In order to align compensation expectations appropriately with their skills and their worth to a current employer, information security professionals must understand their market value.
1. The importance of security to the organization
Functions closely aligned with a company's line of business that are essential to its success will be compensated at a higher rate than those that are further removed. So, in order to calculate their professional worth and understand the leverage that they may have in negotiating an information security salary, all infosec pros should understand why their employers have made investments in information security and the value of the assets that they are protecting.
For example, if you work in a technology company and your job is to make sure software is written securely, you can be confident that the company places value on the skills you bring to the table. If this is the case, you should be able to command something of a premium for your talent.
Conversely, if you work in an environment where information security only exists because of a regulation or an audit requirement, chances are your organization is not concerned with quality or performance, but rather with having a warm body who can serve to demonstrate compliance. In such a situation, you most likely would not have a great deal of leverage and would have to accept whatever the company is willing to pay you with little recourse.
2. The sharpness of your security skills
The information security profession is unique in the wide variety of specialized skills that it demands. In addition, because security and risk management are key elements in the introduction of all new technologies and business regulations, there is great value to professionals who keep their security skills sharp and remain current with new developments in the field, such as emerging attack techniques and new defensive technologies. Information security professionals who let their security skills lapse, however, will find themselves at a competitive disadvantage and will offer less value to their employers.
When figuring out your market value, try to determine which skills make you unique as compared to others, both within your team and within your field. As you undergo this exercise, ask yourself questions such as:
- Which of my skills does my company rely on me (and only me) for?
- What new skills have I learned in the last 12 months?
- Do I have a good understanding of security/risk trends that correlate with my company's business?
- If I had to find a new job tomorrow, which of my skills would have value in the open market?
The more complete your answers are to these questions, the better you will be able to articulate your market value to both current and future employers.
3. Talent: Supply and demand
Individuals often have more influence over their compensation than they realize, but one factor they cannot control is the external market's need for skills and the competition for talent. In many cases, compensation is determined by the simple laws of supply and demand.
The more options that an information security professional has for similar employment, the better chance that he or she will receive higher compensation. Likewise, if your skills are unique to a specific market, and there are not many options for similar employment, your employer may be able to drive down compensation.
A prime example of this would be the Washington, DC market's need for information security professionals who hold security clearances. For a good portion of the information security work in the DC area, security clearances are required both to provide security services and to sell products to the government. There are many government contractors who compete for this business and can only win if they have the information security professionals on staff to deliver. Thus, information security professionals who hold these clearances can leverage their skills to command higher compensation.
Conversely, if the same infosec pros found themselves in an area where there was not a need for cleared information security professionals, they may have to consider a pay cut to perform a similar job.
Please treat these as guidelines to follow, not absolute gospel. There are many other items that go into determining compensation, and these vary from organization to organization: They can include your current compensation, corporate culture, work/life balance, cost of living, industry, organizational size and too many others to list. The best piece of advice: Continue to build your skills, build your brand and create value. If your current employer does not recognize your worth, chances are a future one will.
This was first published in May 2010