
Money matters: SC Magazine/EC-Council Salary Survey 2007

However, many experts believe that solid salaries will grow for those IT security pros who are experienced in business, are equipped with an understanding of both compliance and auditing demands, and have well-developed technical skills. Additionally, opportunities to make a wider imprint on their corporations' operations and business strategies will become more and more evident as the industry continues to mature.

According to the SC Magazine/EC-Council Salary Survey 2007, conducted with research firm Millward Brown, the average base salary this year for C-level — as well as director-, manager- and V.P.-level security pros — is $108,000, compared to a $101,400 average last year. Despite the 6.51 percent rise, however, it's a far cry from what many may recall seeing when internet-related sectors became all the rage among various businesses and venture capitalists during the lively days of the dot-com boom.

"There's definitely been a huge adjustment after the boom [of 2000] kind of flattened out," says Jeff Combs, director of technology risk recruiting for Alta Associates, a New Jersey-based executive recruitment firm. Indeed, 2000 was a "ridiculously insane year," Combs recalls, adding that "there was just so much hubris, I couldn't get over it."

Then, in 2001, salaries and benefits packages plummeted as the information security industry became sluggish after the bubble burst and 9/11 happened.

"[In] 2003, people weren't getting paid much, and I think it was because there was a lot more talent than demand, but now it's coming back up," he explains.

So while lead IT security pros in the financial services space, for instance, may have made around $150,000 to $160,000 back in the boom days, today they're more likely to see $130,000 or less.

"Companies are realizing you have to pay fair market value," he adds. But, for that to materialize more consistently across both regions and vertical markets in this still-evolving sector, says Combs, more understanding of roles must happen.


Shifting job definition
Most security professionals do have more responsibilities associated with their jobs, says Sondra Schneider, president and CEO of Security University, a provider of hands-on information security training classes that prepares and qualifies security professionals to protect electronic assets. But, she adds, they are getting paid for that expansion of duties.

According to the SC Magazine/EC-Council Salary Survey, about half of respondents say their salary meets their expectations.

"I see some well-compensated people in [the information security] space [who] are definitely doing more than they ever have. If they're getting somewhere between $100,000 and $180,000, I think the company expects them to be business-oriented," Schneider says. "They're really addressing a different level of risk inside the organization and that's not a worker bee [position]. It's really someone who is taking on that responsibility of business risk."

And, because of the increased occurrence of connecting these responsibilities to business goals, bonuses are good and, usually, are performance-based, says Combs. Of the 474 respondents to the survey, 46 percent see performance-related bonuses, and about 64 percent rate these kinds of bonuses as an important part of their salary packages.

Along with bonuses, other benefits rank quite high on the list of what companies usually offer as part of respondents' salary packages, including medical plans (89 percent), dental plans (82 percent) and 401(k) plans.

Strong benefits and pay might contribute to why turnover in the information security field seems to be lower than in the past. Of all the respondents, only seven percent had changed jobs in the last 12 months. Most have been with their employers between five and nine years (37 percent) or one to four years (22 percent).

"My knee-jerk reaction to that kind of data is that we've heard for a while that maybe the security market is cooling off a little bit," says Gene Fredriksen, principal consultant with analyst firm Burton Group, and former chief information security officer of Raymond James Financial. "For a long time we saw that security salaries were rapidly increasing. It may be indicative that the curve is slowing down a bit and that people aren't moving simply for money anymore. And, given the fact that they may be faced with a lateral or lower percentage move, they're opting to stay where they're at."

Traditionally, say both Fredriksen and Combs, the minimum salary increase needed to change jobs has centered on a 10 percent hike. And while about 41 percent and 21 percent of total respondents expect a raise of between 2 and 3.9 percent or between 4 and 5.9 percent, respectively, at their next review, it would take a much higher increase to entice them to leave their current jobs. Some 20 percent would expect a 20 percent raise in pay, while approximately 15 percent would want to see a 15 percent increase.

A maturing view of information security among corporate leaders also may be helping individuals to stay put where they are so as to experience an evolution in their positions, says Fredriksen.

"The other thing that I think we're starting to finally see is that security is becoming more and more integrated into the other operational areas of IT, whereas if you go back a few years, you needed a staff of absolute security specialists that sort of rode herd on the whole thing," he says. "Now what's becoming more important is that security is integrated into all facets of the IT operations. It's that cross-pollination, I think, that's happening and, as security gets integrated more and more into the mainstream of the organization, you're going to see that differentiator for people as security specialists in a standalone mode change."

That means that no longer will companies need to hire "a team of security killers," but "a bunch of IT professionals with good security awareness," he adds.

Still, it will be necessary to cover some specialty areas, says Sanjay Bavisi, president and CEO of the EC-Council, an organization that, among other services, provides training and certification in ethical hacking, forensics and penetration testing. Just as organizations will need an information security leader with broad-based security, risk management and IT know-how, he says, others on their team will need to understand the specifics of, for example, evidence discovery and data retention in order for the company to make educated decisions on what to do after systems are breached and, more importantly, to ensure the infrastructure is robust enough to sidestep such attacks.


