security skills were the No. 1 pick among IT professionals pursuing certifications.
While certifications and hands-on experience are important, people skills and knowledge of the business can really make a security professional stand out, says John Becker, chief governance officer at Phenix Energy Group, where he oversees computer security, compliance and governance.
"This isn't just about certifications and security -- you need IT security people who can talk about the risks," he explains. "It's a much more complex and multifaceted role than other IT work." It also doesn't hurt if someone is intrinsically paranoid: "We want people who really don't believe anything they hear," Becker adds.
If you're up to the challenge, there are a number of steps you can take to open doors to a job in security. Making a commitment to continuous learning -- reading, participating in webinars, staying up to date on industry trends and studying recent data breaches -- is a must. It would also be a good idea to pursue any number of basic and specialized security certifications.
Sign up for CIO Asia eNewsletters.