Despite a middling economy and high unemployment rates, the information security field has been a bastion of hope for IT job-seekers, with conservative estimates from organizations like (ISC)2 showing that hundreds of thousands of new infosec positions will need to be filled in the coming years.
But given the scarcity of qualified IT security pros, how much do security certifications matter for those looking for good jobs and better salaries? A new survey shows that the average information security salary is on the rise and that security certifications can start or improve a career, but one expert questions their true value.
Many times, having the appropriate certifications … is the right step for folks if they want to be competitive for security positions.
managing director, SANS Institute
The just-released 2014 SANS Institute Salary and Professional Trends Survey -- an expanded update to the infosec training organization's 2008 Salary and Certification Survey -- drew on data from more than 4,000 respondents to analyze current career trends for IT security pros, including salary ranges, education levels and future staffing expectations.
Given the high demand for qualified security personnel, the SANS survey unsurprisingly found that many current infosec pros are well compensated. Nearly half of the survey's respondents make more than $100,000 per year -- only 38% of respondents claimed the same in the 2008 survey -- and almost a quarter more fell in the $80,000 to $99,999 range.
The SANS survey noted that career experience is the main driver for larger wages. Across all infosec roles, those professionals with three years or less experience garnered less than $75,000 per year on average, while those with seven years or more experience crossed the six-figure threshold. Whether someone works in a management capacity also plays a large factor in pay rates: the average respondent filling a management position earns more than $120,000 per year, but average non-management employees earn just above $95,000.
Scott Cassity, managing director with the SANS Institute, said the 2014 survey shows that as a profession, infosec is moving in the right direction.
"I think it was accurately predicted that the space would grow," said Cassity. "We saw some moderation in salaries due to the economic collapse, but salaries are higher now than six years ago."
What's the value of security certifications?
Though the SANS survey highlights several factors that can lead to higher salaries for infosec pros, respondents overwhelmingly viewed security certifications as being key to their professional success.
In fact, nearly three-fifths of those surveyed said that certifications were one of the biggest contributing factors to their career. In comparison, less than 40% of respondents cited networking peers as a major factor in their success and less than a quarter indicated that either a bachelor's or master's degree played a part.
Not all certifications are created equal though, according to the survey. Respondents valued SANS' own GIAC Security Expert cert and the (ISC)2 CISSP above all others, while CompTIA's Security+, a cert typically aimed at less experienced security professionals, was placed in the lowest value rung.
Admitting that respondents to a SANS survey may be biased -- SANS is one of the leaders in the for-profit security training and certification space -- Cassity said that certs tend to be the main indicator to human resources personnel that a candidate has the necessarily baseline knowledge to fill a security position. This is particularly true during the earlier stages of a professional's career, Cassity noted, because entry-level security positions are often filled by candidates that are transitioning to the field from areas of IT, like networking.
"Many times, having the appropriate certifications … is the right step for folks if they want to be competitive for security positions," said Cassity. "With the bachelor's degree and the other formal training, I think companies recognize that provides candidates with the theory, but it’s the training and certifications that prove they have those skills.
"They certainly need to have the tech skills," continued Cassity. "But there's still art that goes along with the science."
Intriguingly, the SANS survey indicates that security certifications may be less of a factor in obtaining higher wages and promotions than respondents thought. SANS did not provide specific statistics that clearly show a correlation between wage growth and certifications, instead stating that "increases of up to 5% of salary accompany many certifications."
Even that optimistic 5% pay bump pales in comparison to some of the gaps created by differences in formal education. For example, those security professionals with between four and six years of experience and only a high school diploma net an average salary of $75,938. A professional with the same experience and a bachelor's degree earns an of $84,619 per year, while a master's degree or MBA correlates with another large bump in average pay to $97,109 per year.
Lee J. Kushner, president of information security recruitment firm L.J. Kushner and Associates, explained that while security certifications are great for getting a candidate's foot in the door -- especially when human resources professionals unaware of industry-specific skills are responsible for screening candidates -- those same certs do not drive wage growth in the same manner as experience and skill sets.
"Unless it's a very HR-heavy environment, the certifications become somewhat meaningless," said Kushner. "Our clients never say they'll pay $100,000 for a candidate to fill a specific role, but if they've got a certain cert, they'll pay $120,000."
Infosec opportunities on the rise, but changing
For workers looking to break into the information security field, or even those current security pros looking for a change in scenery, the SANS survey confirmed what's been widely held to be true: many organizations are actively looking to fill security positions.
Over the past year, 43% of respondents said that their employers had increased their infosec staff, while just over 10% reduced their headcount. The projected numbers for the next year show that trend continuing -- more than one-third of respondents expected to add IT security personnel and fewer than 5% of those surveyed plan to cut positions.
New ISACA program courts entry-level security pros
ISACA has launched a new program to create an entry-level information security certification path that may rival offerings from (ISC)2 and CompTIA (May 9, 2014).
The SANS survey also specified which areas of security are likely to experience the most growth in the next two years, with respondents expecting incident response, cloud computing/virtualization and analytics to be the top three in-demand skillsets.
Senior SANS analyst Barb Filkins said the trends highlighted in the skills breakdown tracks with what the industry has been seeing anecdotally in recent years and generally indicates that the field will continue to produce new opportunities in the coming years.
"From my standpoint, it shows that security is a pretty good place to have a job," said Filkins.
Security certification just one part of career puzzle
Kushner cautioned that the takeaways of any large survey won't be meaningful to everyone. He specifically warned the skills highlighted in the SANS survey as being most important may either be too broad, or simply top of mind because of recent events.
For instance, incident response may be in demand in part because of the high-profile breaches that struck Target and other retailers over the last year. In-demand skills can also change in a heartbeat, he said; for example, if a cyberattack took down critical infrastructure in the next year, SCADA security skill would be mentioned by many more respondents.
Kushner also warned that without experience working in cutting-edge environments -- taking a security gig at a cloud-focused organization, for instance -- many of the most compelling job opportunities will likely be outside of an infosec professional's reach, even if they obtain security certs. He advised those security pros looking to climb the career ladder to first understand "where they want to end up," and then to take the action accordingly to get there. If someone wants to be a CISO, for example, Kushner said it would be wise to focus less on pure tech skills and more on business skills, perhaps even obtaining an MBA.
Conversely, he said hiring managers and HR personnel must realize that luring security talent from other companies is difficult if the opportunity or pay isn't better than what a candidate already has. Positions are often left unfilled longer than they should be, Kushner noted, because companies are unwilling to adjust wage expectations for qualified, experienced candidates -- and the SANS survey and others only further solidify the reality of rising industry salary ranges.
"I've got a client that is hiring pen testers right now and they have wicked high requirements for what they want," said Kushner, who noted that his client could never find a candidate that would meet their high expectations at the salary ranges mentioned in the survey.
"There's no question that there is heavy demand [for infosec talent], but understand this: talented information security professionals with skills that are kind of differentiating have a really bright market in front of them," Kushner continued. "There are opportunities for those people with average skills, but most times it is not a different or better opportunity. It's like switching golf shirts."