Security Pros Feel Underpaid, But In Some Cases Would Take A Pay Cut

New survey shows value IT security professionals place on job security, training, quality of life

While most security professionals say their expertise entitles them to make more money than their counterparts in IT, nearly half would accept a lower salary if it was necessary to keep their job or if they were offered additional training, according to a new survey that will be released tomorrow.

The survey, conducted by Information Security Leaders, which polled 460 security professionals between March and April, found that nearly half of these security pros feel they should get "a bit more" compensation than an IT pro at the same experience level, and another one-third say they are entitled to "a lot more" money.

But more than 60 percent feel they're either slightly or significantly underpaid for their jobs. More than 35 percent say they are paid fairly, less than 5 percent say they are slightly overpaid, and 3 percent say they are "significantly" overpaid.

While money is an obvious factor, it isn't the only key to job satisfaction: Forty-nine percent say they would accept less pay if it meant keeping their jobs. Some perks were worth lower pay, as well: Forty-seven percent say they'd take less money for additional training and education; 38 percent, for shorter hours; 37 percent, for working from home more frequently; 36 percent, for more vacation; and 19 percent, for better health benefits.

"Money is important. But people in our industry value other things highly," says Information Security Leaders' Mike Murray, who is also co-founder of MAD Security. "One of the big results [in the survey] is that they value training. Training was a [close] second only to 'if I had to make less money I would only to keep my job.'"

Lee Kushner, also of Information Security Leaders, says employers are missing the boat if they aren't offering security pros more career flexibility and options, such as training and education and working from home or more manageable hours. "Companies are generally short-staffed in security. Security pros are asking, 'Let me make the most use of my time,'" says Kushner, who is president of LJ Kushner and Associates, an executive search firm specializing in the information security field. "Employers could get the best of both worlds" if they offer these perks, he says.

Close to 70 percent say money has never been the sole factor in their job moves. More than 90 percent of the respondents say money is a factor in their job searches, but only 8 percent say it's the main driver.

Meanwhile, the survey shows that salaries appear to be dipping, Murray and Kushner say. Five percent fewer security pros make more than $120,000 a year than those surveyed in 2008/2009 by the Information Security Leaders, while 5 percent more make less than $100,000 than in the previous survey. The number of security pros who fall into the category of middle-range salaries has stayed about the same, however, they found.

More than 7 percent of the respondents experienced a pay cut this year, while one-third say their salaries remained flat with no increases. Close to 44 percent earned a pay increase of less than 5 percent, while 15 percent of the security pros in the survey were awarded raises of more than 6 percent.

More than half got less of a raise than they expected the last time they got one, and about 10 percent were pleasantly surprised with their pay increase. "Fifty percent got less than they expected -- they thought they were getting more," Kushner notes. "For every one security professional who was enthused about a raise, five were disappointed."

Murray says that data set was especially surprising. "Everyone knows there's a downturn and that the economy is slow. But still, the [fact that] that many people got less than they expected ... someone is not setting expectations very well," he says. "It suggests the communication is not there" between upper management and security pros, he says.

Bonuses were also a big disappointment this past year: While close to half of the respondents say their compensation includes a bonus, about 40 percent got less than 10 percent of their bonus in the past year and 20 percent got 10 to 15 percent of it. Around 35 percent got less of a bonus than they expected, while 20 percent got more.

Only 6.4 percent consider their bonus as part of the expected overall compensation they receive. "This shows that people don't trust their employers," Kushner says. "The expectations about money show that [security pros] are still counting on their employers to do it for them. And they are still at their mercy, not taking control of their own careers."

Kushner and Murray will address career issues, such as how to negotiate a salary or compensation, at Black Hat USA in Las Vegas next week. They'll be presenting back-to-back panels on Thurs., July 29, called "Things You Wanted To Know But Were Afraid To Ask About Managing Your Information Security Career" and "Your Career = Your Business." In the second session, they will offer strategies for getting a raise.

One of the first steps to figuring out how much you're worth, Kushner says, is to estimate the value of your skills to the organization. "Start thinking, 'If I want to earn more money, what do I do to deserve that money?'" he says. For example, are your skills becoming antiquated, and what skills are important to your organization?

"You have to be able to make logical arguments about what you're worth to your employer without holding a gun to their head. Too many people make it adversarial. It should be congenial," he says. Rather than saying you have another offer, take a preemptive approach, he says.

"'I like working here. I like being part of this team. Everything about my job is excellent. The only issue is finances, what I'm being paid,'" is one approach to asking for a raise, he says. Explain how your mortgage has gone up or how other life changes have caused your financial picture to change.

Be honest, he says: "'In order to keep the status quo, I have to earn more money. I would rather do that here than go somewhere else ... is that possible in this organization?'" is one way to approach the difficult discussion of money. Try working with your boss on a solution for this, he says, rather than threatening to leave.

And for career growth, security pros should assess how they are -- or are not -- marketing and selling themselves. "What new skills am I adding to my portfolio to make Me 2.0 for next year's 'product release?'" Murray says.

Meantime, Kushner and Murray's new survey results will be available here tomorrow.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights