Six-figure security jobs have become common. Maybe you should slip this article into your boss's mailbox.
For 14 months, candidate after candidate trudged through Andre Gold's office hoping to be offered a coveted position with the Continental Airlines information security team. Gold saw them all during his hunt for talent--CISSPs, CISMs, MCSEs, each with impressive technical chops, but....
"They could not define risk, or they did it by what the CISSP book says," says Gold, director of information security for the airline. "To the business side, it's important to have an entity that can articulate risk in terms of the business. I can find people who write rules and put in firewalls. All I ask them is, 'Why? What's the risk? How will it impact revenue?'"
Increasingly, those who can successfully align risk to business processes and communicate that to management are cashing in with lucrative careers in information security, and landing jobs with six-figure salaries, according to most prominent salary surveys.
By that measure, Gold believes he is making himself even more marketable by pursuing an MBA from Colorado State University. In fact, some predict (and hope) that those with business skills bolstering their bits-and-bolts know-how will get compensated in the same manner as a company's C-level executives.
"You will see compensation structures change, and [CISO] packages more in line with what chief executives expect in an organization," Gold says. "That includes the base salary, incentive bonus packages and stock options. I see [getting a CISO position] becoming competitive, but you won't see that competition drive down the price."
|Putting Out Fires|
Former Army intelligence officer focuses on crisis control
Name: Don Ainslie
Title: Deloitte & Touche Global Security Officer
Key career move: Taking the job at Deloitte
Working counterterrorism and counterintelligence in the U.S. Army, Don Ainslie provided "black book" briefings that outlined threats in officers' particular regions. As the current global security officer for Deloitte & Touche, he supplies company executives with business intelligence on regional threats. Ainslie is responsible for securing the professional services firm's information and 125,000 employees in 150 countries, and handling crisis management.
Since taking the position in 2004, Ainslie's leadership and management during crises have been tested plenty of times: the Asian tsunami in 2004, the London subway bombings in 2005, various hurricanes and a building fire in Spain.
He draws on the security foundation he built during his four years in the Army and his experience working as a security consultant at Trident Data Systems and Aegis Research. Both companies specialize in serving government agencies, and some of the work was sensitive and involved classified data. He later joined Ernst & Young, where he helped commercial clients with business continuity plans, risk assessments and other security projects.
Deloitte tapped Ainslie in 1998 to help build an information security consulting practice. He then headed global information security until Deloitte combined its information and physical security efforts, expanding his role.
His job isn't about forcing people to do things or implementing security for security's sake within the company. Rather, it's about showing how security can help the bottom line and improve the services Deloitte provides its clients, Ainslie says.
"You have to establish credibility--that you know what you're talking about--but also [show] that you can add value," he says.
Getting Down to Business
Various organizations conduct salary studies that focus on slightly different job titles. But regardless of whose numbers you look at, today's average security manager is making upwards of $100,000 per year. The SANS Institute's annual salary and career advancement survey, released in January, puts the median U.S. salary for a senior security executive--such as a CISO, CSO or chief risk officer--just north of $106,000. Meanwhile, according to compensation researcher Foote Partners, a manager of information security earns slightly more than $101,000 per year.
Why do some security managers earn more than others? "The global nature of the position, responsibilities, size of staff, industry and geographic location," explains Joyce Brocaglia, CEO of Alta Associates, an executive recruitment firm specializing in information security. "People who have skill sets and can articulate certain situations to enable the business to reach its goals can demand better salaries."
But don't misinterpret six-figure pay to mean that infosecurity pros think they're being adequately compensated. With the money comes new demands; regulatory pressures have forced corporate boards to pay more attention to information security, and that added focus shines a spotlight on the policies and people that protect customer data and intellectual property. There's more on a CISO's plate than ever before.
"I haven't seen compensation in line with what major organizations are expecting of CISOs," says Continental's Gold. "Base salaries are still low, and incentive plans that include equity in companies are not on par with what they should be. You're asking individuals to plug gaping holes in organizations, especially if it's a public or Fortune 500 company, and you're still not compensating them what you should be."
Some industries, like financial services, are starting to put security under the risk management umbrella alongside business continuity, disaster recovery and technology risk management. Earlier this decade, regulated industries scampered to meet the demands of auditors to have a central figure responsible for risk and, ultimately, for information security.
|It's the Can-do Attitude|
Experian's CISO makes security an enabler
Name: James Christiansen
Title: Experian CISO
Key career move: Switching from engineering to information security at Visa
James Christiansen was an engineering executive at Visa International in the late '90s when the company suffered a very public, embarrassing incident involving a stolen laptop. Intent on preventing similar events, the company's IT president asked Christiansen what it should do. Christiansen went to work on a business plan, scouring the Internet and anything he could get his hands on regarding security best practices. He handed the president his plan with the recommendation that Visa create an information security division and got a quick answer: Do it.
Eight years later, after becoming Visa's first information security officer and then the worldwide CISO for General Motors, Christiansen has taken up a post as CISO at credit and financial services firm Experian. He credits his success to his combination of technical and business experience.
At Visa, he directed the project management office and worked in IT financial management before moving into engineering. He also worked as the business relationship manager of call center operations at Household Credit Services, and, before that, worked in various database, systems engineering and programming jobs. His professional credentials include an MBA.
In Christiansen's opinion, a CISO needs deep technical grounding balanced with a strong understanding of business; using jargon and fear to convince the CEO of the need for security is "the loser approach," he says. "You need to be able to translate the issues into terms the CEO can understand."
That skill of couching security in terms of driving revenue last year helped him to earn an unusual honor for a security official: an award for his contribution to Experian's sales.
Instead of always saying no, it's critical for a CISO to figure out a way to build on the company's initiatives while still retaining confidentiality and data integrity, he says. "You've got to find a way to say 'yes.'"
Lloyd Hession, CSO for BT Radianz, a New York-based provider of secure connectivity for the financial industry, says that funding is being funneled to audit teams--away from those doing security work. He fears salaries may have leveled off for those reluctant to take the plunge into risk management. "The auditor keeps the CEO out of jail and has a seat at the big table," Hession says. "Audit people have moved up in prominence while everyone else has [moved] down." According to Alta's Brocaglia, salaries have leveled off as skills have gotten commoditized and/or outsourced.
"If a premium is paid anywhere, it's for the information risk area," she says. "Folks who are truly paid the most generously are the tri-athlete candidates: they have strong business acumen, a good technology base and the ability to communicate. Companies are asking for program managers and people who tie together disparate security aspects of business units, manage the entire function and present that package to the board or senior executives."
If paychecks are any indication, companies value a combination of IT and auditing skills. CISOs increasingly have more of a business-process background than one of strictly computer security or engineering. SANS found that managerial types--like senior security executives (CISO, CSO) and senior policy executives (CTO, director of IT operations)--make $106,326 per year, and technical security pros earn on average $75,275 per year. Security analysts and network security architects (positions with a technical focus) earn a median salary of $74,200 per year, according to Foote Partners.
The CISO must have strong business acumen and articulate technology solutions to a diverse audience, says Tracy Lenzner, CEO of LenznerGroup, an executive recruitment firm. Says Brocaglia, "There's a direct correlation between the increase in offers made to those candidates who have a more holistic approach of risk and executive management skills, which are required for other executives in a company."
|Rallying the Troops|
Former FBI agent says understanding motivation is key
Name: Tim McKnight
Title: Northrop Grumman CISO & Business Group Director
Key career move: Leaving the FBI for Cisco
Tim McKnight got his start in information security at the Federal Bureau of Investigation as a special agent protecting the nation's critical infrastructure from cyber-threats. His work as a G-man proved to be invaluable training for his current job as CISO of defense contractor Northrop Grumman--not just because of the investigative and security skills he developed, but also the people skills. In his 10 years at the FBI, he learned how to communicate clearly, build strong teams and lead effectively.
"Understanding motivations--what gets people going, what gets them out of bed in the morning--definitely helps to build relationships in the company, which leads to making the security programs successful," McKnight says.
Communication and leadership skills are essential for a CISO, who must be able to bounce between the data center and the boardroom, and translate security needs into business terms, he says. The main challenge for any CISO is getting past the old image of being the "gloom-and-doom, sky-is-falling guy."
After leaving the FBI, McKnight moved to the private sector and became steeped in how an IT organization in a large corporation operates. At Cisco Systems, he launched a team that conducted security assessments of companies Cisco acquired. He then worked as IT security director for defense and aerospace firm BAE Systems North America.
At the bureau, McKnight felt like a pioneer in an exciting world of information protection. Today, he thrives on the challenges of information security and forging ahead into uncharted territory.
"With the constant change in security and business needs, I continue to feel like a pioneer," he says.
Given this apparent premium on business skills, which would you rather your security staff have: an MBA or a CISSP? (See "Moving On Up")
Certification debates are sticky. Many argue that certifications are diluted and have lost their luster, especially with larger enterprises; others value them because they demonstrate a level of competency. One thing not up for debate: Security certification holders earn more money.
