A new study released today confirms that there is indeed a growing market for IS expertise.
Alan Paller, director of research at The SANS Institute, a respected IT research and education organization, suggests that people "are waking up to the fact that there’s a shortage of security talent."
The SANS Institute’s 2005 Information Security Salary and Career Advancement study of over 4,250 IS pros finds that compensation for IS jobs is strong and growing. For U.S. IS professionals, the median income, including bonuses, is now $81,558. In Great Britain, it’s $76,389. In Canada, it’s $67,982. In the rest of the world, it’s $51,250.
Paller says his organization has not conducted a salary survey since 2002 because it didn’t want to “pile on” during a time when salaries were under pressure. But he contends salaries in 2005 were significantly higher than three years earlier.
An infosec salary survey released in 2003 by Foote Partners LLC noted that compensation declined the previous year. The Foote survey found that in the fourth quarter of 2002, the overall base salaries for some 100 IT positions declined by an average of 2.8 percent from the fourth quarter of 2001. Yet even so, during this period salaries for corporate security positions rose an average of 5.5 percent, suggesting that even in bad times, good security remains a valuable commodity.
One noteworthy finding in the SANS study is that there’s essentially no difference in terms of compensation between IS workers with high school degrees and those with bachelor’s degrees. However, those with advanced degrees -- a Master’s or Doctorate – can expect to earn significantly more than those with lesser academic credentials.
Another finding of note: certifications from The International Information Systems Security Certification Consortium, Inc. (ISC) and the Information Systems Audit and Control Association (ISACA) translate into greater earnings than other certifications, such as those bestowed by individual vendors like Microsoft or Cisco.
Respondents indicated that those certifications offered an edge in management or policy-centric jobs -- typically highly paid positions. But for hands-on security, survey takers said the Global Information Assurance Certification (GIAC), administered by SANS, and certifications offered by vendors were more advantageous.
Paller interprets this as an indication that there’s no substitute for real world experience. “You can’t become a pilot by studying airplanes,” he says, suggesting that employers should be wary of computer security pros who have never wrestled with securing actual systems.
Perhaps the most unexpected finding, according to Paller, is that those taking the survey rated communication skills, both verbal and written, as more important than technical knowledge in terms of career advancement.