Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:32 PM
Connect Directly

IT's Hottest 'Necessary Evil'

While IT security pros may still find themselves defending their roles, they're also in a good spot when it comes to compensation, with a median base salary bump for staffs up a tidy $7,000 this year, according to the new The InformationWeek 2012 U.S. IT Salary Survey: Security

The 2012 InformationWeek Salary Survey shows that security is one of the hottest sectors of the IT job market. But discussions with IT security pros suggest that they are, for the most part, considered a necessary evil by the rest of their organizations.

Even with the harsh glare of high-profile data breaches--recently intensified by the Anonymous hacktivist collective--IT security professionals often find themselves having to defend their group's mandate of defending the organization. Their efforts are often construed as a disruption to business operations, rather than a strategic element. "I feel like Don Quixote sometimes," says a senior information security analyst with a community college district. "There's lots of cooperation and collaboration with IT, but [some in the organization] think I'm a pain."

He says the vulnerability assessment and penetration testing he does to check for security holes are seen as disruptive to operations, and he's often restricted to running these tests on holidays. "I get flak for pointing out they have a problem," he says.

In one case, for example, he was chastised when an unpatched and misconfigured device knocked several switches offline during a vulnerability assessment. "The reality was that the switch was not patched, and it was vulnerable because it was misconfigured," he says.

Even with the issues IT security pros sometimes endure in-house, this year's numbers again show they are in a good spot when it comes to salary and overall compensation. IT security specialists command higher salaries than general IT security professionals, and they feel better overall about their job security than others, according to our InformationWeek 2012 U.S. IT Salary Survey.

Even so, only half of the security pros who responded to the survey said security has "crucial" status across all levels of manage- ment, with 31% saying it's crucial in some business areas of the organization.

The median base salary for IT security pros rose in 2012. The median base salary for security staffers was $97,000 this year, up from $90,000 in 2011; the median base salary for managers was $115,000 in 2012, up from $110,000 the year before. That's higher than the overall IT median salary of $85,000 for staffers and $108,000 for managers, according to this year's report.

Overall compensation--salary plus bonuses and other cash payments--put the IT security staffer's median overall salary at $103,000, up from $97,000 the year before, and the IT security manager's median overall compensation at $127,000, up from $122,000. That's also higher than the overall median IT compensation of $90,000 for staffers and $116,000 for managers, according to the survey data.

IT security requires a different mind-set than other IT careers, and it can be both stressful and rewarding, says Todd Ryan, IT architect for mobility and information security at electronic design automation firm Cadence Design Systems. "You are generally viewed as paranoid and not an enabler of new technology, when the truth is we are trusted with protecting the organization--and that comes with great responsibility," Ryan says. "An attacker only needs to be lucky one time to be considered a success; a security professional may protect the organization for years, and if an attacker breaches the company one time, you may be viewed as a failure. That being said, I think the role is highly rewarding from a compensation and job satisfaction perspective."

Security jobs are hot for several reasons, starting with stringent compliance regulations and increasing concerns over protecting sensitive customer and corporate information. There also is a shortage of talent in the IT security area, which puts those with skills and experience in high demand. Several security pros who participated in the survey say they regularly get offers for positions in other organizations. "I think that, overall, the IT security field is white-hot from a recruiting and need perspective for employers," Ryan says.

We don't expect this demand for security talent to decrease any time soon, especially given the consumerization of IT and the security issues that come along with the bringyour- own-device model, several cybersecurity legislative efforts under way, increasing threats from cyber espionage adversaries gunning for intellectual property, and groups such as Anonymous that are posing a very visible threat.

chart: Median based annual salary

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 3
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/5/2012 | 1:29:17 PM
re: IT's Hottest 'Necessary Evil'
Interesting breakdown of salaries - but not very useful. the salaries for the D.C. area need to be broken out. Also maybe a breakout of salaries in a metropolitan (i.e. high cost of living) area vice smaller communities.

Also, IT security with a government security clearance needs to be broken out. I think there is a wide difference in salary between those offered at a "public" company vice those who deal with national security issues.

Another breakout could be the different areas of IT Security - network security, security administration, database security, forensics, penetration testing, etc. Lumping them all together is as significant as a salary for programmers - lumping embedded SW designers with VB, C++, Java, Python, COBOL, Ada, etc programmers. The salaries offered may vary widely by language skills.
User Rank: Apprentice
4/2/2012 | 8:55:24 PM
re: IT's Hottest 'Necessary Evil'
"Their efforts are often construed as a disruption to business operations, rather than a strategic element."

I believe that I had read this elsewhere, and find it quite universally applicable:
Security and convenience are always in an inverse relationship.
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-19
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->l...
PUBLISHED: 2019-09-19
Pydio 6.0.8 mishandles error reporting when a directory allows unauthenticated uploads, and the remote-upload option is used with the http://localhost:22 URL. The attacker can obtain sensitive information such as the name of the user who created that directory and other internal server information.
PUBLISHED: 2019-09-19
Pydio 6.0.8 allows Authenticated SSRF during a Remote Link Feature download. An attacker can specify an intranet address in the file parameter to index.php, when sending a file to a remote server, as demonstrated by the file=http%3A%2F%2F192.168.1.2 substring.
PUBLISHED: 2019-09-19
In goform/setSysTools on Tenda N301 wireless routers, attackers can trigger a device crash via a zero wanMTU value. (Prohibition of this zero value is only enforced within the GUI.)
PUBLISHED: 2019-09-19
libIEC61850 through 1.3.3 has a use-after-free in MmsServer_waitReady in mms/iso_mms/server/mms_server.c, as demonstrated by server_example_goose.