According to SANS, if you have an ISACA certification like the CISM and CISA, or (ISC)2's CISSP, you're among the highest paid security professionals. Those with ISACA's management and auditing certifications average $98,571 in annual salary; a CISSP or SSCP earns $95,155, on average. According to the survey, these wages exceed the $79,430 average annual salary for those professionals with vendor-specific certifications from Cisco Systems or Microsoft, for example. Foote Partners, meanwhile, looked at salaries associated with 109 certifications, and has determined that holders of the CISA, CISM, CISSP, SSCP, CCSP and SANS's GIAC certifications are among the highest paid professionals in the field.
While non-certified administrators got, on average, bigger raises in 2005, their base pay was lower. According to Foote Partners, compensation for certified professionals has leveled off because of a slowdown in demand for entry-level and intermediate security employees. However, the company predicts that hiring and salaries for certified security pros will increase for several reasons: The prevalent belief is that security is a cost of remaining competitive; additional global projects require complex security; criminally motivated breaches are on the rise; and federal and industry regulations are calling the shots.
While some infosecurity managers, like BT Radianz's Hession, argue against discounting non-certified job candidates simply "because they're not a career security person," certification bodies insist that certifications are perhaps more important factors in hiring security professionals than in any other IT segment.
"You're talking about someone with access to everything in an organization. You want to rely on what a competent organization said about what a candidate can do," says Corey Schou, vice chairman of (ISC)2's board of directors. "If a security professional goes through a certification program, it's worth paying them more; they have more skin in the game. We're talking about, in some cases, people getting $120,000 a year--you want to make sure you're buying good quality. We provide the due diligence model. They're not just walking in saying they're good; someone has sworn they're good."
|Leap of Faith|
Bloomberg chief makes unusual leap from sales to security
Name: Stephen Scharf
Title: Head of security at Bloomberg
Key career move: Volunteering with ISSA
Stephen Scharf's path to becoming head of information security at Bloomberg had a rather unlikely start: sales.
Fresh out of college with a degree in history, he got a job selling CAD/CAM-based nesting software to manufacturers of helicopters, tractors and other heavy equipment. The software helped engineers figure out the optimal parts positioning on sheet metal to cut down on material waste. He loved going out on the manufacturing floor filled with big machinery--"every kid's dream," Scharf says.
But he was more interested in the products than in selling them. So he shifted his focus to technical support and set his sights on a career in IT. He worked as a systems administrator and network engineer. Eventually, as security-related projects filled more and more of his time, he found his true calling.
Scharf transitioned to security consulting firm @stake (acquired in 2004 by Symantec), where he performed both IT security and physical security assessments, mostly for financial services firms. He also expanded his knowledge of industry trends by volunteering for the Information Systems Security Association (ISSA).
After four years of consulting work, he joined Bloomberg, a major outlet for financial data, news and analysis. Like everyone who works for the company, Scharf doesn't have an official title; he heads up both physical and IT security.
His varied background of sales, support, engineering and consulting gives him the skills necessary for the job, which requires him to wear many hats, Scharf says. Having IT experience coupled with an understanding of business helps him take a measured approach, weighing risks with the cost of their remediation.
"We spend a lot of time and effort securing our environment, and you have to be able to translate that into the associated costs and benefits [from a business sense]," he says.
Keep in mind, too, that the definition of what's good often changes. Technical skills, in fact, may regain importance.
Alan Paller, director of research for the SANS Institute, says that people who have been writing security policies and audit reports aren't directly making their companies more secure, and the state of security is much worse than what managers have led people to believe.
"I can see just over the horizon a shift toward equally valuing the rarer skill of securing systems to the common skill of writing about and managing security," Paller says. "This means that the CISO has to focus more on the technology side of the job. Most CISOs have known this secretly and are intellectually prepared for it. It's a challenging shift because the professionals are being measured not on whether they wrote a report, but whether they've made a system secure. This forces more of a partnership between security and operations, as opposed to them having a 'gotcha' relationship."
Paller says that enterprises have been relying for too long on process-based metrics--such as whether a policy is written, disaster recovery plans are in place or in-house security awareness training is conducted.
Now, some businesses are moving to attack-based metrics that gauge the performance of people and systems against particular vectors like DoS attacks, Trojans, rootkits and spyware.
"As soon as you change the metrics, which is happening now, you value the people who get scores up more than those who write reports," Paller says.
He stresses that his theory doesn't devalue the skills of a security manager; it just elevates the worth of those with technical chops. With audits happening more frequently--in many instances, quarterly instead of annually--organizations are placing more emphasis on secure systems and processes.
"Assuming the value you're paying for management skills is fair, you're going to pay close to the same money for those who can meet demand," Paller says. "It isn't only about management." Paller concedes that this shift may take a couple of years.
In the meantime, many enterprises will pattern their security offices around risk management, the very skill that Continental's Gold was searching for. "What's hard to test is aptitude. I wanted someone who could think outside traditional security parameters," he says.