
Security Pros Feel Underpaid, But In Some Cases Would Take A Pay Cut

New survey shows value IT security professionals place on job security, training, quality of life

While most security professionals say their expertise entitles them to make more money than their counterparts in IT, nearly half would accept a lower salary if it was necessary to keep their job or if they were offered additional training, according to a new survey that will be released tomorrow.

The survey, conducted by Information Security Leaders, polled 460 security professionals between March and April. It found that nearly half of these security pros feel they should get "a bit more" compensation than an IT pro at the same experience level, and another one-third say they are entitled to "a lot more" money.

But more than 60 percent feel they're either slightly or significantly underpaid for their jobs. More than 35 percent say they are paid fairly, less than 5 percent say they are slightly overpaid, and 3 percent say they are "significantly" overpaid.

While money is an obvious factor, it isn't the only key to job satisfaction: Forty-nine percent say they would accept less pay if it meant keeping their jobs. Some perks were worth lower pay, as well: Forty-seven percent say they'd take less money for additional training and education; 38 percent, for shorter hours; 37 percent, for working from home more frequently; 36 percent, for more vacation; and 19 percent, for better health benefits.

"Money is important. But people in our industry value other things highly," says Information Security Leaders' Mike Murray, who is also co-founder of MAD Security. "One of the big results [in the survey] is that they value training. Training was a [close] second only to 'if I had to make less money I would only to keep my job.'"

Lee Kushner, also of Information Security Leaders, says employers are missing the boat if they aren't offering security pros more career flexibility and options, such as training and education and working from home or more manageable hours. "Companies are generally short-staffed in security. Security pros are asking, 'Let me make the most use of my time,'" says Kushner, who is president of LJ Kushner and Associates, an executive search firm specializing in the information security field. "Employers could get the best of both worlds" if they offer these perks, he says.

Close to 70 percent say money has never been the sole factor in their job moves. More than 90 percent of the respondents say money is a factor in their job searches, but only 8 percent say it's the main driver.

Meanwhile, the survey shows that salaries appear to be dipping, Murray and Kushner say. Five percent fewer security pros make more than $120,000 a year than those surveyed in 2008/2009 by Information Security Leaders, while 5 percent more make less than $100,000 than in the previous survey. The number of security pros who fall into the middle salary range has stayed about the same, however, they found.

More than 7 percent of the respondents experienced a pay cut this year, while one-third say their salaries remained flat with no increases. Close to 44 percent earned a pay increase of less than 5 percent, while 15 percent of the security pros in the survey were awarded raises of more than 6 percent.

More than half got less of a raise than they expected the last time they got one, and about 10 percent were pleasantly surprised with their pay increase. "Fifty percent got less than they expected -- they thought they were getting more," Kushner notes. "For every one security professional who was enthused about a raise, five were disappointed."

Murray says that data set was especially surprising. "Everyone knows there's a downturn and that the economy is slow. But still, the [fact that] that many people got less than they expected ... someone is not setting expectations very well," he says. "It suggests the communication is not there" between upper management and security pros, he says.

Bonuses were also a big disappointment this past year: While close to half of the respondents say their compensation includes a bonus, about 40 percent got less than 10 percent of their bonus in the past year and 20 percent got 10 to 15 percent of it. Around 35 percent got less of a bonus than they expected, while 20 percent got more.

Only 6.4 percent consider their bonus as part of the expected overall compensation they receive. "This shows that people don't trust their employers," Kushner says. "The expectations about money show that [security pros] are still counting on their employers to do it for them. And they are still at their mercy, not taking control of their own careers."

Kushner and Murray will address career issues, such as how to negotiate a salary or compensation, at Black Hat USA in Las Vegas next week. They'll be presenting back-to-back panels on Thurs., July 29, called "Things You Wanted To Know But Were Afraid To Ask About Managing Your Information Security Career" and "Your Career = Your Business." In the second session, they will offer strategies for getting a raise.

One of the first steps to figuring out how much you're worth, Kushner says, is to estimate the value of your skills to the organization. "Start thinking, 'If I want to earn more money, what do I do to deserve that money?'" he says. For example, are your skills becoming antiquated, and what skills are important to your organization?

"You have to be able to make logical arguments about what you're worth to your employer without holding a gun to their head. Too many people make it adversarial. It should be congenial," he says. Rather than saying you have another offer, take a preemptive approach, he says.

"'I like working here. I like being part of this team. Everything about my job is excellent. The only issue is finances, what I'm being paid,'" is one approach to asking for a raise, he says. Explain how your mortgage has gone up or how other life changes have caused your financial picture to change.

Be honest, he says: "'In order to keep the status quo, I have to earn more money. I would rather do that here than go somewhere else ... is that possible in this organization?'" is one way to approach the difficult discussion of money. Try working with your boss on a solution for this, he says, rather than threatening to leave.

And for career growth, security pros should assess how they are -- or are not -- marketing and selling themselves. "What new skills am I adding to my portfolio to make Me 2.0 for next year's 'product release?'" Murray says.

Meantime, Kushner and Murray's new survey results will be available here tomorrow.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
