Cybersecurity salaries continue to rise as organizations grapple with an increasing shortage of cyber talent. Given the current climate, job-hopping might seem like a way to earn more money in the short term.
However, developing the necessary skills that are in demand and showing how security adds value to your organization is a surer way of improving your salary in the long run, industry experts say.
“Certainly as an industry as a whole [security] salaries are going up,” says Philip Casesa, director of product development and portfolio management with (ISC)², a non-profit organization that provides education and certification for security professionals.
Consider these statistics: The average median chief information security officer (CISO) salary is $204,000, according to SilverBull, an IT and cybersecurity recruiting firm. The average annual salary among the security professionals surveyed in The 2015 (ISC)2 Global Information Security Workforce Study is $97,778 -- a 3% increase from when the survey was conducted in 2013.
Meanwhile, cybersecurity job postings tend to advertise a 9% salary premium over IT jobs overall, according to Burning Glass Technologies’ report, Job Market Intelligence: Cybersecurity Jobs, 2015. The average cybersecurity professional earns $83,934, compared with $77,475 for IT positions.
“If you are in information security and you are not getting raises, it might be time to look at organizations around you that are looking for your skill set. You should easily make salary jumps there,” Casesa says.
But changing jobs every year is not something infosec folks should be aspiring to do as professionals, although it is common, especially given the many job vacancies popping up. “You could job-hop all the time as a quick way to make more money. But organizations will soon realize that there is no loyalty and that will end part of your career,” Casesa warns.
“I don’t recommend necessarily jumping places to make a quick buck. I recommend you plot out your career to figure out what you want to do and really become the best you can at that, especially if those skills are hot,” Casesa says.
Among the skills in hot demand are threat intelligence and security operations center (SOC) work, security software and security infrastructure development, cloud expertise, cybersecurity/IT auditing, and big data analysis, security experts say.
Casesa offers several ways cybersecurity professionals can increase their salaries:
Get certified: “I think certification in and of itself is an indicator of an employee’s willingness to apply disciplines and practices to lean in on a job as well as show dedication to the industry and their job skills,” he says.
That doesn’t mean that security pros who don’t have certifications are less skilled. There are many people who advance their careers, make a lot of money, and have deep technical skills, but don’t need or have a certification to define them. But for the most part, in order to stand out in a market where it is hard to make a name for yourself, certification is one way to do that, he says.
Cybersecurity jobs are highly certificated, according to Burning Glass data: More than one in three (35%) of all cybersecurity positions calls for at least one of the major certifications such as Certified Information Security Professional, Certified Information Systems Auditor, Certified Information Security Manager, Systems Security Certified Practitioner, and GIAC Security Essentials.
Only 23% of overall advertised IT jobs request an industry certification.
Develop deep expertise in skills most in demand: Being a generalist won’t win you the highest salary in the long term unless you are going to try to become a CISO. Those are tough jobs to get. Even then, a lot of CISOs come from a deep background in one area or another – they are not typically generalists over their entire career, Casesa says.
“If you can develop really deep talent in an area of need in information security, you can actually develop a reputation” giving speeches, writing, or by participating in different types of security events. “That way your reputation transcends your employment situation. So if you wanted to make a change, you would have enough opportunities available to you,” Casesa says.
Even if you are not aspiring to be a security celebrity, developing communication skills and the ability to influence others will be important in the long run if you want to make those high-level salaries, he says.
Meanwhile, security salaries overall are not as high as you’d think.
Pete Lindstrom, research director of security products at IDC, says “the vast majority” aren’t as “exorbitant” as you would expect. At the top, CISOs of large security organizations are paid well, and a security professional with distinct skills, such as hacking, gets paid well in consulting firms and technology companies.
But if you are a typical jack-of-all-trades security organizer/risk assessment/auditing professional, “you shouldn’t get your hopes up” for the big bucks, says Lindstrom, who co-authored an IDC study last year, IDC Security Survey: As the Jobs Churn.
The IDC study, conducted in conjunction with Tech Exec Networks Inc., surveyed 155 CISOs and other senior information security executives from major national and global companies headquartered in the US about their organizations' security personnel — staffing numbers, salaries, open positions, and important skills.
Security pros with up to five years of experience make anywhere from $56,000 to $87,000; $79,000 to $114,000 for professionals with six to 10 years of experience; and those with 11 to 15 years of experience, $97,000 to $141,000, according to IDC's report.
At the highest end were security pros with 21+ years of experience, at $119,000 to $186,000.
IDC found that it is not hard for organizations to fill entry-level positions, where expectations are basic and it takes about three months to fill a position, Lindstrom says. The shortage is at the higher levels, in roles requiring more than 10 years of experience, where expectations are much higher than for entry-level positions.
Salary trends for the most part align based on the size of the security organization and size of the company -- and sometimes the level of risk in a specific industry, he notes.
“What I’m worried about is you can typically make a lot more money as a consultant than in enterprises,” Lindstrom says. “So we are feeding the consulting economy and increasing costs because the regular enterprises have a harder time keeping security folks happy and engaged.”
Professionals who want to stay in enterprises and make more money have to develop skills that are in demand, which are generally hacking, developer, or technical skills, or move to a more risk-averse industry, he says.
Demand for cybersecurity professionals is on the rise in the finance, healthcare, and retail sectors, according to Burning Glass Technologies’ data.
The US Cyber Challenge is trying to increase the pool of cyber talent so salaries will harmonize across the board, says Karen Evans, national director of the nationwide talent search and skills development program, which is focused specifically on increasing the cyber workforce.
The federal government and industry are competing for the same finite set of resources as agencies and companies face the same adversaries, Evans says.
Through partnerships with academia, government, and industry, the US Cyber Challenge offers cyber competitions, camps, and other programs to attract students and professionals to the cybersecurity field.
“I’m trying to create the supply so [organizations] can figure out what staffing [they] need. A lot of agencies and companies think they need these high-end people,” Evans says. “You don’t [necessarily] need to have the high-end salaried people.”
For instance, application developers who can develop more secure applications reduce the need for high-end professionals, she says, because this would be a way for organizations to be more proactive about their security.
An organization could increase salaries of application developers who demonstrate they have developed secure code, for example. “If you have a finite set of dollars, maybe you pay more for people who are developing applications that have less vulnerabilities,” Evans says.