Information security professionals may not be getting paid many bonuses in this battered economy but they remain dedicated to their field.
Those were some of the findings of the first-ever Information Security/SearchSecurity.com salary survey, which polled 256 readers on their pay and a variety of career related questions. Readers expressed their views on security certifications, rated the most important factors in choosing a job, and revealed what kind of bonuses they're getting -- or not getting, in most cases.
"The economy is affecting pay scales across the board, not just security," says Jay Arya, information security officer at an East Coast-based bank. Yet security pros will weather the storm and don't plan to switch careers, he adds: "They plan to continue because it's a growing field. People are recognizing security isn't an option anymore -- it's a requirement. A lot of regulations are driving the fact you need security."
Read on for more details from the survey and thoughts from security and recruiting experts on what employers are looking for and the current career climate for information security pros.
Despite some encouraging signs, an economic recovery remains tepid at best, often resulting in stagnant salaries and few bonuses. Of the 256 survey participants, nearly 52 percent estimate their bonus this year at zero and about 50 percent don't expect anything more next year. About eight percent estimate their 2010 bonus at $10,000 and about 5 percent estimate it at $2,000. Among CISOs, CSOs, and information security directors, 48 percent estimate their 2010 bonus at zero and 15 percent estimate a $10,000 bonus.
Salaries vary widely, but about 20 percent of survey respondents reported receiving an annual salary this year of $50,000 to $75,000. Experience pays off, with salaries for CISOs, CSOs, and information security directors trending up: Roughly 25 percent reporting 2010 annual salaries between $115,000 and $135,000. The CISO respondents to the survey report that their 2010 salaries range from $97,000 to $101,000.
A separate compensation survey of 460 infosecurity professionals conducted this spring by InfoSecLeaders.com, an information security career content website, shows that salaries are trending downward. More than seven percent of respondents took a pay cut, one-third received no pay increase, and nearly 44 percent received less than a five percent raise.
The InfoSecLeaders.com survey also shows that bonuses are a big part of a security pro's compensation package, with nearly half of the respondents reporting that their compensation includes a bonus component. However, 35 percent say they received less of their bonus than expected and nearly 40 percent received less than 10 percent of their bonus. As a result, infosecurity pros are discounting the importance of bonuses in their compensation package, the survey indicated, with only 6.4 percent viewing their bonuses as part of their expected compensation.
"Bonuses aren't getting paid," said Lee Kushner, president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com. "They're not a great tool for compensation."
Security professionals overall aren't too pleased with their compensation situation, according to the InfoSecLeaders survey: More than 60 percent say they're either slightly or significantly underpaid. At the same time, nearly half believe that being in security entitles them to more compensation than a similarly experienced IT pro.
There are a lot of security certifications available on the market, but opinions are divided on whether they add up to more pay or career advancement.
The Information Security/SearchSecurity.com survey showed that 54 percent feel certification has either definitely or somewhat helped advance their career while 44 percent feel certification helped increase their pay. Among CISOs, CSOs, and information security directors, those numbers soar to 89 percent and 77 percent respectively.
For Sheryl Harkleroad, information security official at a large health care provider, there's no question that having the Certified Information Systems Security Professional (CISSP) credential helped advance her career and boost her pay. "Having a CISSP was a key component to my being offered my current job -- certification was required," she says. "The CISSP helped qualify me for the job, where I received a 25 percent pay raise."
Arya agrees that certification plays a significant role for information security professionals. "Without certification, one's professional credibility can be questioned," he says.
Most security professionals have a security certification and not having a certification can sometimes exclude someone from an opportunity but it's not the magic bullet that drives pay, Kushner says.
"Having the CISSP evens the playing field. It gets you a ticket to the dance but it doesn't let you come home with any dates," he says. "The certification might be what gets you in the door, but it doesn't necessarily equate to success."
When companies look for senior-level security executives, they're more concerned about finding someone whose background is similar to their other top business executives, he says. Security professionals can become too focused on building skills that are important within information security and neglect the skills needed to compete with other business leaders.
"In order to get that board-level respect that security pros want, they have to start speaking the language of the people they'll be interacting with -- the CFO, the COO," Kushner says. "A lot of security professionals have fallen short. They stop their career development at measuring the bar among security pros instead of measuring themselves against the broader marketplace."
