Help wanted: Agencies expect to hire more info security pros in 2010

ISC(2) survey finds agencies expect stable or increased IT security budgets

The federal government is a good place for information security professionals during the current economic downturn, with relatively stable budgets, rising wages and growing employment opportunities, according to a recent survey by ISC(2) (the International Information Systems Security Certification Consortium).

Nearly 75 percent of government respondents received salary increases in 2009. More than half expect no change in information technology budgets this year, nearly 20 percent expect budgets to increase, and about 60 percent expect to hire new security employees this year.

“The results from our latest career impact survey show that in a very difficult economic environment, organizations are placing an even higher value on the work that information security professionals do,” said W. Hord Tipton, the consortium’s executive director.

ISC(2) conducted a survey of 2,980 professionals worldwide in December and January, and extracted data on 688 U.S. government respondents.

One third of the government respondents worked in organizations with total security budgets of $5 million or more. Forty-four percent said security budgets remained stable last year compared with 2008, while another 40 percent said they had decreased. For this year, 52 percent expect IT security budgets to remain stable and about 28 percent expect to see a decrease. About 20 percent expect an increase.

About half the respondents said that the economic downturn has not posed increased security risks to their organizations, with the remainder being split between seeing increased risk and not being sure.

Of 175 respondents who said they had hiring responsibilities, 58 percent said they expected to hire information security staff in the coming year. Most of them expect to hire just one or two people, although 14 percent expected to hire 10 people or more.

ISC(2) government affairs director Marc H. Noble said the nature of the hires is being determined by the current regulatory environment, which requires certification and testing of IT systems. Sixty-one percent of those who said they are hiring new staff said they are looking for certification and accreditation expertise, while 43 percent said they are looking for recruits who are well-versed in information risk management.

“The use of continuous monitoring and risk management to replace the C&A process is likely in the future, but the results of this survey show that the future isn’t here yet,” Noble said.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader comments

Thu, Mar 25, 2010

Here again GCN fails to understand anything about C&A. C&A is the instantiation of the risk management framework when done as prescribed.... READ NIST and understand what it is. It is not a fill out the paper form and call it good although many agencies treat it as such. Read 800-37 you'll notice the final phase of the C&A IS CONTINUOUS MONITORING. This isn't new... why anybody thinks this is something that hasn't been prescribed before is astonishing. Here's the issue.. if you haven't been able to get agencies to do this in the past... what makes you think they will move to do it now? SANS saying you should do it? OMB needs to stop relying on the private industry to supply a tool for a solution and understand the real issue. CUT FUNDING for insecure systems that cannot PROVE disciplined SDLC and operational assurance.
