The lives of infosec professionals are rife with peculiarities, and for an example you need look no further than their pay over the past five years.
Wild corporate spending on programmers, web developers and other non-security IT jobs during the internet boom vanished in the 2000 bust and three-year recession that followed, resulting in plummeting pay and job security.
By contrast, through these lean years, the average security professional's wage increased 23-47 percent, according to Foote Partners' IT Insider Professional Salary Survey of 50,000 IT professionals.
Now that the economy is humming again, many IT professionals specializing in hot areas such as networking, applications, web services, architecture, storage, databases, messaging and Linux/open source are seeing pay rises of 10-15 percent.
And for the infosec professional? There are modest gains in 2005 salaries, offset by lower bonuses and declining premium pay for security certifications, many of them the same certs whose premiums had been growing steadily only a year earlier.
Why? That's a good question.
Overall, infosec salaries have risen up to 5.7 percent in the past year, with VP/ director-level and manager-level security executives realizing the highest gains. But bonuses have been stingier, down between nine and 33 percent for security pros, depending on job level. All in all, a poor showing.
Better off were senior security executives, who saw their total wages (base pay plus cash bonus) rise 3.2 percent for the year ending July 2005, a modest increase compared to a nearly ten percent rise one year earlier.
Information security managers, the tier just below executive, also saw some growth in total pay, earning just 1.4 percent more this year. But their bonuses declined 25 percent, compared with a 12 percent drop for senior executives, which accounts for much of why the increase was so meagre.
One reason for these fluctuations is Sarbanes-Oxley (SOX) compliance work, which peaked last year as the November 2004 deadline loomed.
Middle and junior infosec pros are, if anything, faring worse. Those at these levels received base pay increases in 2005 that were roughly a quarter or less of those of their senior counterparts.
On the lowest level, security administrators saw the smallest salary increase (1.1 percent) among all security professions we monitor. Base salary crept up an average of just $900, with bonuses off 20 percent, producing a net loss in total wages compared to a year ago.
Security analysts have done no better: only 1.4 percent growth in base pay in 2005 (about $1,300 average) with bonuses cut by about one third.
The divide between upper management and the operational ranks is even more dramatic when viewed over two years. Executive pay growth has slowed, but far less than it has for the lower ranks. Executives' total pay has climbed more than 13 percent since 2003, while security analyst and data warehouse infosec manager total pay has grown only four percent apiece over the period, with just a 6.7 percent increase for administrators. Middle managers responsible for web security have done much better, earning 11 percent more in both base and total pay.
Certifications have long earned larger incentives, and remain crucial to infosec career success. But those holding security certification earned average incentives of 8.6 percent of their base salary this year, down from 8.9 percent a year ago. This represents the first overall annual decline in security certifications pay since 1999.
This should not be interpreted as diminished demand. Instead, it is the result of IT professionals flooding into the field in search of job security, training opportunities and attractive pay.
This has driven down pay for many popular beginner/intermediate certs from CompTIA, SANS/GIAC and Check Point as supply has met or exceeded demand. However, infosec certifications still earn their holders more pay than many other IT certifications we track. Those holding the Certified Information Systems Auditor (CISA) receive the highest incentive pay of all certs we track, at 14 percent of base salary, up 40 percent on 2003. The gold-standard Certified Information Systems Security Professional (CISSP) ranks second, averaging 13 percent of base, but the Cisco Certified Security Professional (CCSP) recorded the highest security cert pay increase surveyed, 23 percent more than last year, to 11 percent of base pay.
Another up-and-comer, the SANS/GIAC Certified Forensic Analyst (GCFA), earns bonuses of around ten percent of base pay. This reflects the greater attention being paid to business risk management and security governance, and growing frustration with security threats.
Many security certs earn bonuses of 8-10 percent of base pay, but this list is shrinking. Overall pay for this group is down 3.5 percent on last year. This might last several months until demand expands to meet projected staffing needs.
Enterprises can risk neither exposing their mission-critical IT assets to compromise nor exposing their executives to prison terms for regulatory non-compliance. But even as security budgets expand, they will remain as exposed to shifting financial priorities as any other IT line item.
Still, the infosec profession remains a smart career choice, for both its compensation and advancement opportunities.
David Foote is president and chief research officer of Foote Partners LLC