General skills include:
- The ability to multi-task
- A keen eye for detail
- Strong organizational skills
- The ability to thrive in fast-paced, high-stress situations
- The ability to communicate network security issues to peers and management
Possible education/certifications that a company might require are:
- A B.S. or M.S. in Computer Science or related field, or equivalent experience
- One to three years of industry experience in an information security function
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Ethical Hacker (CEH)
- Certified Information Security Manager (CISM)
- Information Systems Security Architecture Professional (ISSAP)
- Information Systems Security Engineering Professional (ISSEP)
The IT security engineer is also expected to know compliance standards such as ISO 27000, ISO 9001 and FedRAMP.
Industry-specific requirements
Experts say that, as is usually the case in information security, the core skill and qualification requirements apply to all industries. The differences are generally in regard to compliance.
Eric Cissorsky, senior IT security specialist at UBC, says that since he works in healthcare, “my primary concern is HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health) compliance.
“Other industries may be more concerned with requirements such as PCI-DSS (Payment Card Industry-Data Security Standard) for those taking payment over the Internet or FISMA for the government sector,” he says.
Chris Clark, Principal Security Engineer at Synopsys, says the need for different “soft skills” can vary by industry and company culture. “An individual's ability to cope with the stresses and rigors of each industry and the job role within that industry can vary greatly,” he says. “A candidate with excellent technical acumen may not have the soft skills necessary to transition from health care to let's say education or finance and vice versa. If you can show your ability to adapt you are ahead of the game.”
How to attract the best
According to Indeed, the average salary for a security engineer in the U.S. is $103,620. Other sources report a range from as low as $60,000 to more than $200,000 a year.
Money is important to good candidates, but they also want to know the company supports their work. “Without a doubt, the most important thing I look for in an employer is a serious commitment to infosec from the executive level,” Cissorsky says. “Many organizations talk a good game when it comes to infosec, but lack follow through, so I look for policies and processes that show the organization is serious. Beyond that a meaningful commitment to continuing education is very important to me.”
Clark says that while perks such as unlimited vacation days, educational stipends and free lunch are nice, even they will go only so far, “before the real questions need to be addressed: Am I valued? Does the company care about my contribution and well-being? What is next? Can I grow? These are just some of the questions that if a company can address they stand a much better chance of culling and keeping the best and brightest,” he says.