
Security Pros Feel Underpaid, But In Some Cases Would Take A Pay Cut

New survey shows value IT security professionals place on job security, training, quality of life

While most security professionals say their expertise entitles them to make more money than their counterparts in IT, nearly half would accept a lower salary if it was necessary to keep their job or if they were offered additional training, according to a new survey that will be released tomorrow.

The survey, conducted by Information Security Leaders, which polled 460 security professionals between March and April, found that nearly half of these security pros feel they should get "a bit more" compensation than an IT pro at the same experience level, and another one-third say they are entitled to "a lot more" money.

But more than 60 percent feel they're either slightly or significantly underpaid for their jobs. More than 35 percent say they are paid fairly, less than 5 percent say they are slightly overpaid, and 3 percent say they are "significantly" overpaid.

While money is an obvious factor, it isn't the only key to job satisfaction: Forty-nine percent say they would accept less pay if it meant keeping their jobs. Some perks were worth lower pay, as well: Forty-seven percent say they'd take less money for additional training and education; 38 percent, for shorter hours; 37 percent, for working from home more frequently; 36 percent, for more vacation; and 19 percent, for better health benefits.

"Money is important. But people in our industry value other things highly," says Information Security Leaders' Mike Murray, who is also co-founder of MAD Security. "One of the big results [in the survey] is that they value training. Training was a [close] second only to 'if I had to make less money I would only to keep my job.'"

Lee Kushner, also of Information Security Leaders, says employers are missing the boat if they aren't offering security pros more career flexibility and options, such as training and education and working from home or more manageable hours. "Companies are generally short-staffed in security. Security pros are asking, 'Let me make the most use of my time,'" says Kushner, who is president of LJ Kushner and Associates, an executive search firm specializing in the information security field. "Employers could get the best of both worlds" if they offer these perks, he says.

Close to 70 percent say money has never been the sole factor in their job moves. More than 90 percent of the respondents say money is a factor in their job searches, but only 8 percent say it's the main driver.

Meanwhile, the survey shows that salaries appear to be dipping, Murray and Kushner say. Five percent fewer security pros make more than $120,000 a year than those surveyed in 2008/2009 by Information Security Leaders, while 5 percent more make less than $100,000 than in the previous survey. The number of security pros who fall into the middle salary range has stayed about the same, however, they found.

More than 7 percent of the respondents experienced a pay cut this year, while one-third say their salaries remained flat with no increases. Close to 44 percent earned a pay increase of less than 5 percent, while 15 percent of the security pros in the survey were awarded raises of more than 6 percent.

More than half got less of a raise than they expected the last time they got one, and about 10 percent were pleasantly surprised with their pay increase. "Fifty percent got less than they expected -- they thought they were getting more," Kushner notes. "For every one security professional who was enthused about a raise, five were disappointed."

Murray says that data set was especially surprising. "Everyone knows there's a downturn and that the economy is slow. But still, the [fact that] that many people got less than they expected ... someone is not setting expectations very well," he says. "It suggests the communication is not there" between upper management and security pros, he says.

Bonuses were also a big disappointment this past year: While close to half of the respondents say their compensation includes a bonus, about 40 percent got less than 10 percent of their bonus in the past year and 20 percent got 10 to 15 percent of it. Around 35 percent got less of a bonus than they expected, while 20 percent got more.

Only 6.4 percent consider their bonus as part of the expected overall compensation they receive. "This shows that people don't trust their employers," Kushner says. "The expectations about money show that [security pros] are still counting on their employers to do it for them. And they are still at their mercy, not taking control of their own careers."

Kushner and Murray will address career issues, such as how to negotiate a salary or compensation, at Black Hat USA in Las Vegas next week. They'll be presenting back-to-back panels on Thurs., July 29, called "Things You Wanted To Know But Were Afraid To Ask About Managing Your Information Security Career" and "Your Career = Your Business." In the second session, they will offer strategies for getting a raise.

One of the first steps to figuring out how much you're worth, Kushner says, is to estimate the value of your skills to the organization. "Start thinking, 'If I want to earn more money, what do I do to deserve that money?'" he says. For example, are your skills becoming antiquated, and what skills are important to your organization?

"You have to be able to make logical arguments about what you're worth to your employer without holding a gun to their head. Too many people make it adversarial. It should be congenial," he says. Rather than saying you have another offer, take a preemptive approach, he says.

"'I like working here. I like being part of this team. Everything about my job is excellent. The only issue is finances, what I'm being paid,'" is one approach to asking for a raise, he says. Explain how your mortgage has gone up or how other life changes have caused your financial picture to change.

Be honest, he says: "'In order to keep the status quo, I have to earn more money. I would rather do that here than go somewhere else ... is that possible in this organization?'" is one way to approach the difficult discussion of money. Try working with your boss on a solution for this, he says, rather than threatening to leave.

And for career growth, security pros should assess how they are -- or are not -- marketing and selling themselves. "What new skills am I adding to my portfolio to make Me 2.0 for next year's 'product release?'" Murray says.

Meantime, Kushner and Murray's new survey results will be available here tomorrow.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
