Putting Out Fires
Former Army intelligence officer focuses on crisis control
Name: Don Ainslie
Title: Deloitte & Touche Global Security Officer
Key career move: Taking the job at Deloitte
Working counterterrorism and counterintelligence in the U.S. Army, Don Ainslie provided "black book" briefings that outlined threats in officers' particular regions. As the current global security officer for Deloitte & Touche, he supplies company executives with business intelligence on regional threats. Ainslie is responsible for securing the professional services firm's information and 125,000 employees in 150 countries, and handling crisis management.
Since taking the position in 2004, Ainslie's leadership and management during crises have been tested plenty of times: the Asian tsunami in 2004, the London subway bombings in 2005, various hurricanes and a building fire in Spain.
He draws on the security foundation he built during his four years in the Army and his experience working as a security consultant at Trident Data Systems and Aegis Research. Both companies specialize in serving government agencies, and some of the work was sensitive and involved classified data. He later joined Ernst & Young, where he helped commercial clients with business continuity plans, risk assessments and other security projects.
Deloitte tapped Ainslie in 1998 to help build an information security consulting practice. He then headed global information security until Deloitte combined its information and physical security efforts, expanding his role.
His job isn't about forcing people to do things or implementing security for security's sake within the company. Rather, it's about showing how security can help the bottom line and improve the services Deloitte provides its clients, Ainslie says.
"You have to establish credibility--that you know what you're talking about--but also [show] that you can add value," he says.
Getting Down to Business
Various organizations conduct salary studies that focus on slightly different job titles. But regardless of whose numbers you look at, today's average security manager is making upwards of $100,000 per year. The SANS Institute's annual salary and career advancement survey, released in January, puts the median U.S. salary for a senior security executive--such as a CISO, CSO or chief risk officer--just north of $106,000. Meanwhile, according to compensation researcher Foote Partners, a manager of information security earns slightly more than $101,000 per year.
Why do some security managers earn more than others? "The global nature of the position, responsibilities, size of staff, industry and geographic location," explains Joyce Brocaglia, CEO of Alta Associates, an executive recruitment firm specializing in information security. "People who have skill sets and can articulate certain situations to enable the business to reach its goals can demand better salaries."
But don't misinterpret six-figure pay to mean that infosecurity pros think they're being adequately compensated. With the money comes new demands; regulatory pressures have forced corporate boards to pay more attention to information security, and that added focus shines a spotlight on the policies and people that protect customer data and intellectual property. There's more on a CISO's plate than ever before.
"I haven't seen compensation in line with what major organizations are expecting of CISOs," says Continental's Gold. "Base salaries are still low, and incentive plans that include equity in companies are not on par with what they should be. You're asking individuals to plug gaping holes in organizations, especially if it's a public or Fortune 500 company, and you're still not compensating them what you should be."
Some industries, like financial services, are starting to put security under the risk management umbrella alongside business continuity, disaster recovery and technology risk management. Earlier this decade, regulated industries scampered to meet the demands of auditors to have a central figure responsible for risk and, ultimately, for information security.
This was first published in July 2006