Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:32 PM
Connect Directly

IT's Hottest 'Necessary Evil'

While IT security pros may still find themselves defending their roles, they're also in a good spot when it comes to compensation, with a median base salary bump for staffs up a tidy $7,000 this year, according to the new The InformationWeek 2012 U.S. IT Salary Survey: Security

The 2012 InformationWeek Salary Survey shows that security is one of the hottest sectors of the IT job market. But discussions with IT security pros suggest that they are, for the most part, considered a necessary evil by the rest of their organizations.

Even with the harsh glare of high-profile data breaches--recently intensified by the Anonymous hacktivist collective--IT security professionals often find themselves having to defend their group's mandate of defending the organization. Their efforts are often construed as a disruption to business operations, rather than a strategic element. "I feel like Don Quixote sometimes," says a senior information security analyst with a community college district. "There's lots of cooperation and collaboration with IT, but [some in the organization] think I'm a pain."

He says the vulnerability assessment and penetration testing he does to check for security holes are seen as disruptive to operations, and he's often restricted to running these tests on holidays. "I get flak for pointing out they have a problem," he says.

In one case, for example, he was chastised when an unpatched and misconfigured device knocked several switches offline during a vulnerability assessment. "The reality was that the switch was not patched, and it was vulnerable because it was misconfigured," he says.

Even with the issues IT security pros sometimes endure in-house, this year's numbers again show they are in a good spot when it comes to salary and overall compensation. IT security specialists command higher salaries than general IT security professionals, and they feel better overall about their job security than others, according to our InformationWeek 2012 U.S. IT Salary Survey.

Even so, only half of the security pros who responded to the survey said security has "crucial" status across all levels of manage- ment, with 31% saying it's crucial in some business areas of the organization.

The median base salary for IT security pros rose in 2012. The median base salary for security staffers was $97,000 this year, up from $90,000 in 2011; the median base salary for managers was $115,000 in 2012, up from $110,000 the year before. That's higher than the overall IT median salary of $85,000 for staffers and $108,000 for managers, according to this year's report.

Overall compensation--salary plus bonuses and other cash payments--put the IT security staffer's median overall salary at $103,000, up from $97,000 the year before, and the IT security manager's median overall compensation at $127,000, up from $122,000. That's also higher than the overall median IT compensation of $90,000 for staffers and $116,000 for managers, according to the survey data.

IT security requires a different mind-set than other IT careers, and it can be both stressful and rewarding, says Todd Ryan, IT architect for mobility and information security at electronic design automation firm Cadence Design Systems. "You are generally viewed as paranoid and not an enabler of new technology, when the truth is we are trusted with protecting the organization--and that comes with great responsibility," Ryan says. "An attacker only needs to be lucky one time to be considered a success; a security professional may protect the organization for years, and if an attacker breaches the company one time, you may be viewed as a failure. That being said, I think the role is highly rewarding from a compensation and job satisfaction perspective."

Security jobs are hot for several reasons, starting with stringent compliance regulations and increasing concerns over protecting sensitive customer and corporate information. There also is a shortage of talent in the IT security area, which puts those with skills and experience in high demand. Several security pros who participated in the survey say they regularly get offers for positions in other organizations. "I think that, overall, the IT security field is white-hot from a recruiting and need perspective for employers," Ryan says.

We don't expect this demand for security talent to decrease any time soon, especially given the consumerization of IT and the security issues that come along with the bringyour- own-device model, several cybersecurity legislative efforts under way, increasing threats from cyber espionage adversaries gunning for intellectual property, and groups such as Anonymous that are posing a very visible threat.

chart: Median based annual salary

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 3
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/5/2012 | 1:29:17 PM
re: IT's Hottest 'Necessary Evil'
Interesting breakdown of salaries - but not very useful. the salaries for the D.C. area need to be broken out. Also maybe a breakout of salaries in a metropolitan (i.e. high cost of living) area vice smaller communities.

Also, IT security with a government security clearance needs to be broken out. I think there is a wide difference in salary between those offered at a "public" company vice those who deal with national security issues.

Another breakout could be the different areas of IT Security - network security, security administration, database security, forensics, penetration testing, etc. Lumping them all together is as significant as a salary for programmers - lumping embedded SW designers with VB, C++, Java, Python, COBOL, Ada, etc programmers. The salaries offered may vary widely by language skills.
User Rank: Apprentice
4/2/2012 | 8:55:24 PM
re: IT's Hottest 'Necessary Evil'
"Their efforts are often construed as a disruption to business operations, rather than a strategic element."

I believe that I had read this elsewhere, and find it quite universally applicable:
Security and convenience are always in an inverse relationship.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 ( and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...