Information security pros neither face wage boons nor badlands this year, reports Illena Armstrong.
Salary windfalls are awaiting few, if any, information security leaders this year. And while that fact may be far less than shocking, compensation wastelands aren't the norm either, despite an economy that has been painfully sinking over more than a few months.
As the dollar continues its fall to record lows, the belief that the economy is slipping faster into an official recession is quickly turning into reality. Numerous recently published economic reports confirm an unrelenting slump and indicate that many markets, including finance, manufacturing and construction, will get hit the hardest over coming months. And while information technology also is taking a battering, budgets focused specifically on IT security are, for the most part, either increasing or staying put, according to experts.
In this year's SC Magazine Salary and Career Survey, which was conducted with research firm Millward Brown, the average base salary for C-, director-, manager- and VP-level security pros is $117,000. According to last year's Salary Survey, the average base salary for lead IT security professionals was $108,000 compared to a $101,400 average in 2006. While this year's rise is a modest one of about eight percent, it's an increase nonetheless. And, to most industry experts, it's a boost that makes sense – regardless of a sustained economic tumble.
To be sure, information security initiatives are ranking higher on the list of overall business priorities for most companies. The upshots are escalating salaries and additional hires.
“This is driven by the regulatory compliance requirements relating to information security that impact almost all industries,” says Simone Seth, director, PricewaterhouseCoopers, who supports the nonprofit Information Security Forum (ISF) as part of her job.
Jeff Combs, director of technology risk recruiting for Alta Associates, a New Jersey-based executive recruiting firm, agrees. The problem is, however, that the pool of experienced executives from which to choose still seems a bit small.
“Whether driven by regulatory requirements, customer and shareholder confidence or legitimate threats to the business, organizations across the board are addressing the need,” he explains. “And although many [pros] aspire to be in a leadership role, the people who are qualified to lead and build security programs are in great demand and that level of experience comes with a price.”
Still, the pay increase noted in this year's SC Magazine survey, which saw 536 readers respond, is less a hike based on the notion that security professionals add value to the organization, says Seth, who also has served in lead privacy and security positions at Citigroup, Deutsche Bank and JP Morgan Chase. “It still feels like most organizations do security because they have to, rather than because they see it as something that can add rather than subtract from their bottom line.”
Staffing for security
Whether regulators or internal drivers are compelling them, company leaders clearly understand the need to have information security professionals on the payroll to help safeguard critical data. But, judgments on just how large the staff should be is another issue altogether.
This year's survey shows that the number of employees in charge of IT security is generally small, which correlates closely with last year's survey that saw 474 readers respond. Specifically this year, 45 percent of respondents noted that one to two employees were responsible for security, while another 24 percent had three to five staff. Meanwhile, only nine percent of respondents have either 51-plus or 21 to 50 employees dedicated to security.
Yet, the top three responses on overall company size reveal that most organizations have either 5,000 (36 percent), 1,000 to 5,000 (23 percent), or 101 to 500 (18 percent) total employees. These numbers, taken together with the purported size of IT security departments, beg the question: Are companies relying on too few information security pros to protect their companies given how many in-house employees they have?
“All budgets, including security, are feeling the effects of the current economic climate,” says the ISF's Seth. However, she adds that plenty of people having some responsibilities for information security and controls “are sprinkled throughout organizations.”
Many CSOs in big companies, which often centralize information security, have over 500 people reporting to them, says Ed Zeitler, executive director of (ISC)2, a global certification and training organization. Other organizations, however, might have less defined security staff.
“The number of people out there working on information security is probably steady. It's just how you recognize them,” says Zeitler, who previously has headed up information security at Charles Schwab & Co., Fidelity Investments, Bank of America and Security Pacific National Bank. “When I was at Fidelity, I created a distributed information security officer program. So, each of the individual companies within Fidelity had its own information security officer who reported to that company. Even though I had an organization that I managed [by] dotted line of maybe 200 people, I only had 20 who directly reported to me.”
No matter the number of IT staff, though, companies are acknowledging the need to become more deliberate with their information security planning. Even with a souring economy, executive leaders understand the consequences associated with theft of data. Information security, says Zeitler, while once viewed as a cost center, now is seen as more essential to the business. As a result, most companies are expanding budgets or, at least, keeping them fixed when it comes to management, operations or auditing of information security/risk management programs, he adds.
