The continued growth of virtualization, cloud infrastructures and mobile computing will drive the demand for IT security talent in 2012. The challenges in these operating schemes should create opportunities in just about every area of IT security: application security, security architects, security analysts, security engineers and network security. Within these broad areas, our staffing and consulting company is seeing demand for professionals experienced in secure hosting, application-level firewalls, VPN protection, network intrusion detection, access management, security appliances, content scanning and penetration testing.
In fact, the more broad your experience, the better your prospects for securing a good position and advancing in the field. Rather than looking for a professional to fill just one of these roles, customers want to hire IT security people capable of wearing two or three different hats. And while the skills I’ve listed are certainly part of getting the security job done today, clients needing new security talent don’t simply ask us to “find me someone with ‘xyz’ skill set.” Instead, they’re increasingly looking for solution-oriented professionals who understand the role and importance of information security in meeting the company’s strategic objectives. As well, they’re looking for personalities: people capable of communicating effectively in client facing situations – with both internal and external customers, depending who the IT organization is set up to serve.
Virtualization, the cloud and mobility create opportunities for IT security professionals because the technologies themselves present their own complex sets of security issues.
Malware is a particular problem in virtualization. As described in the National Institute of Standards and Technology (NIST) “Guide to Security for Full Virtualization Technologies,” security in a virtualized infrastructure depends on the security of the individual components, such as the hypervisor, host operating system, guest systems, applications and storage. But, available management tools don’t provide complete visibility into the operations of virtualized systems. For example, there’s no way to monitor traffic between virtual servers on the same physical host. This makes traditional intrusion detection methods ineffective on virtual servers. And it means that malware can spread from one virtual server to another by exploiting the ease with which information can be shared among servers.
Another security challenge arises from the highly dynamic nature of virtualized environments. A major benefit of virtualization, after all, is the ability to create or duplicate entire servers, allocate resources almost instantly, and to move data among multiple virtual servers, as in clustering or failover solutions. But that means undetected malware and viruses also can be replicated, and then exploit the comparatively weak or difficult-to-maintain boundaries between servers.
Further, virtual firewalls, segregation of data on separate physical servers to avoid compromise, and virus protection – especially against today’s virtual-aware malware – are just a few of the security approaches being applied in virtualized infrastructures. Because every major OS can be virtualized, the need for security provides opportunities for IT talent who can work across multiple platforms and in multiple environments.
In cloud computing, the top security challenge this year will be access management, as businesses try to make applications and services more secure – even as they make them more available. IDC predicts that as many as 80 percent of all new commercial apps will be deployed from cloud platforms in 2012. Forrester Research, meanwhile, says that by the end of this year, the average cloud customer will be using more than 10 different cloud apps.
Organizations we work with are taking a variety of approaches to access management. Some are emphasizing multifactor strong authentication solutions that combine something you know (typically username and password) with something you have (a physical item, such as a card or token). Others are interested in public key infrastructure (PKI) approaches, which bring with them the need for simple and effective key management strategies. Critical in all of this is making security and authentication as easy and non-disruptive for the user as possible. So people who can approach the development and implementation of security solutions with the user experience in mind will be highly valued.
Of course, the big story in IT, and the widest security frontier, is mobility. Annual sales of smartphones and tablets now outnumber PCs. Laptops, quickly becoming irrelevant, are giving way to tablets as the preferred information access tool for mobile workers. And if the enterprise won’t issue the device, then employees will use their own. Bring your own device (BYOD) is just one facet of the growing consumerization of IT – but a big contributor to growing security concerns.
An enterprise-issued device can be locked down, secured with device-level encryption, or remotely wiped when lost or if a log-in attempt fails a certain number of times. It also can be subject to policies that tell employees the organization will be monitoring all data communication on the device. Those options may not be as readily available on employees’ own devices, so approaches similar to cloud security – especially strong authentication for access to corporate email and data – might be called for.
More important than tactical skills in any particular security technology, enterprises need professionals with the strategic insight and ability to develop overall mobile device management policies and solutions. The talent called for here is the ability to assess genuine data security risks while understanding the enterprise’s need to support an increasingly mobile workforce.
Beyond the purely security focus, there are some tremendous solutions opportunities in mobility. In banking, in particular, whoever can be first to build a comprehensive financial app for a tablet – by which I mean iPad – is going to be a big winner. An executive dashboard into real-time business intelligence could also be highly marketable.
The future of IT is clearly in mobility. IDC is calling 2012 the “year of mobile ascendancy,” with 85 billion mobile apps expected to be downloaded, and spending on mobile devices generating more revenue than the mainframe market. That’s why I strongly recommend computer science or IT students to study or specialize in mobile technology, where demand for talent currently outstrips supply.
Organizations today are seeking to increase capacity utilization and to reduce operating costs through virtualization, open access to applications, and services to both employees and outside partners by moving resources to the cloud. As well, enterprises must support a workforce on the move by delivering information through mobile solutions. In 2012, they’re counting on IT professionals to help them be nimble, flexible and secure in the face of changing markets.