IT security professionals say budgets and staff sizes have increased this year, and they expect more of the same in 2015. But despite growing demand for qualified security practitioners, salary levels for security-focused job roles are only up slightly when compared to last year.
Those were the key takeaways from TechTarget's 2014 IT Salary Survey. Conducted among readers across TechTarget's network of sites, the survey polled 1,194 IT professionals across North America.
Among approximately 250 respondents who indicated that security is their primary role within their organizations, one-third said budgets are larger than last year, with the average increase among that group hitting 12%, while another third said that budgets held steady. IT staff sizes also increased at 29% of organizations by an average of 15 professionals, according to security pros surveyed. Another 43% said that the head count remained the same. Only 18% of respondents said that staff sizes had been reduced.
All told, the IT security salary survey bears out a trend commonly cited within the security industry: more qualified practitioners will be needed to fill an increasing number of openings in the coming years. More than one-third of security-focused respondents indicated that their organizations are looking to hire new IT professionals this year, and that number is likely to increase; 43% said that they expect the mood within IT to be more optimistic in 2015.
David Escalante, director of computer security and policy at Boston College, said that security budgets are indeed rising at many organizations, but warned that the trend shouldn't lead security professionals to be overly optimistic. Instead, he said that larger budgets are being allotted to deal with even bigger security problems, and consequently, management teams will be expecting results.
"I am hearing people talk about bigger security budgets and head count, but only in the context of increased focus on the difficulty of doing good security and increased upper management scrutiny," said Escalante. "They're generally happy at getting upper management's attention, while realizing it's a two-edged sword."
Salaries increasing, but not by much
Just over half of the security pros who responded to the TechTarget Salary Survey said that they received raises this year, with 4.6% being the average increase in base compensation. Another 51% expected a similar increase next year. But while 35% received a bonus this year, only one-fifth of respondents expect a bonus in 2015.
All told, salary levels did not increase at nearly the pace one might expect with the demand for security professionals at an all-time high. Despite security-focused respondents generally being experienced in the field -- more than two-thirds said they had at least 10 years of experience -- the average base salary only reached $112,372 this year, compared to $111,169 in last year's survey.
The median base salary jumped $6,000 year over year, but most of the compensation gains within the security industry appear to be going to those receiving bonuses. With bonuses factored into the equation, average compensation among all respondents increased by more than $2,500 -- more than twice the increase seen in base salaries alone.
Escalante said that he does indeed hear about increasing salaries among security professionals, but that averages such as those in the TechTarget survey tend to skew the perspective of those tasked with budgeting for talent.
"This is making it harder for security groups to recruit [and] retain employees since the salary survey data that central HR groups use to benchmark employee salaries tends to lag hot markets," said Escalante.
Lee J. Kushner, president of information security recruitment firm L.J. Kushner and Associates in Freehold, N.J., agreed with the assessment that human resources teams focus too often on hiring security pros at or below oft-cited average salary levels. In the process, he said, they ignore the reality that organizations need to pay premium rates if they want to attract above-average practitioners. Case in point: even large companies like Home Depot and J.P. Morgan Chase that have endured massive data breaches recently have struggled to attract and retain infosec pros.
At the same time, Kushner warned that the optimism expressed by respondents to TechTarget's 2014 IT Salary Survey may be slightly misplaced, as the lion's share of compensation increases and new opportunities go to only the top 10% or so of professionals in the field. Thus, while nearly half of readers described themselves as "open to new opportunities," Kushner said that most security professionals should not expect large wage increases as a result of switching employers, much less a more prominent role within a new organization.
Between HR professionals generally offering too little for top-tier talent and a majority of security pros expecting better compensation, Kushner advised enterprises to do a better job of addressing expectations for salary and bonus increases in order to avoid potential issues with employee dissatisfaction.
"The expectations for promotion, advancement, all those things, if you're optimistic and the air goes out of the balloon, that's a problem," said Kushner. "A talented person that is working at a company that treats security as important and are treated well… those people aren't going anywhere.
"I think we're riding a nice wave here," Kushner continued, "but that could turn."