By Sharon Gaudin
Jun 7, 2007
IT security professionals living outside of Silicon Valley and the
Northeast are getting substantial raises.
An eight-year study by the SANS Institute shows that security
professionals working in the rest of the country -- especially the
Midwest, the Northwest, and the Southeast -- are catching up to their
better-paid security brethren. When it comes to getting the best raises,
these areas have been at the top of the charts since the end of the last
century, with salary growth exceeding 7.5% yearly.
"There has been a leveling," said Alan Paller, director of research at
the SANS Institute, in an interview with InformationWeek. "It used to be
that from New York to Boston and then in California, salaries were way
ahead. That's where you went if you wanted a lot of money. Then the rest
of the country discovered they were just as much a target for attacks as
the California and New York firms were. It's not that they're getting
paid more than New England, but they're getting bigger raises and
Have they caught up, yet, though?
According to Paller, the Mid-Atlantic region -- Pennsylvania, Maryland,
Virginia and Washington -- has the biggest paychecks for security
professionals, coming in at a mean salary of $95,615 for 2006. The
Northeast came in second with $92,452, while the West, which includes
Silicon Valley, rang in with $86,368. The Midwest is seeing a mean
salary of $84,120, as the Northwest comes in at $81,186. The Southeast
comes in at $80,123 and the U.S. Central, which includes Kansas,
Oklahoma and Texas, came in at $78,666.
Paller, though, was quick to point out that salary satisfaction doesn't
come from having the highest salary. It comes from having consistent
increases in your salary.
"Satisfaction is less related to the absolute value of your salary than
with the change," he explained. "People who are getting good raises
every year are feeling appreciated. Those people will be much more
satisfied with their compensation than people who are paid well but
haven't gotten raises in two years. Satisfaction in security is much
higher in areas outside of the traditional high-paid areas, like Silicon
The SANS survey also shows that the Federal Information Security Management
Act and the advancement of China's technology capabilities are
propelling salaries in industries like aerospace and professional
service providers who work for government agencies, handling jobs like
security assessments and auditing. Those are two of the industry
segments that showed an eight-year total salary increase of 65%. Just a
few weeks ago, the Department of Defense released a report saying that
the People's Liberation Army in China is building up its cyberwarfare
capabilities, even creating malware that could go after enemy computer
systems in first-strike attacks.
"It's two-thirds FISMA and one-third that the Chinese are all over the
aerospace industry and government computers," said Paller. "We're trying
to build protections against attacks. ... [The DOD] wouldn't have said
it publicly if they didn't think that some action really needed to be
taken. It's been known for some time but talking about it means they're
Paller noted that salaries for security professionals working in the
telecommunications and finance industries are growing strong, but that's
no surprise since they have been for years.
Who's not doing so well?
Salaries in manufacturing, health care, and education aren't faring
nearly so well, coming in at the low end of the pay spectrum. "They've
always been the lowest paid and they're getting the lowest raises," said
As for what jobs are doing well, and not so well, it looks like managers
are seeing more raises than the people they're managing.
Some of the positions that saw their salaries grow by more than 65% in
the past eight years are IT director; director or manager in information
security or audit; CISO; CSO; chief compliance officer; chief privacy
officer; chief of audit, and security auditor.
Those who got smaller raises include security architects; systems or
network managers; intrusion detection specialists; forensics
investigators, and desktop support.
"It's basically appreciation of the value of these people," said Paller.
"Through these last seven years, people have valued writing about
security higher than doing security and that's because of regulations.
FISMA is not measured on how secure your systems are but how well-done
your reports are. It's more or less the same with HIPAA and SOX. Most of
the money went to people who wrote about security rather than those who
did security. That's what these attacks from the Chinese and
cybercriminals has changed. It's moving security back into the operational
people's hands -- operational directors."
SANS is in the process of running another salary survey. The new study
will focus on the past year, as opposed to this study which focused on
an eight-year span. To participate in the new study, go to this Web site