"What's the unemployment rate for a good cybersecurity person? Zero," Weatherford said, adding that government agencies and the private sector were stealing the best people from each other. "We are all familiar with the fratricide going on."
The InformationWeek 2013 U.S. IT Salary Survey of 682 IT security professionals confirms that the market for security pros is booming, so much so that the gender gap has nearly closed when it comes to pay. But interviews with respondents suggest that the scarcity of security professionals has resulted in a frenetic pace that has left some feeling dissatisfied and, ironically, less secure in their jobs than last year. In addition, companies' decisions to outsource some of their security functions have left U.S. college graduates with fewer paths to pick up IT security and move into higher-paid positions.
Salaries split in 2013, with the median staff salary declining $2,000 to $95,000 this year. Management salaries continued to rise, topping $120,000 in 2013, up $5,000 from the previous year. The trend in total compensation reflects the same split as salaries: Total compensation for staff declined in 2013 to a median of $98,000, down $5,000, while management saw a $2,000 increase, to $129,000.
Compared with the general market for IT professionals, however, security salaries and compensation are much stronger. Salaries for both information technology staff and management increased $2,000 in 2013, to $87,000 and $110,000, respectively -- much lower than either category of IT professional.
"It's rocking right now," says Preston George, a senior cybersecurity analyst with a federal agency. "There are so many opportunities out there, I can't count them."
Satisfaction rates continue to be high as well. Sixty-three percent of IT security staffers are satisfied or very satisfied with all aspects of their jobs, while nearly two-thirds of IT security managers are similarly content. George, for example, loves working for his federal agency but will likely leave soon -- the competitive pay and benefits offered by the private sector make it hard for the government to compete. Like 68% of staff and 73% of managers, higher compensation is the top reason for leaving.
But satisfaction comes not just from money and perks. Increasingly, organizations are looking at IT security as not just a necessary evil. More than 80% of respondents say security is considered crucial by upper management or within certain areas of the business. Compliance is considered the top priority in 31% of organizations and one of the most important priorities in an additional 52%.
Respondents also say that companies have started recognizing the need to create and maintain better digital defenses.
"The interesting part I'm seeing is that people are interested in more than just compliance -- they are interested in actual security," says Jens C. Laundrup, principal consultant with consultancy Emagined Security. "They are realizing that if their security is bad, and if they get breached, they will be killing their reputation and killing their name."
Yet with companies' greater recognition of the need for security professionals comes a downside: In 2013, security practitioners showed a slight drop in how secure they feel in their jobs. While other IT disciplines continue to feel as secure in their positions as in 2012, IT security staff saw a seven-point drop, to 43%, in the number that feel very secure. Overall, 89% of IT security staffers feel at least somewhat secure in their jobs, down from 92% in 2012, and 92% of IT security managers feel secure, down slightly from 93% in 2012.
None of the IT security practitioners interviewed was worried. "Everyone I know in the security industry -- myself included -- are secure in their jobs," says Ivor Coons, a security channel sales engineer who asked that his company not be named. "I don't know where that trend comes from."
IT security is a stressful occupation, and that could be contributing to the feeling of insecurity, says Coons.
Another perspective: It's the complexity and reliance on IT security making workers worry, says Barbara Bartley, executive director of IT operations and information security for Baptist Health. Bartley points out that while there's a great deal of demand for workers in security, the expectations can be very high, and that leads to stress and uncertainty. The ever-changing nature of technology -- especially security technology -- leads workers to always feel under pressure.
"It's gone from just taking care of the integrity of your devices in-house to now it's the cloud, it's mobile devices, watching for breaches and the high-tech rules -- these have changed so much, and the expectations are so great that any one of us feels that [we are] more vulnerable," Bartley says. "So you don't feel secure. With this economy nowadays, I don't know if anyone feels secure in their job."
Some of the insecurity may also come from uncertainty about government funding and the sequester. Many of the industries, including defense contractors and healthcare, that have made strides in securing their systems have done so because the government accounts for a large part of their business, says a security team leader at a Midwest healthcare insurer who asked not to be identified.
"When the government talks about making cuts to Medicare, as a government contractor that means they are talking about making cuts to us," he says.
Not Just A Man's World
Demand for knowledgeable IT security workers has helped close the earnings gap between men and women. While there continues to be roughly a $10,000 difference in salaries between the genders in the IT market in general, male and female IT security workers are making almost identical salaries, with no difference between men and women in management positions. Male security staffers still make $2,000 more than the average female IT security pro.
