Careers & People
4/11/2016
03:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

How To Raise Your Salary In Cybersecurity

The hot skills most in demand today for jobs: threat intelligence, security software development, cloud, auditing, and big data analysis.

Cybersecurity salaries continue to rise as organizations grapple with an increasing shortage of cyber talent. Given the current climate, job-hopping might seem like a way to earn more money in the short term.

However, developing the necessary skills that are in demand and showing how security adds value to your organization is a surer way of improving your salary in the long run, industry experts say. 

“Certainly as an industry as a whole [security] salaries are going up,” says Philip Casesa, director of product development and portfolio management with (ISC)², a non-profit organization that provides education and certification for security professionals.

Consider these statistics: The average median chief information security officer (CISO) salary is $204,000, according to SilverBull, an IT and cybersecurity recruiting firm. The average annual salary among the security professionals surveyed inThe 2015 (ISC)2 Global Information Security Workforce Studyis $97,778 -- a 3% increase from when the survey was conducted in 2013.   

Meanwhile, cybersecurity job postings tend to advertise a 9% salary premium over IT jobs overall, according to Burning Glass Technologies’ report, Job Market Intelligence: Cybersecurity Jobs, 2015. The average cybersecurity professional earns $83,934, compared with $77,475 for IT positions.

“If you are in information security and you are not getting raises, it might be time to look at organizations around you that are looking for your skill set. You should easily make salary jumps there,” Casesa says.

But changing jobs every year is not something infosec folks should be aspiring to do as professionals, although it is common, especially given the many job vacancies popping up. “You could job-hop all the time as a quick way to make more money. But organizations will soon realize that there is no loyalty and that will end part of your career,” Casesa warns.

“I don’t recommend necessarily jumping places to make a quick buck.  I recommend you plot out your career to figure out what you want to do and really become the best you can at that, especially if those skills are hot,” Casesa says.

Some hot skills in demand include threat intelligence/security operation center professionals, security software and security infrastructure developers, cloud specialists, cybersecurity/IT auditors, and big data analysis, security experts say.

Casesa offers several ways cybersecurity professionals can increase their salaries:

 

Get certified: “I think certification in an of its self is an indicator of an employee’s willingness to apply disciplines and practices to lean in on a job as well as show dedication to the industry and their job skills,” he says.

That doesn’t mean that security pros who don’t have certifications are less skilled. There are many people who advance their careers, make a lot of money, and have deep technical skills, but don’t need or have a certification to define them. But for the most part, in order to stand out in a market where it is hard to make a name for yourself, certification is one way to do that, he says.

Cybersecurity jobs are highly certificated, according to Burning Glass data: More than one in three (35%) of all cybersecurity positions calls for at least one of the major certifications such as Certified Information Security Professional, Certified Information Systems Auditor, Certified Information Security Manager, Systems Security Certified Practitioner, and GIAC Security Essentials.  


Only 23% of overall advertised IT jobs request an industry certification.


Develop deep expertise in skills most in demand: Being a generalist won’t win you the highest salary in the long term unless you are going to try to become a CISO. Those are tough jobs to get. Even then, a lot of CISOs come from a deep background in one area or another – they are not typically generalists over their entire career, Casesa says.

“If you can develop really deep talent in an area of need in information security, you can actually develop a reputation” giving speeches, writing, or by participating in different types of security events. “That way your reputation transcends your employment situation. So if you wanted to make a change, you would have enough opportunities available to you,” Casesa says.

Even if you are not aspiring to be a security celebrity, developing communication skills and the ability to influence others will be important in the long run if you want to make those high-level salaries, he says.

 

Meanwhile, security salaries overall are not as high as you’d think.

Pete Lindstrom, research director of security products at IDC says “the vast majority” aren’t as “exorbitant” as you would expect. At the top, CISOs of large security organizations are paid well, and a security professional with distinct skills, such as hacking, get paid well in consulting firms and technology companies.

But if you are a typical jack-of-all trades, security organizer/risk assessment/auditing professional, “you shouldn’t get your hopes up” for the big bucks, says Lindstrom, who co-authored an IDC study last year, IDC Security Survey: As the Jobs Churn. 

The IDC study, conducted in conjunction with Tech Exec Networks Inc., surveyed 155 CISOs and other senior information security executives from major national and global companies headquartered in the US about their organizations' security personnel — staffing numbers, salaries, open positions, and important skills.

Security pros with up to five years of experience make anywhere from $56,000 to $87,000; $79,000 to to $114,000 for professionals with six to 10 years of experience; and those with 11- to 15 years of experience, $97,000 to $141,000, according to IDC's report. 

At the highest end were security pros with 21+ years of experience, at $119,000 to $186,000.

IDC found that it is not hard for organizations to fill entry-level positions, where expectations are basic and it takes about three months to fill a position, Lindstrom says. The shortage is at the higher levels after with requirements of more than 10 years of experience, where expectations are much higher than for entry-level positions.

Salary trends for the most part align based on the size of the security organization and size of the company -- and sometimes the level of risk in a specific industry, he notes.

“What I’m worried about is you can typically make a lot more money as a consultant than in enterprises,” Lindstrom says. “So we are feeding the consulting economy and increasing costs because the regular enterprises have a harder time keeping security folks happy and engaged.”

Professionals who want to stay in enterprises and make more money have to develop skills that are in demand, which are generally hacking, developer, or technical skills, or move to a more risk-averse industry, he says.  

Demand for cybersecurity professionals is on the rise in the finance, healthcare, and retail sectors, according to Burning Glass Technologies’ data.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Harmonizing Salaries

The US Cyber Challenge is trying to increase the pool of cyber talent so salaries will harmonize across the board, says Karen Evans, national director of the nationwide talent search and skills development program, which is focused specifically on increasing the cyber workforce.

The federal government and industry are competing for the same finite set of resources as agencies and companies face the same adversaries, Evans says.

Through partnerships with academia, government, and industry, the US Cyber Challenge offers cyber competitions and camps and other programs to attract students and professionals for the cybersecurity field.

“I’m trying to create the supply so [organizations] can figure out what staffing [they] need. A lot of agencies and companies think they need these high-end people,” Evans says. “You don’t [necessarily] need to have the high-end salaried people.” 

For instance, application developers who can develop more secure applications reduce the need for high-end professionals, she says, because this would be a way for organizations to be more proactive about their security.

An organization could increase salaries of application developers who demonstrate they have developed secure code, for example. “If you have a finite set of dollars, maybe you pay more for people who are developing applications that have less vulnerabilities,” Evans says.

Related Content:

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.