The roles of IT security professionals, on the flip side, are anything but unchanging. Information security persists in defining sound business practices, which equates to heftier roles for security pros. These, in turn, require larger skill sets.
Approximately 91 percent of SC Magazine readers responding to this year's survey rate the ability to communicate effectively as the most important skill an information security leader can master. Other talents that made it to the top of this list include strategic thinking/planning (77 percent), the ability to lead during a crisis (72 percent), the understanding of business processes and operations (71 percent), and tech skills and knowledge (69 percent). Just as last year's survey showed, IT security-specific talents were lower on the scale of importance to security executives.
Most winning CISOs are very strategic, collaborative thinkers, truly looking at information security from a business perspective, says ISACA's Lobel. As one would expect, they cover people, process and technology. But as their careers progress, they are continuously relying on more than just technology.
Adroit management helps, too, says Michael Hamilton, CISO of the city of Seattle. In addition to toggling easily and confidently between IT and business languages, pros must master “the ability to negotiate and ensure that the business always comes out on the winning side – or at least create that perception, without compromising control standards,” he explains.
Budding roles should have some meaningful side effects: more money, better benefits and increased job satisfaction. This year's survey indicates that while there is pretty much a 50/50 split on whether current salaries meet expectations, many readers find their jobs rewarding (49 percent). Only about 36 percent feel they are well compensated for the duties they perform, while 41 percent note feeling under more pressure to perform. When their next annual review comes around, 42 percent of respondents expect a raise of two to four percent, while another 26 percent predict a bump of four to six percent.
Overall, pay packages are beginning to strengthen in the IT security industry, especially for the pros who are offering the right skill set, says John Baschab, SVP, Management Services, Technisource, a staffing, management and technology services provider in North America. “Security professionals who can combine technical, management and executive expertise into a single package are going to be most sought after.”
Given the right circumstances, such leaders may remain with a company for some time, too, as this year's survey bears out. At the high end, 32 percent have been with their current organization between five and nine years. About 31 percent have stayed on between one and four years, and another 19 percent have 10 to 14 years at their current companies.
This is because security people now are developing more influence inside their organizations and are staying longer to witness the fruits of their labors, which often takes longer than a mere 12 months to manifest, says ISACA's Lobel. Plus, changing information security jobs quickly can be grueling, adds the ISF's Seth.
“It is too hard to prove your value over and over again,” she explains. “However, junior- and mid-level people will try and crawl up the corporate ladder. But with the recession in full swing, no one is going anywhere by choice. Everyone speaks of staying low to the ground and clinging to what they have.”
To remain a vital player in the field requires breadth of knowledge. How to get and maintain that know-how is a matter of opinion.
Approximately 20 percent of respondents have information systems undergraduate degrees, 13 percent have business degrees and 11 percent computer science degrees. Of those who note having undergrad degrees, about 439 respondents, 10 percent opted for a master's in business.
Such educational background is expected, according to Combs. “Among organizations that prioritize education, undergrad degrees in the sciences are still preferred. However, for leadership roles, business-focused degrees are very desirable.”
On top of long-standing business programs offered by universities and colleges, the value of more formal information security degree programs can benefit pros in varying stages of their careers. After all, translating business risk into a value proposition that makes sense to C-level executives is critical, says Dennis Devlin, CISO of Massachusetts-based Brandeis University. And to do this right takes more than just an IT background. Information security or assurance degrees, such as those offered by Brandeis and other universities, can prove quite advantageous to one's career development.
Professional certifications help, also. According to respondents, (ISC)2 certifications lead the pack again this year, showing that 38 percent hold either a CISSP (Certified Information Systems Security Professional) or other credential from the organization. ISACA certifications, including the CISA (Certified Information Systems Auditor) and CISM (Certified Information Security Manager), came in second with 16 percent of respondents having these certs. CompTIA offerings were third, with 14 percent of respondents earning their CompTIA Security+, Network+ or A+ certs.
According to Joyce Brocaglia, CEO of Alta Associates and founder of the Executive Women's Forum, an industry event that brings female information security pros together for knowledge exchange, the majority of hiring managers worldwide indicate that information security certifications are important when hiring.
