Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly

IT Security Salaries Stay Flat Despite Wave Of Attacks

InformationWeek salary survey finds median base salary during the past 12 months mostly stayed the same or dipped slightly for security pros -- but they still make more than their IT counterparts

No organization wants to become the next HBGary Federal, RSA, or Heartland Payment Systems: These and other high-profile data breaches have served as harsh wake-up calls for enterprises and also have raised the posture of the IT security department. But that hasn't translated into higher pay for the security pros tasked with protecting their organizations from these deadly attacks.

Nearly 80 percent of the respondents in the new 2011 InformationWeek Analytics U.S. IT Salary Survey say their organization has suffered a major data breach or security compromise in the past 12 months, while 10 percent don't know whether they have. But organizations for the most part aren't ponying up more money for their security pros: The median base salary for IT security professionals during the past 12 months remained mostly flat or dipped slightly -- a sign that even the relatively insulated IT security market is still feeling the pinch of the slowed economy.

Security staffers’ median annual base salary was $90,000 this year, the same as reported in 2010. Security managers’ pay dropped slightly, from $112,000 in 2010 to $110,000 in 2011, after increasing from $105,000 in 2009.

Median total cash compensation -- base salaries plus any bonuses or other cash payments -- rose slightly for IT security staff, from $95,000 in 2010 to $97,000 this year. Cash compensation remained flat for management in 2011, at $122,000, after a jump from $114,000 in 2009.

Meanwhile, about seven in 10 security professionals anticipate bonuses for 2011. Half of the managers and 44 percent of the staffers responding to the survey say they get bonuses based on company performance. Nearly one-third of managers and close to 20 percent of staffers say bonuses are awarded based on their divisions' performance.

That said, security pros make more money than their general IT counterparts, according to the survey, with IT staffers' annual median base salary at $83,000 and IT managers' at $105,000. This demonstrates the value placed on security skills as the economy slowly begins to show signs of life.

Security professionals' relatively higher pay can also be attributed to the premium placed on hot security specialties, such as Web application and mobile security; security and information event management (SIEM); forensics; and incident response, says Lee Kushner, president of IT security recruiting firm LJ Kushner and Associates. "The more specific the job, the more rare the skill, the higher premium the salary," Kushner says.

While business is picking up in many organizations, security pros still aren’t seeing much trickle-down: “While I am grateful to have gainful employment, I think that having lost two years of movement in my personal economy has been a negative experience,” says a security professional at a technology firm.

If security pros aren’t happy with their current pay pace, they are pragmatic about the reasons: "The slow economy tightened everyone's belts," says Reed Wilson, chief information security officer (CISO) for NuSkin Enterprises. "Of course, everyone wants a 20 percent raise, but it would not be justified [in this economy]."

Wilson, like many other security pros, has tried to focus on job security and stability in the downturn. "Stability is huge for me," he says. "This [economy] has refocused my strategies toward long-term stability and constant growth. ... My company is doing very well, so my feeling of job security has grown with it."

Job Hunting
About 57 percent of security managers and staffers say they aren’t looking for new jobs. About 30 percent of managers and staffers say they are “somewhat” on the search, while 14 percent of managers and 10 percent of staffers are actively looking to jump ship.

One of the reasons for seeking a new position at a new organization is a big jump in pay. Fair or not, new positions can be more lucrative. Kushner says that with the economy picking up, companies are paying handsomely for open security positions. “Now that companies are waking up to the fact that they are short on security talent, that has created a bit of an inflationary-type scenario where compensation might remain flat for a position in your current company, but the external market value for talent is better,” he says.

With security earning a higher profile in the enterprise, the need for security pros -- especially managers such as CISOs -- to understand the business side of the house is more crucial than ever.

“Business skills or, perhaps more accurately, business-process awareness is critical for any security person who is serious about being a CISO/CSO. It’s critical for anyone who works in security and wants to make real changes to their company or to the industry in general,” says Stephen Maiorca, senior systems security architect at Visual Concepts.

The value of security certifications might be a hotly debated topic, but security pros who hold certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Information Systems Manager (CISM), make more money, according to the survey.

Gender Gap
Of the security professionals who responded to this survey, 701 were male and only 105 were female. As one male Web security analyst who participated in the survey puts it, the security industry remains a “bastion of good old boys.” Women make slightly less than their male counterparts, with an annual base salary of $87,000 for staff-level jobs. Men at the same level earn $90,000. But, unlike men, whose salaries remained flat, women saw a slight salary increase (of $5,000) from 2010.

On the management side, women have narrowed the gap a bit more, from $104,000 in 2010 to $108,000 in the past 12 months. Male managers make $110,000, down from $114,000 in 2010.

"Women's salaries are definitely lower in my company and in the industry. Additionally, one of the reasons I have a job is because I am a woman whose salary is lower than a man’s salary," says a female security professional at a government agency.

A full copy of the 2011 InformationWeek Analytics U.S. IT Salary Survey: Security, is available for download here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Post a Comment
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-14
DoS attack can be performed when an email contains specially designed URL in the body. It can lead to the high CPU usage and cause low quality of service, or in extreme case bring the system to a halt. This issue affects: OTRS AG ((OTRS)) Community Edition 6.0.x version 6.0.1 and later versions. OTR...
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.