IT's Hottest 'Necessary Evil'

While IT security pros may still find themselves defending their roles, they're also in a good spot when it comes to compensation, with the median base salary for staff up a tidy $7,000 this year, according to the new InformationWeek 2012 U.S. IT Salary Survey: Security.
"Certifications definitely still benefit people in terms of salary, even though the skills they are teaching are not directly applicable, and there isn't always a one-to-one correspondence," says a security manager who holds a CISSP. "It's sort of a good indication that someone has the basics down and is motivated to get that cert. ... All else being equal [with job applicants], I'll take the one with the cert."

Loyola's Murphy says certifications are "very, very important" for management-level positions. "It seems that many employers won't even look at your résumé without at least one certification," she says. "I am currently working on my EnCE [EnCase Certified Examiner – Forensics] because we have to have a forensic-certified member on staff." She adds that she also will soon be working on a Global Information Assurance Certification.

Cadence's Ryan, who holds CISSP, CompTIA Security+ and CCSA certifications, says that not only do many jobs require certifications, but that accreditation also garners respect. "Certifications are a key in the security field," he says. "Many jobs actually require certain certifications, and certain certifications give you respect in the industry due to the level of knowledge and commitment required to obtain them."

Security pros are split on whether their career paths and salary advancements are as promising as they were five years ago. Among staffers, 48% say they're not as promising, while 42% say they are and 10% aren't sure. Managers are a bit more optimistic, with 48% saying they're as promising as they were five years ago and 47% saying they're not. About 5% are unsure.

Kevin Fred, a senior information security consultant, says the security field has a more promising outlook than other IT specialties. "The future looks better for security folks than in other aspects of IT," says Fred, who notes that he's expressing his opinion and not that of his employer. He says it's only a matter of time before a big cyber attack hits the United States, which will put information security front and center. "I think that when this happens, there's going to be a massive shift in the realization of the [general public] in what this information security world means," he says.

Which leads us to the one very surprising finding from the survey: Only 13% of the IT security pro respondents say their organizations were hit by a serious data breach or compromise in the past 12 months.

This number does not align with many other studies, which show that a majority of organizations have been hit. So why the discrepancy? It's unclear if the word "serious" narrowed the affirmative answers, but some security pros say organizations may not know they've been hit. "As more companies put in more infosec controls to prevent this--DLP [data leakage prevention] plays a big part here--they will start to see what is really happening that they didn't know before. Then there will be more reportable incidents," says the female corporate security manager.


Survey Name: InformationWeek 2012 U.S. IT Salary Survey: Security

Survey Date: January 2012

Region: United States

Number of Respondents: 725 IT security professionals in 2012, including 418 IT staff and 307 IT managers.

Purpose: To track IT salary and compensation trends from the perspective of those on the front lines, InformationWeek conducts an annual U.S. IT Salary Survey. Now in its 15th year, it's the largest employee-based IT salary survey in the country. Last year, 18,201 full-time IT professionals completed the Web-based survey. This year, 13,880 took part. The goal of this study is to measure various aspects of compensation, benefits, and job satisfaction. This report focuses on the 725 IT security professionals who participated in the survey.

Methodology: The survey was designed by InformationWeek and fielded online. The survey was promoted in InformationWeek's daily and weekly newsletters. In addition, email invitations with an embedded link to the survey were sent to qualified IT professionals from InformationWeek Business Technology Network print, newsletter and events databases. The survey was fielded from November 2011 to January 2012.

The information in this report is based on responses from 725 IT security professionals. Unemployed and part-time workers were excluded from these results, as were respondents from outside the United States. This report uses median rather than mean or average figures for salary and percentage salary changes to eliminate distortions caused by extremes at the high or low ends of the responses.