“Employee competency and quality of work remain the top reasons that employers and hiring managers continue to place emphasis on security certifications. Professional certifications are a great validation of your commitment to the industry and a level of competency,” she adds. “Companies that are hiring are more and more determining the professional certification that best validates a candidate's suitability for the position.”
And as far as management posts are concerned, (ISC)2's CISSP is the industry standard. On the other hand, more technology-focused jobs might call for a vendor certification, for instance, “that matches your organization's particular technology environment, such as certifications from Microsoft or Cisco,” she says.
While there are still some hold-outs – approximately 36 percent of respondents to the SC Magazine survey note having none of the listed certs – most experts agree that certifications often do give those looking for jobs in the space a leg-up. Frequently, they are “useful for making a ‘first cut,’” says Seattle's Hamilton. Still, candidates' real-world experiences and abilities usually are the top considerations, he adds.
For most employers, Alta's Combs says that a combo package of on-the-job experience, education and training is the best.
“While more and more companies require a degree, candidates who lack formal education, but have a depth of experience, are marketable, especially if they can demonstrate a track record of success,” he says. “Certifications are always desirable because they show a candidate's commitment to their profession. References, while rarely the initial priority of a hiring manager, are often what leads to hidden opportunity or can push a candidate over the top.”
Nonetheless, getting to the top requires a lot more than experience and education. The skills that are critical to information security pros looking to secure and maintain a C-level seat at the table are numerous, says Alta's Brocaglia. Overall industry knowledge, understanding of the company's place in the market, familiarity with relevant regulatory and legal requirements, and solid communication skills are all requirements. Another important talent is being able to “articulate the business value” of security.
“First and foremost, companies are looking to hire, retain and promote individuals who can execute and deliver programs and solutions on time and in a manner that enables businesses to achieve their goals,” she explains. “Many people can talk the talk, but companies most value the folks who actually deliver.”
More than ever before, organizations are seeking out well-rounded IT security executives who understand the business, who support the mission of the organization, and can address the risks the organization is facing, adds Devlin.
“There's that old expression that efficiency is doing things right and effectiveness is doing the right thing,” he says. “I think the real wisdom of a good CSO is applying a finite amount of resource…to the things that will have the highest return in terms of mitigating risks.”
IT security: Growing diversity
White males are the majority in the field of information security.
Not far off from last year's results, this year's SC Magazine Salary and Career Survey shows that about 88 percent of respondents are males and only 13 percent females. Last year saw 90 percent men and 11 percent women.
As far as ethnicity is concerned, about 87 percent of readers who responded are white, while four percent each are black or Asian, five percent are Hispanic, and two percent Native American. This cross section also closely mirrors last year's response, with only slight changes in one or two categories.
The lack of diversity in the information security space, whether when discussing the dearth of female professionals or the scarcity of varied ethnic groups moving into the profession, is the norm, according to most experts. But, fortunately, this is starting to change.
“Security is definitely a male-dominated field. However, the 455 alumni of the Executive Women's Forum are a great example of the growing number of successful women in our field,” says Joyce Brocaglia, CEO of Alta Associates and founder of the Executive Women's Forum. “Skill sets that most employers value in their technology executives have changed in the past few years. For example, most organizations…are looking for executives who have strong business acumen, can manage through influence, communicate effectively at all levels, exhibit strong collaborative styles and multi-task many demanding people and deliverables. I believe women naturally possess many of these skills and are changing the face of the information security professional.”
Yet such transformations will take time, which simply mirrors the evolution occurring in other business markets.
“Ethnic diversity in the [information security] field will follow the natural evolution of ethnic diversity in the workplace. There is nothing unique or special about [information security],” says Simone Seth, a director at PricewaterhouseCoopers. “As the ethnic makeup of the United States changes, the changes will be reflected in the workplace. It will happen naturally and gradually.”
The SC Magazine Salary and Career Survey 2008 was conducted by SC Magazine and research firm Millward Brown. The survey was open to all SC Magazine readers. A total of 536 respondents completed the survey from March 26 to April 16, 2008.
Results are not weighted. Based on this sample, results are accurate to a margin of +/– 4.2 percent at a 95 percent confidence level.