Demand for security talent has never been higher. Security spending, according to market research firm Gartner, is expected to grow nearly 8% this year. And few would argue that data breaches are under control. And yet, in our discussions with security professionals at all levels of experience and expertise, we often hear that enterprises are simply not willing to pay what is necessary for talent.
This parallels the results of our annual State of the CSO Survey, which found security salaries flat to down, with most security decision-makers surveyed having earned $179,600 compared to the $180,100 reported last year. In an interview for our State of the CSO story, Daniel Kennedy, research director of information security and network practices at 451 Research, says his own findings parallel ours. "It's a very interesting job market dynamic. Enterprises complain that they can't attract talent, they say that they can't keep talent, and [they say] they've tried everything to do so except salary raises," he says.
A job market in disconnect
This is surprising considering that enterprise demand for skilled IT security professionals continues to outstrip supply. All of this suggests a market disconnect. If the surveys and anecdotal reports are accurate, why are companies unwilling to raise pay to attract the talent they say they want? Or do security professionals have pay expectations that are too high for the market, despite the reported shortages?
We reached out to a number of CISOs, security practitioners, and industry watchers to find out.
"I think the firms that are having problems finding good information security people are the ones that are not willing to pay a reasonable salary," says Ben Rothke, an information security manager with a major international hospitality firm.
"In almost all organizations outside of the technology industry, there is stupefied sticker shock at the salary expectations of cybersecurity professionals, especially people without any significant experience or track record," says Mark Weatherford, principal at the security advisory firm Chertoff Group, LLC, former CSO at the North American Electric Reliability Corporation (NERC), and former CISO of the states of California and Colorado.
Part of the disconnect comes from a lack of understanding of the resources and effort needed to support a viable information security program. "There seems to be a large financial disconnect when it comes to security that goes beyond just talent," says James McMurry, founder and CEO of Milton Security Group. "We have seen that the market tends to believe security is important, but not enough to put real money behind it. In many cases, companies seem to have a lack of understanding when it comes to how much work is involved in an information security position," McMurry says.
They are either unwilling to pay market rate, Milton says, or they believe that their current staff is capable of weaving security responsibilities into their current operation management activities. "They can fit it in between server reboots," McMurry says.
Another part of the disconnect is how tough it is to correlate good information security with the bottom line. "You have the perspective of the company as a social entity, the customers, and the shareholders. All three of these are keenly interested in avoiding security incidents, so it would seem a good investment to buy quality personnel," says Brian Martin, founder and CEO of security consultancy Digital Trust LLC. "Yet corporations have profit motives, bonus motives, cost reduction motives, and shareholders, all of whom are keenly interested in cost controls and minimal spending. These two are obviously juxtaposed and creating conflict," Martin says.
And within enterprises, good risk management is hard to implement while blame is easily cast, and ultimately no one is held responsible for the harm data breaches cause. "The CISO and CIO might be fired, but until people are held responsible personally for security failures, all the way to the board level decision, nothing will change," he says.
Not everyone agrees
Not everyone agrees that the information security salary disconnect is systemic, or that the cause of the imbalance sits squarely on enterprises. "For those with truly superior skills, they can get almost anything they demand and they are worth it. One highly skilled security professional is worth a dozen people with mediocre skills," says Weatherford. Yet, many with mediocre skills rate themselves disproportionately high. "Most people think they are far better than they actually are," Weatherford says.
Eric Cowperthwaite, currently TK at TK, who has also worked as a CISO at multiple organizations, believes security execs are paid fairly for their skills, experience, and value. "I have been through the recruiting process for security leadership positions many times over the past 10 years or so. I've generally found the potential salary for a CISO on par with the value the individual can offer to that organization," he says.
Ultimately, value is in the eye of the buyer and seller, and as Weatherford pointed out in our exchange, an item is worth only what someone is willing to pay, and the prices paid initially are of little guidance. "Go see what your Darryl Strawberry rookie baseball card is worth these days; probably less than you paid for it. Is a mediocre football player truly worth $10M a year? If they are the best receiver available and you need a receiver, probably so. Same with security talent - if your security architect quits in the middle of a project, you need someone right now, not in six months, so you may pay a higher salary than you're comfortable with," says Weatherford.