Conventional wisdom dictates that the high demand for IT security practitioners would cause salaries to rise, perhaps significantly - a simple example of supply and demand. But the recovery from the Great Recession - which lasted from December 2007 to June 2009 - didn't substantially fatten paychecks for a large number of IT security personnel.
That's one takeaway from research published by SANS, the education and research institute, which conducted a similar survey in 2008.
Even though salaries may not have increased as much as we perceived, the workforce in this sector was stable.
In 2008, before the economy felt the full impact of the Great Recession, SANS researchers said they expected a big bump in salaries among the largest group of IT security practitioners, those who then earned between $80,000 and $100,000. But the new study didn't show much movement in pay among that group.
It's difficult to conduct an apples-to-apples comparison of the two surveys because SANS used different ranges of years of experience for each study. Still, one can extrapolate from the two sets of data the relatively paltry pay growth between 2008 and 2014.
Take, for instance, the largest occupation among security practitioners: systems administrators. In 2008, systems administrators with five to nine years of experience averaged an annual salary of $75,253. In 2014, systems administrators with seven to 10 years of experienced averaged an annual salary of $85,469. That's an increase of just over 2 percent a year. Not great, but better than many other professions that saw pay stagnate, or, in some instances, decline as demand for employment outweighed supply of positions.
CISOs didn't fare better. A chief information security officer with 10-plus years of experience averaged an annual salary of $141,750 in 2008. This year, that job pays on average $138,529 a year for those on the job between 11 and 15 years, a decline of $3,221. Even the more experienced CISO, with 16 to 20 years of experience, saw a paltry increase in average salary to $148,000 in 2014; that's not even a 1 percent annual increase.
The paltry pay raises come at a time when the unemployment rate was virtually nil among IT security practitioners, says Scott Cassity, managing director for Global Information Assurance Certification, which worked with SANS on analyzing the data. "There has not been a drastic pickup in pay," Cassity says."
According to Information Security Media Group's analysis of U.S. Bureau of Labor Statistics employment data, the unemployment rate for computer systems administrators stood at 2.9 percent for the first three months of 2014 (see A Seller's Market for IT Security Jobs for qualifications on how those rates are determined). For information security analysts, the ISMG analysis shows an employment rate of 3.2 percent for the first quarter of 2014.
Many economists consider an unemployment rate of about 3 percent or less to be full employment because of the normal churn of jobs.
$100,000 Salaries on the Rise
Still, a larger proportion of IT security practitioners - 49 percent in 2014 vs. 28 percent in 2008, earn on average more than $100,000 a year, suggesting better pay for IT security managers.
And that's a positive harbinger for the coming years. "Even though salaries may not have increased as much as we perceived, the workforce in this sector was stable," says Barbara Filkins, the SANS senior analyst who managed the survey.
Even with small pay increases, salary isn't the reason most IT security practitioners remain in IT security. Seventy percent of the 4,000 respondents in 2014 cite job satisfaction as the top reason for staying in the profession.
The survey emphasizes the importance of certification for advancement in the IT security field. SANS says certifications are more frequently required in IT security than in other, more general, IT roles.
The survey has a pro-certification bias. Cassity and Filkins acknowledge that many of those recruited to take the survey come from those who have studied for certifications.
In 2008, the survey reported that a majority of hiring managers felt that certifications were a key requirement for hiring. The 2014 results support this finding, but from the standpoint of those obtaining certification. In this year's survey, 58 percent believe that holding one or more certifications is critical to their career success.
What else do this year's respondents see as critical to a successful IT security career? Continuing education and networking are key.
An Evolving Profession
How does the IT security profession look differently today than six years ago?
According to the SANS research, the security engineer or architect was the most popular job title, slightly greater than 12 percent in 2008, followed closely by information security analyst, at slightly less than 12 percent. In 2014, both titles have grown in numbers, with 23 percent of survey respondents saying they're a security analyst, followed by security engineer or architect at 15 percent. Management-oriented job titles this year occupy third and fourth places. SANS says 28 percent of IT security pros hold management titles vs. 72 percent non-management titles.
Here are other interesting tidbits from this year's survey:
- 18 percent of respondents come from banking, finance and insurance industries;
- 60 percent of respondents have 10 years or less of IT security experience;
- 35 percent of respondents expect their organizations to increase their cybersecurity staff;
- One-third of respondents say incident handling and response is a key skill for managers, the highest of any skill; that skill also ranks No. 1 among non-managers, at 15 percent;
- Other key skills for managers: cloud computing/virtualization, analytics and intelligence and audit and compliance; for non-managers: audit and compliance, managerial or leadership skills, firewall/IDS/IPS/SIEM management and analytics and intelligence.
How has your compensation fared in the past several years and what factors keep you in the cybersecurity profession? Please share your views in the box below.