Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

4/14/2011
10:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IT Security Salaries Stay Flat Despite Wave Of Attacks

InformationWeek salary survey finds median base salary during the past 12 months mostly stayed the same or dipped slightly for security pros -- but they still make more than their IT counterparts

No organization wants to become the next HBGary Federal, RSA, or Heartland Payment Systems: These and other high-profile data breaches have served as harsh wake-up calls for enterprises and also have raised the posture of the IT security department. But that hasn't translated into higher pay for the security pros tasked with protecting their organizations from these deadly attacks.

Nearly 80 percent of the respondents in the new 2011 InformationWeek Analytics U.S. IT Salary Survey say their organization has suffered a major data breach or security compromise in the past 12 months, while 10 percent don't know whether they have. But organizations for the most part aren't ponying up more money for their security pros: The median base salary for IT security professionals during the past 12 months remained mostly flat or dipped slightly -- a sign that even the relatively insulated IT security market is still feeling the pinch of the slowed economy.

Security staffers’ median annual base salary was $90,000 this year, the same as reported in 2010. Security managers’ pay dropped slightly, from $112,000 in 2010 to $110,000 in 2011, after increasing from $105,000 in 2009.

Median total cash compensation -- base salaries plus any bonuses or other cash payments -- rose slightly for IT security staff, from $95,000 in 2010 to $97,000 this year. Cash compensation remained flat for management in 2011, at $122,000, after a jump from $114,000 in 2009.

Meanwhile, about seven in 10 security professionals anticipate bonuses for 2011. Half of the managers and 44 percent of the staffers responding to the survey say they get bonuses based on company performance. Nearly one-third of managers and close to 20 percent of staffers say bonuses are awarded based on their divisions' performance.

That said, security pros make more money than their general IT counterparts, according to the survey, with IT staffers' annual median base salary at $83,000 and IT managers' at $105,000. This demonstrates the value placed on security skills as the economy slowly begins to show signs of life.

Security professionals' relatively higher pay can also be attributed to the premium placed on hot security specialties, such as Web application and mobile security; security and information event management (SIEM); forensics; and incident response, says Lee Kushner, president of IT security recruiting firm LJ Kushner and Associates. "The more specific the job, the more rare the skill, the higher premium the salary," Kushner says.

While business is picking up in many organizations, security pros still aren’t seeing much trickle-down: “While I am grateful to have gainful employment, I think that having lost two years of movement in my personal economy has been a negative experience,” says a security professional at a technology firm.

If security pros aren’t happy with their current pay pace, they are pragmatic about the reasons: "The slow economy tightened everyone's belts," says Reed Wilson, chief information security officer (CISO) for NuSkin Enterprises. "Of course, everyone wants a 20 percent raise, but it would not be justified [in this economy]."

Wilson, like many other security pros, has tried to focus on job security and stability in the downturn. "Stability is huge for me," he says. "This [economy] has refocused my strategies toward long-term stability and constant growth. ... My company is doing very well, so my feeling of job security has grown with it."

Job Hunting
About 57 percent of security managers and staffers say they aren’t looking for new jobs. About 30 percent of managers and staffers say they are “somewhat” on the search, while 14 percent of managers and 10 percent of staffers are actively looking to jump ship.

One of the reasons for seeking a new position at a new organization is a big jump in pay. Fair or not, new positions can be more lucrative. Kushner says that with the economy picking up, companies are paying handsomely for open security positions. “Now that companies are waking up to the fact that they are short on security talent, that has created a bit of an inflationary-type scenario where compensation might remain flat for a position in your current company, but the external market value for talent is better,” he says.

With security earning a higher profile in the enterprise, the need for security pros -- especially managers such as CISOs -- to understand the business side of the house is more crucial than ever.

“Business skills or, perhaps more accurately, business-process awareness is critical for any security person who is serious about being a CISO/CSO. It’s critical for anyone who works in security and wants to make real changes to their company or to the industry in general,” says Stephen Maiorca, senior systems security architect at Visual Concepts.

The value of security certifications might be a hotly debated topic, but security pros who hold certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Information Systems Manager (CISM), make more money, according to the survey.

Gender Gap
Of the security professionals who responded to this survey, 701 were male and only 105 were female. As one male Web security analyst who participated in the survey puts it, the security industry remains a “bastion of good old boys.” Women make slightly less than their male counterparts, with an annual base salary of $87,000 for staff-level jobs. Men at the same level earn $90,000. But, unlike men, whose salaries remained flat, women saw a slight salary increase (of $5,000) from 2010.

On the management side, women have narrowed the gap a bit more, from $104,000 in 2010 to $108,000 in the past 12 months. Male managers make $110,000, down from $114,000 in 2010.

"Women's salaries are definitely lower in my company and in the industry. Additionally, one of the reasons I have a job is because I am a woman whose salary is lower than a man’s salary," says a female security professional at a government agency.

A full copy of the 2011 InformationWeek Analytics U.S. IT Salary Survey: Security, is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25137
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via the alert_name or alert_message parameter to the /a...
CVE-2020-25138
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via /alert_check/action=delete_alert_checker/alert_test...
CVE-2020-25139
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur via la_id to the /syslog_rules URI for delete_syslog_ru...
CVE-2020-25140
PUBLISHED: 2020-09-25
An issue was discovered in Observium Professional, Enterprise & Community 20.8.10631. It is vulnerable to Cross-Site Scripting (XSS) due to the fact that it is possible to inject and store malicious JavaScript code within it. This can occur in pages/contacts.inc.php.
CVE-2020-4531
PUBLISHED: 2020-09-25
IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business Process Manager 8.0, 8.5, and 8.6 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the sy...