For this reason, Melk believes CIOs should begin to build security capabilities among their existing staff rather than solely seeking external candidates to fill these needs. "We've got to do more than simply increase salaries or benefits," he says. "Businesses need to find ways to fill the gap by nurturing internal talent."
In fact, DICE is working to identify skill commonalities between an array of IT and security positions, and is then developing a skills map that can help professionals create a plan for filling the gaps. "The good news is there are a lot of related jobs where folks in various roles could move into a security role," Melk says. "When you look at typical skills for various titles like assistant security engineer, security auditor, IT security project manager, all these skills are consistent with the baseline requirements of roles like network security or intrusion detection," he says.
What stands in the way is a lack of understanding about the exact skills required to move to a particular position, and the quickest way to get there. "We're trying to make the journey as short and as inexpensive as possible," he says. "While going back and getting a degree is a clear path, it's not the only option."
Don't assume you need to go back to school
Indeed, while the bar for entry into a security position may be difficult to overcome, never before have so many learning resources existed, says Combs, whether through free online classes, certifications or participation in a security community. From SANS, to ISACA, to the Information Systems Security Association (ISSA), to ISC2, to the Open Web Application Security Project (OWASP) and beyond, there are many highly active security organizations that offer both training and a community of people who can share ideas.
Getting involved with OWASP, Bellanger says, "is the best vector for getting hired and receiving the best advice for certifications."
Martin-Vegue advises starting by taking a free online class on security fundamentals through a provider like Coursera or EdX, and then determining which sub-field would make the most sense to pursue. "Once you get a good baseline down, find stuff that interests you and gets you excited about information security and begin to specialize," he says.
Melk agrees that online courses are a great option to grow skills, especially when employers don't offer training. "You can take courses on your own without going back and getting a bachelor's or masters in cyber security."
Once you have a sense of which direction you want to head in, certifications are a good choice, as they continue to be highly regarded in the security field, Martin-Vegue says. "People say they don't prove anything about real-world skills, but the truth is, hiring managers do look for them," he says. "Even if you think they're pointless, if you want to get a job, you have to have your certifications."
In particular, the CISSP certification offered by ISC2 has essentially become table stakes for higher-level positions, while CRISC from ISACA is essential for risk management, he says. In other cases, such as reaching higher than an entry-level job working with firewalls, it would be a good idea to get a vendor certification from Cisco or Juniper.
Meanwhile, in software development, becoming an SSDLC certified practitioner will prove your chops in application security, Bellanger says.
Know what you're getting into
There is a downside to the security profession, however, in the form of stress and burn-out. "At security conferences in the U.S., a major topic is depression, and it's starting to be talked about in the field," Martin-Vegue says. "If you feel you can't deal with the work stress and burn-out, [pursuing a security career] might not be the best idea."
The reason for this phenomenon, observers say, is the attitude of many companies toward the security function. That is, if a breach occurs, it's assumed that someone in security didn't do their job. In the case of a highly public breach, "it's very disruptive, both for customers and the people who work there," Martin-Vegue says. "People get fired, the stock price takes a hit, you lose public trust. If you're the guy behind the keyboard, assessing security controls for the year leading up to that, it's really serious."
In addition to always being on the hot seat, the security function is often perceived as being separate from the business, Bellanger says. The business doesn't always appreciate the delays caused by placing security controls around an initiative, and yet, if something goes wrong, security is blamed. "It can be a very lonely, siloed position," he says.
This situation is bound to change over the long term, he says, as security becomes a full part of the business development cycle. "When security is fully embedded and in sync with the business, you'll have a lot less stress on the security team," he says. "The business needs to realize it's going to get hacked at some point. Right now, there's a lack of understanding that pushes it to find someone to blame."
Still, Combs says, "a security career requires you to have strong chops in various areas." With continuously changing technology, evolving threats, new regulations and the constant fight for security budget, "you never reach that point where your work is done." In the ISC2 survey, even though more than three-quarters of respondents said they are satisfied with their current position, the industry experienced a staff turnover rate of almost 20 percent last year, the highest rate of churn ISC2 has ever recorded.
Follow your passion, not the money
So while the demand -- and the dollars -- may be an attraction to the security field, it shouldn't be the only driver. On the positive side, the security profession is a great place to be part of a community, Bellanger says, especially compared with the software development world. "Security practitioners are an amazing, close-knit community that works well together," he says.
In some ways, you'll know if security is for you if you're the kind of person who has the desire to understand how things work, or how to break -- and then -- fix them, Combs says. "There are a disproportionate number of artists, musicians, creative people and asymmetrical thinkers who've come into the field," he says. "It really comes down to personal desire and an interest in understanding what's underneath the surface and not accepting things at face value."
Brandel is a freelance writer. She can be reached at marybrandel@verizon.net.
This story, "So, you want to be a security pro? Read this first" was originally published by Network World.