One of the most common topics people ask us about is compensation: How to make more money; how much money information security professionals should make; what the status of compensation in this economy is, etc.
Unfortunately, other than an anecdotal understanding of what's happening, there's really not any reliable data out there. There are some companies that claim to have it, but most of that data is tainted by the methods they use or the clients they claim to serve. (i.e. If the research is paid for by companies, the results tend to skew lower than reality, while if the data is paid for by individuals, the results tend to skew higher.)
Earlier this year, we conducted a short IT security salary survey and decided to publish the results for free to the industry. The survey was completed by 460 information security professionals, and was promoted by the use of social media, conference presentations, and to respondents of our past surveys, who are information security professionals at different stages in their careers.
This month, we wanted to share three of the more interesting conclusions of that survey with our SearchSecurity.com readers.
The entitlement mentality
In the late 90s and early 2000s, security skills were rare and unique -- very few information security professionals were in the marketplace and they were highly valued because of it. At that time, security professionals were paid a premium for their skills over the rest of IT due to their rarity.
Unfortunately, this is no longer true; nearly every company has some complement of information security skills on the payroll. And large numbers of security professionals exist (we estimate based on public data that there are well over 100,000 certified information security professionals as of this writing). Because of this, most companies treat information security as just another part of the IT cost-center environment.
However, most infosec pros still believe they're entitled to premium pay. According to the results of our survey, almost half of respondents believe that being in security entitles them to "a bit more" compensation than a similarly experienced IT pro; an additional one-third of respondents believe they're entitled to "a lot more".
In summary: More than 80% of IT security professionals surveyed believe they're entitled to be paid better for their skills than the database administrators, system administrators and software engineers.
Unfortunately, the market reality is that companies aren't paying a premium for information security professionals the way that they used to, so a large number of our brethren are suffering under unrealistic compensation expectations.
This leads quite directly to the next conclusion in our survey.
We feel underpaid
Nearly 60% of respondents said they're either slightly or significantly underpaid, while only 3% said they feel they're overpaid for their skills. Given the statistics described above, this probably shouldn't be a surprise.
Additionally, the down economy is having an effect on the way compensation is doled out. More than 50% of the respondents to the survey said their most recent salary increase was "less than expected," while only 10% said they were "positively surprised." That's a 5:1 ratio of people who were positively surprised vs. those who were negatively surprised.
Money is not all that matters
Some good news gleaned from the survey results, however, is that money is rarely the main factor in accepting a new job or staying with a current one for information security pros. While 93% of survey respondents said that money is a factor in their job search, only 8% listed it as the primary factor when they change jobs.
Even more telling is what respondents would give up money for. When asked to fill in the blank in the following statement: "I would be willing to accept less compensation if I were …", 49% responded that they would accept less money if they were forced to in order to remain employed. Coming in at a close second, 47% said they would give up some of their compensation if they were "given more training." This suggests almost half of our respondents believe that training is worth more than money, and they'd take a compensation cut for more access to training materials, education and knowledge.
Beyond this, the next level of responses were quality-of-life factors -- approximately a third of respondents would give up money for being allowed to work less (38%), to work from home more often (36%) or for more vacation (36%).
This is good news for employers and hiring managers. Even in the situation where they are hamstrung by a lack of money for compensation, the ability to offer additional training and other quality-of-life factors will increase the satisfaction of their employees.. That's going to be increasingly important as salaries for security pros continue to align with the rest of IT and with the majority of infosec pros failing to understand their true worth to their employers. Employers who can offer additional training will generally be able to maintain the satisfaction of their information security team even in the face of smaller salary increases and an inability to offer the premium pay of the past.
The survey results were quite enlightening to us. In our analysis, we recognized a significant gap between compensation attitudes and market-based reality. It is a logical assumption that job satisfaction will suffer if employees believe they are underpaid (even if they are not). Our overarching conclusion is that a perception problem exists between information security professionals and the people responsible for paying them. It is critical that, as a group, security pros communicate better with management, with the goal being better alignment of compensation expectations with employers' current compensation structures.
If you would like to view the full results of the survey, you can request a copy of the results be sent to your email account.
This was first published in August 2010