No organization wants to become the next HBGary Federal, RSA, or Heartland Payment Systems: These and other high-profile data breaches have served as harsh wake-up calls for enterprises and also have raised the posture of the IT security department. But that hasn't translated into higher pay for the security pros tasked with protecting their organizations from these deadly attacks.
Nearly 80 percent of the respondents in the new 2011 InformationWeek Analytics U.S. IT Salary Survey say their organization has suffered a major data breach or security compromise in the past 12 months, while 10 percent don't know whether they have. But organizations for the most part aren't ponying up more money for their security pros: The median base salary for IT security professionals during the past 12 months remained mostly flat or dipped slightly -- a sign that even the relatively insulated IT security market is still feeling the pinch of the slowed economy.
Security staffers’ median annual base salary was $90,000 this year, the same as reported in 2010. Security managers’ pay dropped slightly, from $112,000 in 2010 to $110,000 in 2011, after increasing from $105,000 in 2009.
Median total cash compensation -- base salaries plus any bonuses or other cash payments -- rose slightly for IT security staff, from $95,000 in 2010 to $97,000 this year. Cash compensation remained flat for management in 2011, at $122,000, after a jump from $114,000 in 2009.
Meanwhile, about seven in 10 security professionals anticipate bonuses for 2011. Half of the managers and 44 percent of the staffers responding to the survey say they get bonuses based on company performance. Nearly one-third of managers and close to 20 percent of staffers say bonuses are awarded based on their divisions' performance.
That said, security pros make more money than their general IT counterparts, according to the survey, with IT staffers' annual median base salary at $83,000 and IT managers' at $105,000. This demonstrates the value placed on security skills as the economy slowly begins to show signs of life.
Security professionals' relatively higher pay can also be attributed to the premium placed on hot security specialties, such as Web application and mobile security; security and information event management (SIEM); forensics; and incident response, says Lee Kushner, president of IT security recruiting firm LJ Kushner and Associates. "The more specific the job, the more rare the skill, the higher premium the salary," Kushner says.
While business is picking up in many organizations, security pros still aren’t seeing much trickle-down: “While I am grateful to have gainful employment, I think that having lost two years of movement in my personal economy has been a negative experience,” says a security professional at a technology firm.
If security pros aren’t happy with their current pay pace, they are pragmatic about the reasons: "The slow economy tightened everyone's belts," says Reed Wilson, chief information security officer (CISO) for NuSkin Enterprises. "Of course, everyone wants a 20 percent raise, but it would not be justified [in this economy]."
Wilson, like many other security pros, has tried to focus on job security and stability in the downturn. "Stability is huge for me," he says. "This [economy] has refocused my strategies toward long-term stability and constant growth. ... My company is doing very well, so my feeling of job security has grown with it."
About 57 percent of security managers and staffers say they aren’t looking for new jobs. About 30 percent of managers and staffers say they are “somewhat” on the search, while 14 percent of managers and 10 percent of staffers are actively looking to jump ship.
One of the reasons for seeking a new position at a new organization is a big jump in pay. Fair or not, new positions can be more lucrative. Kushner says that with the economy picking up, companies are paying handsomely for open security positions. “Now that companies are waking up to the fact that they are short on security talent, that has created a bit of an inflationary-type scenario where compensation might remain flat for a position in your current company, but the external market value for talent is better,” he says.
With security earning a higher profile in the enterprise, the need for security pros -- especially managers such as CISOs -- to understand the business side of the house is more crucial than ever.
“Business skills or, perhaps more accurately, business-process awareness is critical for any security person who is serious about being a CISO/CSO. It’s critical for anyone who works in security and wants to make real changes to their company or to the industry in general,” says Stephen Maiorca, senior systems security architect at Visual Concepts.
The value of security certifications might be a hotly debated topic, but security pros who hold certifications, such as the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and Certified Information Systems Manager (CISM), make more money, according to the survey.
Of the security professionals who responded to this survey, 701 were male and only 105 were female. As one male Web security analyst who participated in the survey puts it, the security industry remains a “bastion of good old boys.” Women make slightly less than their male counterparts, with an annual base salary of $87,000 for staff-level jobs. Men at the same level earn $90,000. But, unlike men, whose salaries remained flat, women saw a slight salary increase (of $5,000) from 2010.
On the management side, women have narrowed the gap a bit more, from $104,000 in 2010 to $108,000 in the past 12 months. Male managers make $110,000, down from $114,000 in 2010.
"Women's salaries are definitely lower in my company and in the industry. Additionally, one of the reasons I have a job is because I am a woman whose salary is lower than a man’s salary," says a female security professional at a government agency.
A full copy of the 2011 InformationWeek Analytics U.S. IT Salary Survey: Security, is available for download here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio