Lawrence M. Walsh
Quality of life is what Mike Henry sought when he left his high-paying consulting job. The grueling schedule and high pressure were robbing him and his family of quality time. He wanted a break.
Henry knew he would take a hit in the wallet when he took a position at Applied Materials, a $5 billion company that makes manufacturing equipment for high-tech OEMs. As a consultant who holds a CISSP, he commanded $150-an-hour rates and collected a handsome $220,000 salary. In contrast, his new position as senior director of global information security pays a base salary of $165,000 and potential bonus of 35%.
"I had to readjust my values and standard of living," Henry explains. "I'm a divorced father with two girls. My job became less about a chase for dollars and more about quality of life."
Infosecurity practitioners are living in a mixed job market, according to salary research conducted by Foote Partners, an IT salary research and consulting firm, and an independent survey of more than 2,300 Information Security readers.
According to Foote, information security salaries and bonuses continue to outpace most IT fields. Nevertheless, the Information Security survey found the ongoing recession has left thousands of infosecurity pros unemployed or forced to accept lower-paying positions or salary freezes.
"Employers are still willing to pay for security talent, but they're offering less money," says David Foote, president of Foote Partners.
Executives gain most
Overall, information security salaries continued to climb, according to Foote Partners research.
Depending on the job level, the average security professional's overall wages increased between 12 and 24.5% over the last three years. The exception: security system administrators, who saw their overall paycheck shrink 2.5% since 2000 (see Figures 1-3).
The biggest gainers were senior security executives, who saw their wages jump in 2003, fueled by the high demand for managers who can bridge the gulf between IT and business operations. According to Foote, CISOs, vice presidents and director-level security executives realized a 6% increase in their salary and bonus packages over 2002. However, the rate of increase continued to slow from previous years -- 15.1% in 2001 and 8.4% in 2002.
Managers, who constitute the tier just below the executive suite, saw the highest jump in salaries and benefits, earning 6.9% more in 2003. While a respectable increase, it merely offsets the steep loss in bonuses in 2002. Managers' salaries in 2002 climbed 4.4%, but their bonuses plunged more than 26%. This year's 30% increase still doesn't bring managers' bonuses back to their 2001 level, which averaged $18,000.
"If you can grow 4 to 5%, you're doing well, since many other IT fields' salaries are remaining stagnant or regressing," says Foote.
One reason for the salary increases in the upper echelons of infosecurity is the growing demand for professionals who can translate security into business operations. A security executive -- such as the emerging class of chief information security officers (CISOs) and chief security officers (CSOs) -- is typically politically savvy and moderately technically astute. In theory, these pros straddle the divide between the bits-and-bytes practitioners and the executive suite and boardroom MBAs. (See "Qualities of Aspiring Security Pros" sidebar.)
Given the scant number of people who fit this description, corporations are forced to provide higher compensation packages than for most other security fields -- classic supply-and-demand economics. But short supply isn't the only contributing factor, says Foote. The security executive is still a relatively undefined position, oftentimes with broad responsibility for maintaining security posture but little authority for ensuring security policies are properly implemented.
"Management in security is a thankless job, which is why you might be able to get respectable pay," says Foote. "People who are qualified often don't want the job."
Hands-on people gain less ground
Middle and junior security professionals aren't faring as well. Security practitioners and managers on these levels received pay increases that were roughly half of those received by their senior counterparts.
"The adage of people, process and tools as the means to improve security seems to have been forgotten for that of just implementing technology," says one security admin in the Information Security survey.
The divide between upper management and the operational ranks is reflected in the three-year compensation trend. While executive salary increases have slowed, the rate of deceleration is substantially less than that of the lower ranks. Executive compensation has climbed nearly 25% since 2000, while sysadmins' packages have actually declined 2.5% for the same period.
On the lowest level, security admins saw the smallest wage increases of the security professions -- 2.6%. The average base salary crept up $1,000, while bonuses remained level.
Middle managers did a little better. Web security managers earned 3.4% more and senior security analysts received a 2.8% wage increase in 2003. Overall, their salaries have remained flat over the past three years, while bonuses slightly rebounded from last year's plunge.
Tough times for some
Sluggish economic conditions have been hard on some infosecurity practitioners. Roughly one in eight senior security professionals experienced voluntary or mandatory pay cuts, while junior admins and middle managers suffered the greatest number of layoffs -- roughly 5% each.
The vast majority of security professionals -- more than two-thirds -- received pay raises in 2003, according to the Information Security survey (see Figure 4). However, survey respondents say their employers are delaying pay raises and not fully paying bonuses.
"Our raises were supposed to hit in March, but were postponed until October, and there's no guarantee they'll come then," says one security analyst. "We're not holding our breath."
Layoffs and hiring freezes took a toll on those who retained their jobs. Many found themselves with greater responsibilities and heavier workloads, with little or no additional compensation. In some cases, such stagnation is an organizational issue. A company may still be developing infosecurity roles and doesn't know how to compensate its people. But, for most, it's a simple cost containment issue: cut headcount and don't increase expenses.
"My position seems to be somewhat secure, as well as my staff's. However, we are constantly being asked to do more with less," says one mid-level manager. "Although funding has been made available for various project initiatives, we don't have the ability to hire additional staff to address growing operational needs due to budget constraints."
Qualities of Aspiring Security Pros
Aspiring infosecurity professionals need more than technical ability to succeed. They need subjective skills and abilities to navigate corporate politics and operational challenges. The following are eight essential qualities enterprises desire in security managers, according to David Foote, president of Foote Partners.
1. Broad View of Security: You must understand the needs of your company from a 30,000-foot view, so you can implement security measures in the context of business missions and needs.
2. Global Experience: Given the increasing level of globalization, you must understand organizational security needs in different geographic regions -- domestically and internationally -- and then be able to effectively implement and manage those programs.
3. Regulatory Experience: Enterprises are subject to an increasing amount of local, federal and international security legislation. California's CA 1386, Sarbanes-Oxley and the European Data Protection Directive are only the beginning. You must be able to interpret and respond to regulatory requirements.
4. Politically Savvy: You can no longer concern yourself with the bits and bytes of your craft. To be successful, you must navigate the shark-infested waters of corporate politics to build coalitions and win support for your programs.
5. Legal Knowledge: As with regulatory experience, you need to understand the legal implications of your security and privacy measures.
6. Marketing Ability: You must be able to sell your programs internally, first to senior management and then to the rest of your organization.
7. Project Management: You must be able to plan and effectively develop and implement -- or oversee the process of -- security programs.
8. Process Police: Security cuts across all aspects of an enterprise. You must earn a piece of the decision-making process to ensure security is considered in business projects.
Most people are lucky if their annual raise outpaces cost-of-living increases. For most, merit raises often allow them to keep pace with inflation. Changing jobs, either by switching companies or internal promotions, is often a better route for boosting income.
According to the Information Security survey, nearly half of security professionals (44%) changed jobs in the last two years, either within their companies or by changing employers (see Figure 5).
Of those who changed jobs, 51% improved their overall compensation packages, while nearly a third lost no ground. The minority were forced to accept pay cuts when taking new jobs. The survey didn't measure how much of an increase or decrease they accepted, but those interviewed say the gains were modest.
For a few, a job change meant accepting a pay cut. In interviews, survey respondents say poor economic conditions made it difficult to find jobs, especially in markets particularly hard hit by the downturn -- such as California and the Northeast. (See "Cool Labor Market" sidebar.)
"My boss told me flat out that my knowledge of and interest in security was a big factor in getting me my job, but I should not expect any additional money for it," says one mid-level practitioner.
Certifications and incentives
Experience and know-how remain important to career success, but certifications -- especially for management and strategic credentials -- earn practitioners and managers larger bonuses and pay incentives.
Overall, those holding a security certification earn bonuses and pay incentives of 8.8% of their base salary, a meager 2.3% over last year. And some certifications saw no growth in incentive pay.
According to Foote, those holding the vanguard Certified Information Systems Security Professional (CISSP) certification receive the highest incentive pay: 11% of base salary, which is 22% more than last year. The Certified Information Systems Auditor (CISA) saw the highest annual change, 25% over last year to 10% of base pay. This reflects the importance of strategic managers and the growing importance of auditors, especially for corporations struggling to comply with the Sarbanes-Oxley Act.
Most certifications bring incentive pay of roughly 9% of base pay. However, the rate of annual increases is in flux. Some certifications saw steep decreases. For example, Foote says, the GIAC Certified Incident Handler (GCIH) tumbled 10% and the GIAC Certified Intrusion Analyst (GCIA) fell 17%. Others saw no increase.
