IT's Hottest 'Necessary Evil'

While IT security pros may still find themselves defending their roles, they're also in a good spot when it comes to compensation, with the median base salary for staffers up a tidy $7,000 this year, according to the new InformationWeek 2012 U.S. IT Salary Survey: Security.

The 2012 InformationWeek Salary Survey shows that security is one of the hottest sectors of the IT job market. But discussions with IT security pros suggest that they are, for the most part, considered a necessary evil by the rest of their organizations.

Even with the harsh glare of high-profile data breaches--recently intensified by the Anonymous hacktivist collective--IT security professionals often find themselves having to defend their group's mandate of defending the organization. Their efforts are often construed as a disruption to business operations, rather than a strategic element. "I feel like Don Quixote sometimes," says a senior information security analyst with a community college district. "There's lots of cooperation and collaboration with IT, but [some in the organization] think I'm a pain."

He says the vulnerability assessment and penetration testing he does to check for security holes are seen as disruptive to operations, and he's often restricted to running these tests on holidays. "I get flak for pointing out they have a problem," he says.

In one case, for example, he was chastised when an unpatched and misconfigured device knocked several switches offline during a vulnerability assessment. "The reality was that the switch was not patched, and it was vulnerable because it was misconfigured," he says.

Even with the issues IT security pros sometimes endure in-house, this year's numbers again show they are in a good spot when it comes to salary and overall compensation. IT security specialists command higher salaries than general IT security professionals, and they feel better overall about their job security than others, according to our InformationWeek 2012 U.S. IT Salary Survey.

Even so, only half of the security pros who responded to the survey said security has "crucial" status across all levels of management, with 31% saying it's crucial in some business areas of the organization.

The median base salary for IT security pros rose in 2012. The median base salary for security staffers was $97,000 this year, up from $90,000 in 2011; the median base salary for managers was $115,000 in 2012, up from $110,000 the year before. That's higher than the overall IT median salary of $85,000 for staffers and $108,000 for managers, according to this year's report.

Overall compensation--salary plus bonuses and other cash payments--put the IT security staffer's median overall salary at $103,000, up from $97,000 the year before, and the IT security manager's median overall compensation at $127,000, up from $122,000. That's also higher than the overall median IT compensation of $90,000 for staffers and $116,000 for managers, according to the survey data.

IT security requires a different mind-set than other IT careers, and it can be both stressful and rewarding, says Todd Ryan, IT architect for mobility and information security at electronic design automation firm Cadence Design Systems. "You are generally viewed as paranoid and not an enabler of new technology, when the truth is we are trusted with protecting the organization--and that comes with great responsibility," Ryan says. "An attacker only needs to be lucky one time to be considered a success; a security professional may protect the organization for years, and if an attacker breaches the company one time, you may be viewed as a failure. That being said, I think the role is highly rewarding from a compensation and job satisfaction perspective."

Security jobs are hot for several reasons, starting with stringent compliance regulations and increasing concerns over protecting sensitive customer and corporate information. There also is a shortage of talent in the IT security area, which puts those with skills and experience in high demand. Several security pros who participated in the survey say they regularly get offers for positions in other organizations. "I think that, overall, the IT security field is white-hot from a recruiting and need perspective for employers," Ryan says.

We don't expect this demand for security talent to decrease any time soon, especially given the consumerization of IT and the security issues that come along with the bring-your-own-device model, several cybersecurity legislative efforts under way, increasing threats from cyber espionage adversaries gunning for intellectual property, and groups such as Anonymous that are posing a very visible threat.

chart: Median based annual salary

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
4/5/2012 | 1:29:17 PM
re: IT's Hottest 'Necessary Evil'
Interesting breakdown of salaries - but not very useful. The salaries for the D.C. area need to be broken out. Also maybe a breakout of salaries in a metropolitan (i.e. high cost of living) area vice smaller communities.

Also, IT security with a government security clearance needs to be broken out. I think there is a wide difference in salary between those offered at a "public" company vice those who deal with national security issues.

Another breakout could be the different areas of IT Security - network security, security administration, database security, forensics, penetration testing, etc. Lumping them all together is as significant as a salary for programmers - lumping embedded SW designers with VB, C++, Java, Python, COBOL, Ada, etc programmers. The salaries offered may vary widely by language skills.
User Rank: Apprentice
4/2/2012 | 8:55:24 PM
re: IT's Hottest 'Necessary Evil'
"Their efforts are often construed as a disruption to business operations, rather than a strategic element."

I believe that I had read this elsewhere, and find it quite universally applicable:
Security and convenience are always in an inverse relationship.