Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly

IT Security Salaries Stay Flat Despite Wave Of Attacks

InformationWeek salary survey finds median base salary during the past 12 months mostly stayed the same or dipped slightly for security pros -- but they still make more than their IT counterparts

No organization wants to become the next HBGary Federal, RSA, or Heartland Payment Systems: These and other high-profile data breaches have served as harsh wake-up calls for enterprises and also have raised the posture of the IT security department. But that hasn't translated into higher pay for the security pros tasked with protecting their organizations from these deadly attacks.

Nearly 80 percent of the respondents in the new 2011 InformationWeek Analytics U.S. IT Salary Survey say their organization has suffered a major data breach or security compromise in the past 12 months, while 10 percent don't know whether they have. But organizations for the most part aren't ponying up more money for their security pros: The median base salary for IT security professionals during the past 12 months remained mostly flat or dipped slightly -- a sign that even the relatively insulated IT security market is still feeling the pinch of the slowed economy.

Security staffers’ median annual base salary was $90,000 this year, the same as reported in 2010. Security managers’ pay dropped slightly, from $112,000 in 2010 to $110,000 in 2011, after increasing from $105,000 in 2009.

Median total cash compensation -- base salaries plus any bonuses or other cash payments -- rose slightly for IT security staff, from $95,000 in 2010 to $97,000 this year. Cash compensation remained flat for management in 2011, at $122,000, after a jump from $114,000 in 2009.

Meanwhile, about seven in 10 security professionals anticipate bonuses for 2011. Half of the managers and 44 percent of the staffers responding to the survey say they get bonuses based on company performance. Nearly one-third of managers and close to 20 percent of staffers say bonuses are awarded based on their divisions' performance.

That said, security pros make more money than their general IT counterparts, according to the survey, with IT staffers' annual median base salary at $83,000 and IT managers' at $105,000. This demonstrates the value placed on security skills as the economy slowly begins to show signs of life.

Security professionals' relatively higher pay can also be attributed to the premium placed on hot security specialties, such as Web application and mobile security; security and information event management (SIEM); forensics; and incident response, says Lee Kushner, president of IT security recruiting firm LJ Kushner and Associates. "The more specific the job, the more rare the skill, the higher premium the salary," Kushner says.

While business is picking up in many organizations, security pros still aren’t seeing much trickle-down: “While I am grateful to have gainful employment, I think that having lost two years of movement in my personal economy has been a negative experience,” says a security professional at a technology firm.

If security pros aren’t happy with their current pay pace, they are pragmatic about the reasons: "The slow economy tightened everyone's belts," says Reed Wilson, chief information security officer (CISO) for NuSkin Enterprises. "Of course, everyone wants a 20 percent raise, but it would not be justified [in this economy]."

Wilson, like many other security pros, has tried to focus on job security and stability in the downturn. "Stability is huge for me," he says. "This [economy] has refocused my strategies toward long-term stability and constant growth. ... My company is doing very well, so my feeling of job security has grown with it."

Job Hunting
About 57 percent of security managers and staffers say they aren’t looking for new jobs. About 30 percent of managers and staffers say they are “somewhat” on the search, while 14 percent of managers and 10 percent of staffers are actively looking to jump ship.

One of the reasons for seeking a new position at a new organization is a big jump in pay. Fair or not, new positions can be more lucrative. Kushner says that with the economy picking up, companies are paying handsomely for open security positions. “Now that companies are waking up to the fact that they are short on security talent, that has created a bit of an inflationary-type scenario where compensation might remain flat for a position in your current company, but the external market value for talent is better,” he says.

With security earning a higher profile in the enterprise, the need for security pros -- especially managers such as CISOs -- to understand the business side of the house is more crucial than ever.

“Business skills or, perhaps more accurately, business-process awareness is critical for any security person who is serious about being a CISO/CSO. It’s critical for anyone who works in security and wants to make real changes to their company or to the industry in general,” says Stephen Maiorca, senior systems security architect at Visual Concepts.

The value of security certifications might be a hotly debated topic, but security pros who hold certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Information Systems Manager (CISM), make more money, according to the survey.

Gender Gap
Of the security professionals who responded to this survey, 701 were male and only 105 were female. As one male Web security analyst who participated in the survey puts it, the security industry remains a “bastion of good old boys.” Women make slightly less than their male counterparts, with an annual base salary of $87,000 for staff-level jobs. Men at the same level earn $90,000. But, unlike men, whose salaries remained flat, women saw a slight salary increase (of $5,000) from 2010.

On the management side, women have narrowed the gap a bit more, from $104,000 in 2010 to $108,000 in the past 12 months. Male managers make $110,000, down from $114,000 in 2010.

"Women's salaries are definitely lower in my company and in the industry. Additionally, one of the reasons I have a job is because I am a woman whose salary is lower than a man’s salary," says a female security professional at a government agency.

A full copy of the 2011 InformationWeek Analytics U.S. IT Salary Survey: Security, is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.