It's a different world
Overall, most corporate executives and their companies are looking at security differently today, says Schneider.

"Before, it was an IT job. Today, it's related to risk and, now that we have risk officers and CSOs, I think people clearly can see that being in an information security position in an organization has more value than it has had in the past," she says. "The overall feeling of wanting to stay there and improve the business definitely is becoming a valid [motivation]."

This, though, is far from true across the board: "The bad companies — people are still running from the companies that still aren't doing risk management right or are not doing it at all," she adds.

While not a mainstream occurrence, many companies are striving to ensure they're viewed as being proactive about securing digital assets by asking that new hires have a certification.

Do certifications matter?
Of all respondents, 32 percent hold a Certified Information Systems Security Professional (CISSP). ISACA's Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certs came in second with about 16 percent, and CompTIA's Security+, Network+ and A+ certs came in at around a combined 19 percent. The SANS Institute's Global Information Assurance Certification (GIAC) seized about eight percent of respondents.

Ed Zeitler, executive director of (ISC)2, says the CISSP leads the fray because it has become the "gold standard." It takes the question out of employers' minds on whether or not an IT security professional understands how information security fits into the organization, he says. Further, he adds, those holding CISSPs usually are in management positions, running information security programs and, in these roles, "business planning is critical."

Yet, say some, other certifications are just as critical for an organization's IT security pros to have.

"Everyone knows (ISC)2 has been around for a very long time. And (ISC)2 has been a widely accepted authority for a certification that is non-technical," says Bavisi. "It's a very procedural-based certification, and it has been a certification that has been used for basically the senior people in the security community."

But, says Bavisi, the security sector is young, so just as the roles of IT security pros will change and develop, so too will certifications and training.

"Information security being in its infancy is going through the same evolution as the field of medicine. General medicine used to be the be-all solution to all sorts of problems," says Bavisi. "Now you see there seems to be an entire range of specializations. [These] evolved over time. Information security is going to go through the same sort of transformation."

And while companies need a person at the top of the hierarchy who has a general understanding and knowledge of information security's role in the company — the pro with the broad knowledge that the CISSP certification helps to show — others with more specialized knowledge will need to be a part of the team.

For now, many companies looking for professionals to join their ranks often note the CISSP as desirable, but not required, says Combs (though some government agencies have established directives that require all managers and technicians to obtain an approved certification to better protect their information infrastructures). Although it's often noted in want-ads, potential employers look more at experience, examining where candidates worked, what their roles were and how they progressed, and whether the industry and corporate challenges they may have faced at previous employers match up with what they might need to address at the new organization, he adds.

Still, a number of pros are not in the market for various certifications being offered, which may be due to the fact that companies still fail to incentivize employees to get them by offering bonuses. Schneider says that in her experience when companies do offer incentives it's often because they wish to comply with certain mandates or audits.

Yet, as information security continues to become an integral part of the business, more and more organizations likely will look to verify proof of minimum knowledge with certifications, such as the CISSP, says Burton's Fredriksen.

"The most valuable security person, in general, is that well-rounded person. There are a lot of security specialists out there, but security problems are very seldom vertical, they are very seldom just one issue," he says.

In the minds of many respondents, the traits that are most critical to their success as IT security leaders include the ability to communicate effectively (89 percent), strategic thinking and planning (81 percent), the ability to lead during a crisis (75 percent), the understanding of business processes and operations (74 percent), the understanding of the IT security industry (72 percent) and technical knowledge and skill (71 percent).

So no matter the certifications attained, the books written or read, or the budgets managed, the guiding traits of a strong information security leader boil down to a couple of key qualities, says EC-Council's Bavisi.

"What makes a good CSO is really a person who does not necessarily have all the answers, but has an idea of how to find the people who have the answers," he adds. "What's really important for a CSO is that they need to be very open-minded, versatile characters that have a thirst for knowledge, that are willing to learn, that — regardless of their other [experience] — have a huge sense of humility and always want to look at new avenues [to make] sure the organization is protected. I truly think these seem to be the most important credentials of a good CSO."

of respondents say their current salaries meet their expectations.
20.3% of respondents say a 20% hike in pay would be the minimum raise necessary for them to leave their current jobs.
89% of respondents rate the ability to interact effectively as critical to their success as an IT security leader.
55.7% of respondents count audit and compliance among their day-to-day responsibilities.
64.3% rate performance-related bonuses as important.
72.6% of respondents consider information systems to be their personal professional backgrounds.
24.9% of respondents are currently job hunting in the IT security field.

The SC Magazine/EC-Council Salary Survey 2007 was conducted by SC Magazine and research firm Millward Brown. The survey was open to all SC Magazine readers. A total of 474 respondents completed the survey from January 23 to February 5, 2007.

Results are not weighted. Based on this sample, the results are accurate to a margin of +/- 4.6% at a 95% confidence level. This report offers selected highlights only. The full survey results are available in Excel format for $150. Please contact Dina Kleyman at [email protected].
