TRANSLATING SECURITY FOR MANAGERS
SECURITY IN NUMBERS
Pay raises for security professionals continue to outstrip other IT job categories, especially for practitioners with specialized skills and/or professional certifications.
BY DAVID FOOTE
Given the gloomy IT job climate (highly publicized layoffs, canceled projects and suddenly worthless stock options, for starters), you'd think high wages would be another casualty of the slowing economy. You'd think a flood of displaced IT workers would put a damper on the kind of salary escalation that has epitomized the "employees' market" of recent years, even for information security professionals.
You'd be wrong.
Pay for security practitioners actually is outperforming the overall market for IT professionals, and by substantial amounts. Moreover, security-related skills are earning some of the highest bonus premiums. That's what my firm, Foote Partners, an IT compensation and workforce management research firm, discovered in its most recent quarterly IT Professional Salary Survey and Hot Technical Skills and Certifications Pay Index (HTSCPI).
Compiled from questionnaires and direct interviews with nearly 24,000 IT professionals in 55 U.S. and Canadian cities from Jan. 1 to March 31, 2001, the surveys show that overall base salaries for some 100 IT job categories grew by an average of 9.6 percent over Q1 2000. By comparison, salaries for security-related positions increased an average of 12.2 percent, while median bonus pay for security certifications increased 11.4 percent since the third quarter of last year.
Broken down, the survey results paint a far rosier picture for security professionals than any of their IT brethren.
Salaries and Bonuses
The Foote Partners' surveys incorporate responses from 1,292 security executives, managers, analysts and systems administrators from state and federal government and 26 private sector industries. The results reveal that security professionals in four out of six surveyed positions earn in excess of $100,000 in annual base salary and bonus (see Figure 1).
Comparing security management salaries from Q1 2000 to Q1 2001, corporate security directors' salaries grew the most, at 14.2 percent (see Figure 2). Pay for manager-level corporate security positions grew by a more modest 10.4 percent, lowest for all security jobs though still more than the average IT salary growth of 9.6 percent. Data warehouse and Web/e-commerce security managers round out the management-level security jobs with increases of 12.7 percent and 11.4 percent, respectively. Senior infosec analyst salaries showed a solid 12.4 percent growth for the period, while systems administrators earned 10.7 percent more in 2001.
Bonus pay in Q1 averaged a healthy 14.8 percent of base salary for all security positions surveyed. Director-level corporate security execs again earn the most, averaging 22 percent of base pay in bonuses. Next are corporate security managers at 17 percent and Web security managers' 16 percent bonus pay. At 13 percent, data warehouse security managers average the lowest bonuses, edged out by senior infosec analysts and senior systems administrators at 13.5 percent each.
For additional perspective, the only IT job families registering annual salary increases greater than security's 12.2 percent growth were network operations (up 16.8 percent), network engineering (up 14.1 percent) and business technology (up 12.4 percent). Dot-com failures and tentativeness in Web, e-commerce and customer relationship management (CRM) projects in the second half of 2000 produced flatter salary growth for jobs in those areas (see Figure 3).
Geographical Hot Spots
The Foote Partners' surveys indicate steeper base pay growth for security jobs in Midwest and Southern cities, compared to a marked decline in pay for some jobs on the West Coast and in the Northeast (see Figure 4).
1. Corporate security. Approximately one of every 10 cities surveyed showed pay losses for directors, managers and analysts during the last year, with one in five reporting a pay decline for at least one of these positions. This was decidedly not the trend in the Midwest and South, however, where increases of 15 percent to 25 percent were prevalent.
2. Web security management. Growth for Web security managers also was confined to specific regions. Base pay was down by as much as 10 percent in one quarter of the surveyed cities, primarily in the West Coast and Northeast regions. However, 19 cities (approximately 40 percent of those surveyed) reported increases of 15 percent or more for this job, and nearly 10 percent of the cities displayed growth in excess of 35 percent, with no particular regional distinctions.
3. Data warehouse security management. This position also showed some significant fluctuations geographically, posting salary increases of 15 percent or more in nearly half of the cities surveyed and increases of 20 percent or more in nearly one-quarter of them, particularly cities in the Midwest, Pacific Northwest and South.
4. Senior systems administration. Among all security positions in the survey, salary movement for senior systems administrator jobs was the most moderate geographically, with 42 percent of all surveyed cities noting salary fluctuations of +/-5 percent. Eight cities showed negative or no change. However, salary growth for admins was strong in the Midwest and South. Almost a third of the cities in these regions showed increases in excess of 15 percent, with six cities recording increases of 30 percent or higher.
Skills Bonuses
For the past four years, Foote Partners has tracked the increasing popularity of bonus premiums paid to IT workers with high-value skills and certifications. Isolating and rewarding skills with cash payouts (most commonly calculated as a percent of base salary) makes it easier for employers stuck with inflexible, outdated compensation systems to stay competitive in fast-moving technical labor markets. For many employers, doing so has somewhat obviated the need to hand out artificial promotions and manipulate performance evaluation systems solely to "prop up" compensation for jobs that no longer match job titles.
Corporate "portfolios" of projects, technology, vendors, workers and skills change constantly. In fact, employers can reap substantial benefits from fine-tuning individual worker compensation in between annual base salary adjustments. Improved employee retention is a common benefit that will, in turn, improve risk management and morale; produce more predictable project outcomes; and save time, money and headaches.
Like base pay, the market value for skills pay is driven by supply-and-demand economics. However, unlike salaries, skills pay tends to fluctuate much more dramatically from quarter to quarter.
