12/13/2013
05:35 PM
Dark Reading

Ponemon Institute Reveals Results Of First Cybersecurity Salary Benchmarking Survey

Survey reveals higher average salaries than expected

Portland, OR -- December 11, 2013 -- SecureWorld Insight, a partnership with Ponemon Institute and SecureWorld Expo, today revealed the highlights of the "2013 Salary Benchmark Report," kicking off a new series of quarterly cybersecurity research reports. This benchmark is the first to identify compensation for eight categories of information security staff - from CISOs to directors, managers and technicians - and key influencing factors.

The survey reveals higher average salaries than expected, with the top title of Chief Information Security Officer (CISO) earning an average annual base salary equivalent to the compensation of other C-level executives for 50% of the respondents. This trend extends beyond the C-suite to all other levels. However, the report also finds that 43% of cybersecurity professionals rate their position as the most difficult one in the organization.

Surprise findings include the number one factor influencing salary: reporting channel. In fact, those who report to the CEO make a significantly higher salary; however, they are also at risk as the first to be fired. The data also confirms that the number one reason security staff leave an organization is compensation, which leads to the conclusion that an organization's biggest vulnerability may well be its own information security team, due to unfilled jobs and lack of funding.

Companies are heading into budgeting for 2014 facing an unprecedented threat landscape, an extremely competitive environment and a limited pool of skilled cybersecurity talent. In response, the SecureWorld Insight benchmarking report offers insights for IT, security and HR executives into how to hire and retain top cybersecurity talent and build information security teams.

Key findings from the study include:

Compensation varies widely based on the following factors, in order of highest impact:

· Steps from the CEO / Reporting Channel: CISOs reporting to the CEO enjoy a 36% jump in average annual salary, followed by direct lines to the CFO, COO, CIO, CTO. Ironically, few actually report to the CEO and the majority (46%) report to the CIO.

· Industry Sector: The Communications sector leads in average annual salary, followed by Financial Services, Services and 11 other categories; Health & Pharma ranks lowest with Defense close by.

· Organization Headcount: The biggest jumps in technicians' average annual salary occur in organizations with more than 75,000 employees.

· Geo Footprint: Organizations with a global footprint pay more than domestics.

· Gender: In another surprise finding, men make only 5.5% more than women in the top security executive positions.

Certifications matter... but not as much as you think. Professionals with certifications earn only 8.7% more than those without; however, those with advanced degrees demand up to 35% higher salary.

Lack of adequate funding is the biggest barrier to team success. Fifty-six percent of respondents cited lack of adequate funding as their biggest barrier to success, followed by IT complexity (42%) and lack of qualified personnel (41%). In fact, only 8% report having cybersecurity teams of over 20 FTEs, with the majority operating with 6-15 FTEs.

The study also identifies trends related to the CISO position specifically, such as how many organizations have a CISO; how many have a formal reporting structure to the board; what metrics are used to determine the success or failure; and the seven critical career success factors.

The benchmark study was conducted to independently determine the annual salary of CISO-level executives in larger-sized companies (with 1,000 employees or more). A total of 133 companies and CISOs agreed to participate by providing confidential salary and benefits data collected with a survey instrument. In addition to their own data, respondents provided salary data for members of their IT security team.

The "2013 Salary Benchmark Report: Compensation and Role of Security Teams" report includes studies of eight categories of security staff: CISO, Director Level 1, Director Level 2, Manager Level 1, Manager Level 2, Technician, Supervisor, Staff/Admin.

Supporting Quotes

"In past years, organizations have commissioned us to produce salary studies for their own knowledge. We are now making this comprehensive report available to all organizations through SecureWorld Insight," says Dr. Larry Ponemon. "As the market for top quality IT security professions gets more competitive, this information becomes increasingly important to assure proper staff budgets and to avoid vulnerabilities that result from unfilled roles."

"Security teams and HR professionals need salary benchmarking information to retain key staff and make offers to new team members," added Michael O'Gara, president, SecureWorld. "We're excited to have identified this gap and provide this benchmarking to IT professionals nationwide throughout our SecureWorld network."

Resources and Links

· Watch the Preview Video: http://secureworldinsight.com/

· Purchase the Study: http://secureworldinsight.com/products/the-compensation-and-role-of-security-teams

· Interviews Available Upon Request

About SecureWorld Insight

SecureWorld Insight, Powered by Ponemon, is a partnership with Ponemon Institute and SecureWorld Expo, combining SecureWorld's nationwide reach with Ponemon Institute's highly respected research. SecureWorld Insight provides unprecedented, highly targeted, relevant benchmarking to IT professionals across the country and beyond.

Comments
alanteew,
User Rank: Apprentice
12/16/2013 | 1:00:17 PM
re: Ponemon Institute Reveals Results Of First Cybersecurity Salary Benchmarking Survey
Since when is 46% a majority?