Pay is good and getting better for security pros -- especially if their job titles include the words "chief" or "director" and they work for large companies in the IT, utilities and financial sectors.
However, the benefits of advanced degrees and certifications aren't as clear; certifications haven't made much difference for some, while others have done well with nothing more than a high school diploma.
Those are among the SANS Institute's findings after polling more than 4,250 security pros in October and November for its 2005 Information Security Salary and Career Advancement Survey. The Bethesda, Md.-based training and certification group released a .pdf of the survey Monday.
Pay is good and getting better
A majority of respondents said compensation for information security jobs is strong and getting better, especially in the United States. The median income for U.S. information security professionals -- including salary and bonuses -- is $81,558 a year. By comparison, it's $76,389 in Britain and $67,982 in Canada, the SANS report said.
Compensation is highest among those with such titles as chief information security officer, chief risk officer, chief privacy officer, chief security officer, director of security and security manager. Professionals in this category are earning an annual salary of $106,326, including bonuses, in the U.S.
On the lower end of the scale, those with such titles as network architect, security analyst/consultant, security auditor, security engineer, systems engineer, systems integrator, security penetration tester, network administrator, programmer, systems administrator, and Web security manager earn a salary of about $75,275 in the U.S.
The survey also showed that larger companies pay more. Security pros working for companies with 100,000 or more employees said they earn a salary of about $86,388, while those working for companies with fewer than 250 employees earn about $75,185.
Not surprisingly, those who've been at security the longest are earning more. Respondents with less than three years of experience reported earning a salary of about $63,529, while those with 20 or more years of experience are earning a salary of about $101,724.
Keys to success not the same for all
The survey shows professionals benefiting from their advanced degrees and certifications. But some say certifications haven't made much difference in their pay and career advancement, while others reported doing well with nothing more than a high school degree.
For starters, security professionals with bachelor's degrees aren't necessarily earning more than people without college degrees. Those with a high school diploma reported earning about $78,731 a year, while those with a bachelor's degree reported earning $77,247.
On the other hand, advanced degree holders get far better pay than people who hold master's or Ph.D. degrees. Those with a master's or Ph.D. reported earning between $90,647 and $98,333 a year.
Meanwhile, those in the IT, utilities and banking-insurance-financial sectors said they're earning more -- between $82,927 and $84,397 a year -- than those in other industries. Professionals in the healthcare sector, for example, said they earn about $75,988.
Certifications help some, not others
Most of those surveyed said they hold at least one relevant professional certification. Some respondents said they hold multiple certifications. While many have enjoyed career advancement and better pay as a result, 34% said their certifications haven't made much difference when it comes to getting promotions, raises or high pay.
Of the 4,250 people polled, 1,172 said they hold ISC(2) certifications (CISSP, SSCP); 1,135 said they hold vendor certifications from the likes of Microsoft and Cisco Systems Inc.; 903 hold GIAC certifications (GSEC, GSWN, etc.); 459 hold ISACA certifications (CISA, CISM); and 442 hold CompTIA certifications (Security+, etc.). Of them:
- 27.8% said their certifications helped them better defend systems against penetrations.
- 24.1% said their certifications helped them get a new job.
- 19.6% said it helped them get a raise.
- 15% said it got them a promotion.
- 11.6% said being certified helped their consulting companies get new business.
- 34.4% said their certifications had no impact on any of those factors.
People who hold certifications from ISC(2) and ISACA are earning more -- between $91,555 and $98,571 -- than those who hold other certifications, SANS found. Those with a CompTIA certification, for example, said they earn about $68,036.