Information Security

In the light of the events taking place in Ukraine, I would like to write about the political situation in the country, my conclusions and views on what is happening, but a professional blog is not the best place to do so. For this reason, let’s leave political views for personal communication and consider such an area as information security.

Not so long ago, I noticed several articles on how important security is for companies and how the market lacks specialists in information security and information protection. Here is one such article.

As a specialist in this field, I wondered whether that is really so. In my subjective opinion, this has little to do with reality. And the reality is that the statistics on the number of applicants per vacancy and the level of wages for information security specialists in Ukraine in the first quarter of 2013 are not at all pleasing.
Reference to the report.

As you can see, information security is one of the lowest-paid specializations in IT. I would even say that this information is not merely unpleasing but depressing. I am glad that IT outsourcing is one of the few industries that is still alive in Ukraine. It would be very sad to go to work at a school, for example, as a geography teacher by vocation, and earn 200 dollars.

So why is there a situation where, on the one hand, there is a lot of noise about hacking, the need to protect company resources and the lack of specialists, and on the other hand, relatively low wages and only isolated vacancies?

The specialty “Information Security” or “Information Protection” is offered in Ukraine by a small number of technical universities. Until recently, there were fewer than 10 of them in the whole of Ukraine. Even if each department trains several groups per year, and not forgetting the part-time students, that is about 500 people per year. Not so many for a country with a population of 45 million.

A personal example: when I graduated from KPI in 2010 with a master’s degree in Information Security in Computer Systems and Networks, the full-time program had about 15 people. Not many at all.

Speaking of qualifications, here is the bachelor’s curriculum in the field of information security. I have not found some disciplines in it, but it nevertheless gives an idea of what a student of this specialty studies for the first 4 years. And master’s students study for 6 years.

Most of the disciplines in the curriculum are the same ones taught to future programmers at the Faculty of Applied Mathematics and especially at the Faculty of Informatics and Computer Science at KPI. So I have not noticed any critical difference in the programs or their complexity.

Now let’s see how many applicants apply for one vacancy. According to the portal, among information security specialists this figure is 15. It is higher only for the CIO/CTO position: 21. For programmers, this figure reaches 1.

I understand that the sample may not reflect reality 100%, but it nevertheless shows that the difference is an order of magnitude.

Now let’s compare the salary of an information security specialist and a programmer.

In Kiev, the salary of a novice information security specialist starts at 300 dollars (state office) and goes up to 700 dollars. For programmers, salaries start at no less than 700 dollars.

An experienced information security specialist gets 1000-1500 dollars. A skilled programmer gets 2-2.5 times more.

The head of information security gets 1.5 – 3 thousand dollars and almost never more. The salary of a team leader of programmers starts at 2,500 dollars and can reach 5 or even 7 thousand dollars. Not so long ago, friends were even looking for a rank-and-file programmer with very specific knowledge for 7,000 dollars.

Those for whom money is not the last item on their list of motivations should think about which profession to study for… But keep in mind that the market is overheated, and it is difficult to say whether it will keep growing like this for another 5 years while you study. But we are not talking about programmers here, but about information security specialists.

The demand for specialists and their salaries are dictated by the interest of companies in these specialists. And the state of the companies reflects the state of their market segment.

Obviously, the largest security departments are found in banks, insurance companies, holdings and audit companies. But these companies in Ukraine are now, to put it mildly, not in a favorable position. A reasonable question may arise, though: why weren’t the salaries of security specialists huge before 2008, when the banks were riding high?

The second reason is the service orientation of security units. They simply do not earn money for the company, but spend it. And no owner has much sympathy for those who spend money.

In this case, in order to show their usefulness, security personnel need to either frighten top management with scary stories (that is, our risks), or inflate security incidents, or rely on the requirements of regulators, international standards and the standards of parent companies that are mandatory for implementation.

But all this does not make the security department a profit-making unit, and essentially does not change the attitude of management (unless it is inherently paranoid).

And the absence of strict information security requirements and standards, the insignificant value of information and, as a consequence, the pointlessness of protecting it, personal agreements between directors and other market participants, and the absence, for the majority of companies, of any really important commercial secrets that give them a competitive advantage (except for black accounting) allow companies either to hand information security functions over to IT, or to hire a single security specialist and put all the duties on that person.

An additional “joy” for information security employees is being subordinated to the company’s physical security or IT department.

The first option is depressing, because most physical security personnel come from the security forces and are very unfamiliar with information technology in principle, let alone able to understand its architecture and apply its capabilities.

And the most effective method, for them, is “thermo-rectal cryptanalysis” and other methods of psycho-physical influence. Although it should be noted that among them there are very strong psychologists and negotiators, especially former employees of “Alpha” and “GRU”. Their level of training is the highest. But, nevertheless, such specialists are extremely rarely at the forefront of information technology.

The second option is to report to the IT director. Here everything is a little easier on the one hand and more complicated on the other. These people are well acquainted with information technology and have knowledge of information security. But their main task is to make sure that the systems work, not that they are secure.

And when choosing between security and implementation speed, priority will most likely be given to implementation speed at the expense of security. The point of intersection can be fault tolerance, which is also an interest of the IT department, but not as a matter of confidentiality.

There are also examples of security being subordinated to audit, the card business, etc. But in general, in more than 70% of companies, information security does not report directly to the head of the board or the director. This in turn raises a lot of additional questions (if not spokes in the wheels) for information security employees.

Even when information security reports directly to the head of the company, and he or she expresses support for security tasks in every possible way, in reality management will first of all look after the company’s business processes, and only after that support security.

I believe that this is the right approach (no money in the company means no company, and then security will not be needed). But it is necessary to keep in mind that information security will be second-tier in importance, and most likely even lower.

To this should be added the need for information security staff to deal with tasks that may contradict the principles of some people. This includes analysis of employees’ actions, collection of information, preparation of memos, conducting investigations, etc.

If you look at career prospects, here too everything is bright only up to a certain level. After being head of information security you can become:

  • The head of all security in the company.
  • Advisor to the CEO.

If you work hard, you can head up the IT department.
Keep in mind that physical security officers have priority for the post of head of all security. However, economic security is usually singled out separately.

And there are usually enough applicants for the post of IT director, with more specialized knowledge.

To this it must be added that after the age of 40, information security specialists are in less and less demand, since one has to keep constant track of changing technologies.

In other CIS countries the situation is approximately similar, only Moscow provides a higher level of salary.

What to do in this situation?

One option is to study this specialty in Ukraine (preferably in a state-funded place, while that possibility exists), obtain international certifications and leave to work in the USA, Australia or Great Britain.

There are a lot of questions about the work visa and the job search, but the salary level is also quite different: an average of about $100,000 per year. This is good pay even relative to the standard of living in these countries.

The second option is to become a strong application-level technician and work remotely, also for Western customers.

In addition, bright minds with a good education in the field and a technical bent are beginning to be in demand among international companies in Ukraine. For example, Samsung has moved a lot of security-related work to its Ukrainian office. But Samsung’s pay, as you know, is not too different from the average Ukrainian pay in the region.

The third option is to study purposefully and go over to the dark side of the force. The shadow market of hacking is constantly growing, there are a lot of e-currencies, and many banks are going online. But it is necessary to understand that as the market grows, so does the liability for crimes of this type.