Bartley says she's treated on par with her male counterparts, perhaps because healthcare has become a more egalitarian workplace. A decade ago, when administrators and information technology staff tended to be pulled from the business side of healthcare, men often got preferential treatment. Now, however, many administrators rise up through the nursing ranks -- a field dominated by women, Bartley says. The chief operating officer at Baptist Health is a woman, as are the hospital administrator and the previous administrator.
As a result, women have equal responsibilities and, in most cases, pay.
"It has been very equitable and been based on experience, education, and on outcomes, and not by gender," she says. "If you would have asked me that question 10 years ago, there would have been a defined difference."
Lisa Ackerman, managing director of information assurance at Tresys Technology, an information security consultancy, agrees that, in the security field at least, the gap between men and women is narrowing.
"For a long time, I was the only woman everywhere I went, and now I'm starting to see a lot more women everywhere I go," Ackerman says. "More opportunities are available as a whole across security in terms of the types of degrees that are offered and the types of jobs that are available, and women are more interested in the opportunities."
Certification continued to be a major asset for IT security workers, with staff members holding certifications making $12,000 more in base salary than their noncertified co-workers' median salary of $84,000. Managers with certifications also received a hefty premium of $10,000 more than the $110,000 median salary for noncertified managers.
Workers with certifications also have an edge when looking for new jobs. While companies value training, with 56% of staff and 66% of management attending employer-paid training, companies paid for certification opportunities only about half as often -- perhaps for that very reason.
"I don't think certification is about job-proofing in terms of making your job more secure; it's getting the job," says Terry Koenn, a security architect. "Certification from the employees' side is getting the next job. Certification from the employers' side -- they look at it as the employee leaving."
Perhaps the biggest certification that people need for many security positions is a college degree. Coons, the channel sales engineer, does not have a degree, having dropped out of a prestigious university to work, but he is a rare bird at his company. "We do not hire people without a college degree," he says. "It is a huge barrier."
It's a barrier that many are looking to lower. Looking to quickly train enough IT security professionals to meet demand, the U.S. Department of Homeland Security's Task Force on CyberSkills aims to use junior and community colleges in combination with 2,000 hours of on-the-job training to bring would-be workers to the level necessary to defend a network from attack.
At the RSA Conference, DHS's Weatherford stressed that the hurdle of a college degree needs to be lowered. "We have to get over the fact that you do not need a college degree to be in our business," he said. "Probably the five smartest people I know in our business did not go to college."
It's the will to learn that companies should look for in their candidates, says Fred Drum, IT risk management team leader at P&G Associates, a provider of risk management services. While certifications are needed to "get past the HR filters," hiring professionals who continue to educate themselves is important. After all, attackers don't care about that piece of paper. "They don't have college degrees, and they are not in school or still in school, but they are taking down our networks," Drum says.
In particular, the small and midsize business market needs to focus on training. Companies with less than $10 million in revenue tend to pay their staff about $5,000 less than the median base salary, with managers making $5,000 to $10,000 less than the median salary. Because IT security workers in those companies tend to focus on security for a brief time and then move on, training and integrating the process into the business is key, says Daniel Moore, a principal with Secure Networks.
It's important "for security of the Internet but especially for small businesses," Moore says. "Most small businesses think that the right security solutions are out of reach, or they make a snap decision when they are breached."
While outsourcing results in fewer jobs for IT security professionals and lower employee morale -- about half of staff and managers make both assertions -- companies that outsource their day-to-day security may also incur greater expenses, says Emagined's Laundrup. When an incident happens and they have to call in a consultant or outside tech, the costs quickly accumulate. Instead, companies should keep core expertise in-house and use outside consultants to help with a surge in business, or a large incident, and with the special projects that may benefit from an outside viewpoint.
"Extra projects are more fun," Laundrup says. "And I can understand that, but it is not as logical."
Cloud, however, where day-to-day service costs are operationalized, is a good option for companies that may not be able to develop the talent in house to deal with day-to-day security, he said.
Perhaps worse for the IT security market as a whole, outsourcing is removing some of the U.S. workforce's core competency in IT security, says Coons. By outsourcing many of the basic IT security jobs to managed security providers that have global operations, U.S. companies are destroying a lot of the fertile breeding ground for security training, he says. Rather than have people that learn basic security practices on the job, companies expect them to come trained. Nearly two-fifths of staff and management indicate that outsourcing leads to fewer opportunities for advancement.
"We want them to come out from where ever they are graduating from, full trained in security," he says.
The 2013 Salary Survey: Security report -- including key data and graphics -- is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.