Paul Rohmeyer, a faculty member in the graduate school at Stevens Institute of Technology and a consultant, believes security certifications still are essential for CISOs and ISOs, but he's noticed that some companies are putting employees from other departments into the security role and then sending them out to obtain certification. For example, a bank promoted a well-regarded employee with no technical security experience into the ISO position, he says.
"It seems that's a low-cost alternative for some. They'd rather give the security skills to someone who knows their business," he says. "If you look at the average salaries demanded by anyone with any number of years as a security officer plus a credential -- in some ways, they're priced out."
For information security professionals, work isn't all about the money. Ninety-two percent of survey respondents rated job satisfaction as either a very important factor or the most important factor in their choice of a job, ahead of salary. Sixty-eight percent rated salary as a very important or the most important factor while 64 percent rated job responsibilities as the top factor or a very important factor.
"It's a relatively high-stress position," Rohmeyer says. "It's tough enough by nature. If you don't have a good environment and there's a dysfunctional team, then it's even tougher."
Arya says in any job, not just security, a person's morale suffers if he or she isn't happy. "The pay scale also matters, but if you've got job satisfaction in your career, the pay scale will follow," he says.
For Harkleroad, the most important factor in choosing a job -- in current economic conditions -- is job security. "I would not have left my last job without feeling a certain degree of job security," she says.
The InfoSecLeaders.com compensation survey indicates that information security is a labor of love: Almost 70 percent of respondents report that they haven't ever changed jobs solely for money. While 93 percent rank money as a factor in a job search, only eight percent say it's the most important factor.
Interestingly, nearly an equal number of InfoSecLeaders.com survey participants say they'd take a pay cut if it meant keeping their job (49 percent) or receiving additional training or education (47 percent).
Ongoing training is important in information security, says Hord Tipton, executive director of the nonprofit (ISC)2, which issues the CISSP and related credentials: "No one can declare him or herself immune from the need to be better educated about security."
He adds, "We all get lazy, tied up in our jobs and don't take the time to do the training and types of things that are necessary to keep abreast of the trends in the changing world of emerging technology."
Economic issues aside, information security professionals are a dedicated bunch: 54 percent of Information Security/SearchSecurity.com survey participants plan to continue to pursue a career in security over the next five years. Among survey respondents who identified themselves as CISOs or ISOs, that number soars to 81 percent.
The results speak to a belief in the future of the field, Rohmeyer says. "Security is a long-term operational requirement. It's not a short-lived problem that's going to be overcome. It's part of the landscape."
(ISC)2's Tipton says security is a growing field that offers a lot of opportunities. He cites a finding in (ISC)2's 2008 Global Information Security Workforce Study, which was conducted by Frost & Sullivan. The analyst firm estimated that the number of information security professionals worldwide would grow from approximately 1.66 million in 2008 to almost 2.7 million by 2012.
"Most companies are starting to step up to the plate," Tipton says. "Management is more responsive; they're more supportive of security people. The stars seem to be aligning. They've got momentum and they should take advantage of that."
Marcia Savage is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.
Survey shows security makes up less than 10 percent of IT budget for many
In addition to career-oriented questions, the InformationSecurity/SearchSecurity.com survey polled readers on their organizations' security budgets. About 42 percent of the 256 survey participants say less than 10 percent of their companies' IT budget is spent on security.
Earlier this year, Gartner Inc. estimated that efficient and secure enterprises would reduce their share of security spending by three to six percent of their overall IT budgets through 2011. The average percentage of the IT budget spent on security in 2010 is five percent, down from six percent last year, according to the research firm, which cited faster growth in other IT areas that were gutted in the recession.
Depending on the nature of a company's business, 10 percent makes sense, says Hord Tipton, executive director of the nonprofit certification organization (ISC)2. "The more sensitive your data is, the more risk you have and the more you should be spending on security," he says.
To win funding for information security projects, security managers need to be able to speak budget talk and communicate risk in plain, simple terms, Tipton advises. "You need something beyond just scare tactics," he says. "You have to show those folks what the cost to the company would be due to a significant breach."