Certifications remain important for career advancement and incentive pay. Companies are willing to pay employees more for holding key credentials and, in many cases, will pay all or part of the training. Fields likely to see gains are security management and auditing, while technical certifications will stay constant or lose some ground, according to Foote.
Credential holders are seriously concerned about certification dilution. As more certifications are introduced and obtained by upcoming practitioners, they fear that the marketplace will see a glut and start devaluing their credentials.
"The security field, like any other field that becomes a 'hot commodity,' is now gaining its share of pretenders, who are simply in it for the money," says one Information Security survey respondent. "These are the people who go out and get a certification via the shortest route and then start job hopping to boost their personal income and job titles."
Infosecurity was once thought to be immune from the vagaries of the economy, since no enterprise would forgo security and risk exposing their mission-critical IT assets to compromises. At least, that's how the logic went.
Cool Labor Market
After surviving several rounds of layoffs and pay cuts, Robert Mitchell knew it was just a matter of time before the downsizing ax fell on him at Intel.
Losing his job of 26 years would be tough, but he thought having a background in infosecurity would work in his favor. With security now paramount to enterprises, finding a new job would be a snap.
Reality proved vastly different when his layoff notice arrived last March.
"I'm a highly trained professional, and I can't find a job," says Mitchell, 52, who lives in central Massachusetts. "You would think that information security is a hot topic, but I'm not getting the hits that reflect that."
Mitchell is not alone. Numerous respondents to the Information Security salary survey noted difficulty in finding jobs. Many said that jobs just don't exist, and the competition for the few available positions is steep.
"There are fewer positions being filled in information security, and employers are being incredibly selective in the qualities they're looking for in individuals," says Joyce Brocaglia, president of the infosecurity recruiting firm Alta Associates. "We've had so many people with awesome skill sets, but they're not getting the offers."
Intel helped Mitchell prepare for the job market and offered job placement counseling and services. He had ample experience. He came from a networking background, which evolved into antivirus administration and security education positions. Even better, he holds the coveted CISSP certification. He posted his resume on Monster.com and the (ISC)2 online bulletin boards, and mailed applications to major corporations.
Still, no bites. With a daughter in college and limited liquid assets, Mitchell is finding it harder to hold out.
"I've even looked at going to work at Circuit City and the retail world, but my experience has been in the corporate world," he says. "Besides, that's basically minimum wage, and that's a big change from what I'm used to."
Career counselors and recruiters say economic downturns are times when workers should retool their skills and expand their knowledge base. When searching for jobs, especially high-paying technology jobs, they say, people should use their peer networks to find open positions.
Mitchell is trying all the angles, hoping to land the right infosecurity job that will keep him in Massachusetts and at a reasonable income. While that's a tall order in these times, he's prepared to take a pay cut and, if need be, abandon infosecurity.
"I've been in IT for years; I can do probably anything in the IT field," he says. "I was looking more for information security because that's the area I like the most. If that fails, I can fall back on IT."
Still, infosecurity spending accounts for less than 5% of corporate IT budgets, despite the increasing regulation and threats. When the budget knife slashed through IT, it took a lot of infosecurity dollars with it. The result is a discouraged workforce that fears its jobs will be eliminated, or that it will be forced to accept more work for less pay.
"We don't have any job security; we're just a number," says a security analyst. "Either jobs are being outsourced or they're being eliminated. We just keep counting our blessings that my particular organization hasn't been hit and it's one of the few safe places in the company right now."
Will the situation improve as the economy pulls out of the doldrums? A recent Datamonitor study predicts global infosecurity spending will climb from $7 billion this year to nearly $14 billion by 2006. If the report proves even marginally correct, the increased spending on products will translate into a greater need for administrators and support staff.
Additionally, major regulations -- such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA -- are driving the need for stronger security controls and auditing. As Congress and individual states enact more infosecurity regulations, enterprises will have to beef up their in-house expertise to ensure they're complying -- or at least demonstrating due diligence.
Even as the economy recovers and companies replenish their IT and security budgets, it's unlikely that they'll rush to give raises or restore bonus structures to prerecession levels. Until companies start feeling more confident about their fiscal health, they'll only spend what's necessary to continue operations.
About the author:
Lawrence M. Walsh is managing editor of Information Security.