Pay up for talent? Is there a security salary disconnect?

Demand for security talent has never been higher. Security spending, according to market research firm Gartner, is expected to grow nearly 8% this year, and few would argue that data breaches are under control. And yet, in our discussions with security professionals at all levels of experience and expertise, one often hears that enterprises are simply not willing to pay what is necessary for talent.


This parallels the results of our annual State of the CSO Survey, which found security salaries are flat to down, with most security decision-makers surveyed having earned $179,600 compared to the $180,100 reported last year. In an interview for our State of the CSO story Daniel Kennedy, research director of information security and network practices at 451 Research, says his own findings parallel ours. "It's a very interesting job market dynamic. Enterprises complain that they can't attract talent, they say that they can't keep talent, and [they say] they've tried everything to do so except salary raises," he says.

A job market in disconnect

This is surprising considering that enterprise demand for skilled IT security professionals continues to outstrip supply. All of this suggests a market disconnect. If the surveys and anecdotal reports are accurate, why are companies unwilling to increase pay to attract the talent they say they want? Or is it that security talent's pay expectations are too high for the market, despite reports of shortages?


We reached out to a number of CISOs, security practitioners, and industry watchers to find out.

"I think the firms that are having problems finding good information security people are the ones that are not willing to pay a reasonable salary," says Ben Rothke, an information security manager with a major international hospitality firm.

"In almost all organizations outside of the technology industry, there is stupefied sticker shock at the salary expectations of cybersecurity professionals, especially people without any significant experience or track record," adds Mark Weatherford, principal at the security advisory firm Chertoff Group, LLC, former CSO at the North American Electric Reliability Corporation (NERC), and former CISO of the states of California and Colorado.


Part of the disconnect comes from a lack of understanding of the resources and effort needed to support a viable information security program. "There seems to be a large financial disconnect when it comes to security that goes beyond just talent," says James McMurry, founder and CEO of Milton Security Group. "We have seen that the market tends to believe security is important, but not enough to put real money behind it. In many cases, companies seem to have a lack of understanding when it comes to how much work is involved in an information security position," McMurry says.


They are either unwilling to pay market rate, McMurry says, or they believe that their current staff is capable of weaving security responsibilities into their existing operations management activities. "They can fit it in between server reboots," McMurry says.

Another part of the disconnect is how tough it is to correlate good information security with the bottom line. "You have the perspective of the company as a social entity, the customers, and the shareholders. All three of these are keenly interested in avoiding security incidents, so it would seem a good investment to buy quality personnel," says Brian Martin, founder and CEO of security consultancy Digital Trust LLC. "Yet corporations have profit motives, bonus motives, cost reduction motives, and shareholders, all of whom are keenly interested in cost controls and minimal spending. These two are obviously juxtaposed and creating conflict," Martin says.


And within enterprises, good risk management is hard to implement while blame is easily cast, and ultimately no one is held responsible for the harm data breaches cause. "The CISO and CIO might be fired, but until people are held responsible personally for security failures, all the way to the board-level decision, nothing will change," Martin says.

Not everyone agrees

Not everyone agrees that the information security salary disconnect is systemic, or that the cause of the imbalance sits squarely on enterprises. "For those with truly superior skills, they can get almost anything they demand and they are worth it. One highly skilled security professional is worth a dozen people with mediocre skills," says Weatherford. Yet, many with mediocre skills rate themselves disproportionately high. "Most people think they are far better than they actually are," Weatherford says.

Eric Cowperthwaite, currently TK at TK, who has also worked as a CISO at multiple organizations, believes security execs are paid fairly for their skills, experience, and value. "I have been through the recruiting process for security leadership positions many times over the past 10 years or so. I've generally found the potential salary for a CISO on par with the value the individual can offer to that organization," he says.


Ultimately, value is in the eye of the buyer and seller, and as Weatherford pointed out in our exchange, an item is worth only what someone is willing to pay, and the prices paid initially are of little guidance. "Go see what your Darryl Strawberry rookie baseball card is worth these days; probably less than you paid for it. Is a mediocre football player truly worth $10M a year? If they are the best receiver available and you need a receiver, probably so. Same with security talent: if your security architect quits in the middle of a project, you need someone right now, not in six months, so you may pay a higher salary than you're comfortable with," says Weatherford.
