Despite layoffs and a gloomy job climate, worthless stock options, and canceled projects, IT is still a great career...
choice compared to other jobs. Depending on the type of IT job, it can even be outstanding. Pay for security-related skills, for instance, is growing at a surprising rate at a time when the values of many other technical skills have been steadily eroding.
It's been a mixed bag for IT compensation in this transition period, according to two recent compensation surveys by Foote Partners -- the Quarterly IT Professional Salary Survey and 3rd Quarter Hot Technical Skills and Certifications Pay Index (HTSCPI) -- involving continuous tracking of 1,840 IT organizations. Compiled from questionnaires and direct interviews with 29,400 workers in 66 U.S. and Canadian cities from July 1 to Sept. 30, 2001, the surveys show that overall base salaries for 80 key IT positions grew by an average of 7.9% over third-quarter 2000 (or two to three times greater than the general employment market).Salaries and Bonuses
Responses from 1,315 private and public sector security executives, managers, analysts and systems administrators revealed that salaries for security-related positions increased 7.2% overall for the year ending Q3 2001. That's down from a whopping 12% annual increase we reported for infosec jobs in our Q1 survey, and solid evidence of the effect hiring freezes and an expanding labor supply have had on compensation. Base pay for security jobs has been flat since January, up about 2% overall for the year. Still, evidence of the benefit of a security job is clear: four out of six surveyed positions earn in excess of $100,000 in total compensation. (Click here to preview the data referred to in this article)
Comparing security management salaries from Q3 2000 to Q3 2001, senior information security analyst salaries grew the most, at 13.5%, followed by a 10.6% increase for corporate infosec directors. Pay for manager-level corporate security positions and Web/e-commerce security managers grew more modestly, at slightly more than 7%. Lowest salary growth for all security jobs in this period are systems administrators and data warehouse management-level security jobs, up 2.4% and 1.7%, respectively.
Bonus pay in Q3 averaged a healthy 14.8% of base salary for all security positions surveyed, compared to 15.8% in Q1. Director- and manager-level corporate security execs, Web security managers and data warehouse security managers all averaged around 16% of base pay in bonuses, followed by senior infosec analysts and senior systems administrators at 12% each.Geographical Hot/Cold Spots
Our 2001 quarterly surveys uniformly indicate higher base pay growth for corporate security, systems administration and data warehousing security management jobs located in Midwest and Southern cities. Pay erosion has been most dramatic for Web security management positions in the West Coast and Northeast regions.Skills Bonuses
For the past four years, Foote Partners has tracked the increasing popularity of bonus premiums paid to IT workers with high-value skills and certifications. Isolating and rewarding skills with cash pay outs (most commonly calculated as a percent of base salary) make it easier for employers stuck with inflexible, outdated compensation systems to stay competitive in fast-moving technical labor markets. Like base pay, the market value for skills pay is driven by supply-and-demand economics; unlike salaries, skills pay tends to fluctuate more dramatically from quarter to quarter.
Overall, security skills have maintained their value equally or better than most of the other skills tracked in the past year. For all 82 IT skills represented in Q3 2001's survey, premium pay declined an average of 8% from Q4 2000 and 16% from Q3 2000, to a median bonus of 8.6% of base pay. However, networking-related security skills specifically related to certain hot projects -- such as data warehousing, CRM, SCM and e-business -- earned an astronomical 18% of base pay median premium bonus this quarter, ranking second highest among all 135 skills and certifications tracked in the HTSCPI. Following steep quarterly declines in late 2000, pay for security skills applied to Database and Web/e-commerce work is bouncing back: it grew 5% from July to September, to between 8.5% and 9% of base pay for each. These are three of the best places right now for security professionals to apply their skills to retain maximum pay benefit.
Conversely, the biggest decline in skills pay since the start of the year -- 20% -- occurred with enterprise applications skills, which have been on a steady and rapid descent since 3Q 2000. This is not the place to invest your valuable security skills, nor is messaging and groupware, where skills pay this year is down nearly 15%.Security Certification Pay
Technical certifications, though not absolute measures of technical prowess or guarantees of ROI in human capital, are viewed positively by employers and regularly factor in to compensation, selection and promotion decisions. Nowhere is this more true than with security certification bonus pay: It's increased 22% overall since the fourth quarter of last year, and nearly 19% in 2001 alone. That's the highest skills pay growth of all certification categories this year, and second only to System/Network OS certifications (33% growth) since our 4Q 2000 survey.
Median bonuses for 53 technical skills certifications tracked in Foote Partners' hot skills index increased from an average 7.9% to 8.6% of base pay from 4Q last year to the current quarter. Workers holding security certifications averaged 8.3% of base salary for skills bonus pay they received in 3Q 2001, up from 7% in the first quarter. Most responsible for this growth has been the SANS-GIAC family of security certifications. We anticipate more accelerated growth in security certification pay over the next two years, and predict that average premium bonus pay there it will top the average for all certifications in the survey by the beginning of next year.Trends
Security skills will continue to grow in importance as more business is launched online. Expect the following trends to shape security compensation and employment in coming months:
1. Continued reluctance by employers to pay large security skills premiums to junior staff and inexperienced workers. This includes those who aren't well matched to priority projects and those whose ROI isn't assured. In particular, this trend will affect enterprise applications, network/internetworking and operating systems skill areas
2. Available funds for security skills will increasingly be directed to upper-echelon impact IT workers in larger (or sometimes additional) bonuses. Compensation will be most affected in database and application development tools and languages skill areas.
3. More emphasis on team- and project-based security skills premium pay during the economic downturn, as budgets undergo case-by-case scrutiny to focus resources on projects that produce tangible, near-term benefits. Anticipate greater experimentation in how incentive pay can be used to motivate and sustain performance.
4. Security professionals will further diversify skill sets, driving pay higher. While continuing to master new technologies for protecting IT systems and excel in niches (e.g. forensics), security professionals will be under more pressure than ever to understand their company's entire business, pinpoint the security risks that are most threatening to the company's bottom line, and expertly package and market solutions internally to a wider variety of stakeholders. Soft skills will become more critical to job success.
5. Security skills and knowledge most highly valued (and influential to pay) over the next 12 to 24 months: Privacy expertise (e.g. HIPAA, Gramm-Leach-Bliley compliance); developing stronger user-awareness policies; remote and wireless access, bulletproofing business-to-business exchanges; authorization and authentication mechanisms; security architecture; selecting and managing ASPs and outsourcing partners; risk management; embedding benchmark practices and using metrics to measure effectiveness; IDS.
Knowledge of the technical side of security has long dominated security job evaluation and defined compensation levels, but the following qualities will soon rival technology in influencing pay for security pros: being adept at corporate politics; possessing business skills and aptitudes; having good relationship management, communication, and collaborative team skills; project management experience; and being able to market, sell and negotiate outcomes.About the author:
David Foote (email@example.com) is president and chief research officer at Foote Partners LLC, an IT workforce research firm and management consultancy in New Canaan, Conn. He also leads a team that compiles and publishes the only continuous quarterly IT salary and hot technical skills survey research currently available in North America. His editorial opinion columns, articles and contributions appear regularly in a variety of business, HR, and IT industry publications, and on radio and broadcast television appearances.
Dig Deeper on Information Security Jobs and Training