Dark Reading

Ponemon Institute Reveals Results Of First Cybersecurity Salary Benchmarking Survey

Survey reveals higher average salaries than expected

Portland, OR -- December 11, 2013 -- SecureWorld Insight, a partnership with Ponemon Institute and SecureWorld Expo, today revealed the highlights of the "2013 Salary Benchmark Report," kicking off a new series of quarterly cybersecurity research reports. This benchmark is the first to identify compensation for eight categories of information security staff - from CISOs to directors, managers and technicians - and key influencing factors.

The survey reveals higher average salaries than expected, with the top title of Chief Information Security Officer (CISO) earning an average annual base salary equivalent to the compensation of other C-level executives for 50% of the respondents. And this trend extends beyond the C-suite to all other levels. However, the report also finds that 43% of cybersecurity professionals rate their position as the most difficult one in the organization.

Surprise findings include the number one factor influencing salary: reporting channel. In fact, those who report to the CEO make a significantly higher salary; however, they are also at risk as the first to be fired. The data also confirms that the number one reason security staff leave an organization is compensation – and leads to the resulting conclusion that an organization's biggest vulnerability may well be its own information security team, due to unfilled jobs and lack of funding.

Companies are heading into budgeting for 2014 facing an unprecedented threat landscape, an extremely competitive environment and a limited pool of skilled cybersecurity talent. In response, the SecureWorld Insight benchmarking report offers insights for IT, security and HR executives into how to hire and retain top cybersecurity talent and build information security teams.

Key findings from the study include:

Compensation varies widely based on the following factors, in order of highest impact:

· Steps from the CEO / Reporting Channel: CISOs reporting to the CEO enjoy a 36% jump in average annual salary, followed by direct lines to the CFO, COO, CIO, CTO. Ironically, few actually report to the CEO and the majority (46%) report to the CIO.

· Industry Sector: The Communications sector leads in average annual salary, followed by Financial Services, Services and 11 other categories; Health & Pharma ranks lowest with Defense close by.

· Organization Headcount: The biggest jumps in technicians' average annual salary occur in organizations with more than 75,000 employees.

· Geo Footprint: Organizations with a global footprint pay more than domestic ones.

· Gender: In another surprise finding, men make only 5.5% more than women in the top security executive positions.

Certifications matter... but not as much as you think. Professionals with certifications earn only 8.7% more than those without; however, those with advanced degrees demand up to 35% higher salary.

Lack of adequate funding is the biggest barrier to team success. Fifty-six percent of respondents cited lack of adequate funding as their biggest barrier to success, followed by IT complexity (42%) and lack of qualified personnel (41%). In fact, only 8% report having cybersecurity teams of over 20 FTEs, with the majority operating with 6-15 FTEs.

The study also identifies trends related to the CISO position specifically, such as how many organizations have a CISO; how many have a formal reporting structure to the board; what metrics are used to determine the success or failure; and the seven critical career success factors.

The benchmark study was conducted to independently determine the annual salary of CISO-level executives in larger-sized companies (with 1,000 employees or more). A total of 133 companies and CISOs agreed to participate by providing confidential salary and benefits data collected with a survey instrument. In addition to their own data, respondents provided salary data for members of their IT security team.

The "2013 Salary Benchmark Report: Compensation and Role of Security Teams" includes studies of eight categories of security staff: CISO, Director Level 1, Director Level 2, Manager Level 1, Manager Level 2, Technician, Supervisor, Staff/Admin.

Supporting Quotes

"In past years, organizations have commissioned us to produce salary studies for their own knowledge. We are now making this comprehensive report available to all organizations through SecureWorld Insight," says Dr. Larry Ponemon. "As the market for top quality IT security professionals gets more competitive, this information becomes increasingly important to assure proper staff budgets and to avoid vulnerabilities that result from unfilled roles."

"Security teams and HR professionals need salary benchmarking information to retain key staff and make offers to new team members," added Michael O'Gara, president, SecureWorld. "We're excited to have identified this gap and provide this benchmarking to IT professionals nationwide throughout our SecureWorld network."

Resources and Links

· Watch the Preview Video:

· Purchase the Study:

· Interviews Available Upon Request

About SecureWorld Insight

SecureWorld Insight, Powered by Ponemon, is a partnership with Ponemon Institute and SecureWorld Expo, combining SecureWorld's nationwide reach with Ponemon Institute's highly respected research. SecureWorld Insight provides unprecedented, highly targeted, relevant benchmarking to IT professionals across the country and beyond.

12/16/2013 | 1:00:17 PM
re: Ponemon Institute Reveals Results Of First Cybersecurity Salary Benchmarking Survey
Since when is 46% a majority?