Overall, security skills have maintained their value equally or better than most of the other skills tracked in the past year. For the 79 IT skills represented in Q1 2001's survey, premium pay declined an average of 3.2 percent from Q4 and 11 percent from Q3 2000 results. Networking-related security skills specifically related to hot projects (data warehousing, CRM, ERM and e-commerce) generated the highest premium pay of all skills and certifications tracked in Q1 2001. Pay for messaging- and groupware-related skills remains virtually unchanged since mid-2000 (see Figure 5). These are two of the best places right now for security professionals to apply their skills to retain maximum pay benefit.
Conversely, the biggest decline in skills pay over the past nine months (between 12 and 16 percent less) occurred with Web/e-commerce, operating systems, database and enterprise applications skills categories, including security. Why the decline? Contributing factors include: (1) reduced skills pay for Linux and Solaris OSes, Sybase products and several enterprise applications software suites; and (2) the death of hundreds of well-staffed dot-coms, which created a labor glut.
Security Certification Pay
Technical certifications, though not absolute measures of technical prowess or guarantees of ROI in human capital, are viewed positively by employers and regularly factor in to compensation, selection and promotion decisions.
Median bonuses for 39 technical skills certifications tracked in Foote Partners' hot skills index increased 11.4 percent to 8.6 percent of base pay between last quarter and this quarter (see Figure 6). Further, median certification pay in the current quarter compared to Q3 2000 increased 22 percent at the median.
For workers with CISA, CISSP, CNSP and SANS/GIAC security certifications, median skills pay in early 2001 averaged nearly 7 percent of base salary, up 11.5 percent from Q3 2000. Foote Partners anticipates more accelerated growth in this segment over the next two years, exceeding the overall growth rate for certification pay by end of year.
10 Trends
The Foote Partners' analysis of these findings serves as a guide for near-term decisions on security skills and certifications pay. In particular, Foote Partners expects the following 10 trends to shape the compensation in the marketplace in coming months:
1. Employers will continue to be reluctant to pay large "security skills premiums" to junior staff or inexperienced workers. This includes workers who aren't well matched to priority projects, as well as those whose ROI isn't assured. In particular, this trend will affect enterprise applications/suites, Web/e-commerce, network/internetworking and OS skill areas.
2. Available funds for security skills will go to top-tier IT workers. Pay is increasingly flowing away from less-capable employees to upper-echelon or "impact" IT workers. This compensation comes in the form of larger (or more) skills bonuses, especially in development tools/languages and database areas.
3. While Web/e-commerce development skills pay plummeted between the third and fourth quarters of 2000 (-15.4 percent at median), it has since leveled off. This leveling off has been led by gains in XML and scripting language pay. Professionals with security skills associated with these areas are expected to make substantial pay gains over the next several months. This will also be true for development tools and language skills, though to a somewhat lesser extent.
4. Messaging and groupware skills will remain the most consistently valued. As such, these skills will continue to generate the highest overall skills pay as a category over the next six months, steadfastly resisting negative economic pressures.
5. Enterprise applications skills will continue trending sharply downward. Despite generating higher-than-average pay in each of the last three quarters, the value of these skills has been declining steadily and will continue to do so into Q4 2001.
6. Networking/internetworking skills will trend sharply upward in the next three quarters. This increase will be stimulated by growing extranet security concerns and hot technology markets (e.g., wireless security).
7. Security skills will continue to grow in importance, as more business is launched online in distributed systems. Also expect more team- and project-based security skills incentive pay during the economic downturn, as budgets undergo case-by-case scrutiny to focus resources on projects that produce tangible, near-term benefits.
8. Security professionals will need to diversify skill sets to maintain higher pay levels. While continuing to master new technologies for protecting IT systems, security professionals, especially those in top-level positions, will be under more pressure to understand their company's entire business and pinpoint the security risks that are most threatening to the company's bottom line.
9. The following security skills will be highly valued over the next 12 to 24 months: Complying with new security and privacy regulations in health care and finance; developing stronger user-awareness policies; and addressing security issues pertaining to wireless access, business-to-business exchanges and application service providers (ASPs).
10. "Soft" skills will reap additional rewards. Beyond purely technical skills, security professionals will increasingly be rewarded for softer skills, including attitude, diplomacy, patience, attention to detail and tenacious abstract problem solving.
Crystal Ball
Looking forward, beginning early next year Foote Partners anticipates more accelerated growth in security skills and certification pay, routinely beating the overall growth rate for skills premium pay. Base salary movement is somewhat less predictable, for several reasons: Companies have a lot of critical decisions still to make regarding outsourcing solutions; new vendors and products are still arriving; and vigorous debate on standards continues. However, Foote Partners is convinced that security-related salaries will continue to substantially outperform overall IT compensation. Here's why:
The inclusion of basic network engineering and operations skills into security jobs regardless of specialization.
Rapid growth in new security niches (for example, forensics and intrusion detection).
New technologies with broad appeal (e.g., Microsoft's XP and .NET).
The continued supply-and-demand gap for security professionals (one of the widest of any IT job category).
Over the next few years, security managers will need to focus hard on complying with new security and privacy regulations in health care and finance, developing stronger user-awareness policies, and addressing a bigger basket of security issues, including wireless access, B2B exchanges and outsourcing. While knowledge of the technical side of security is obviously important, critical success factors for security professionals will also include being adept at corporate politics; possessing business skills and aptitudes; having good relationship management; and being able to market, sell and negotiate outcomes. Therefore, employers would be wise to scrutinize job candidates for how well they work with others, on small teams and with customers. Building pay programs that reward hard and soft skills equally will ensure a return on investment in infosecurity human capital.
DAVID FOOTE (dfoote@footepartners.com) is co-founder, president and research director at Foote Partners LLC, an IT compensation and workforce management research firm located in New Canaan, Conn. For a copy of the complete quarterly survey, visit www.footepartners.com.




