Our annual salary survey indicates that security pros aren't getting a sufficient sense that their work and expertise are valued.
We're just now beginning to sort through the data from our annual salary survey, which drew more than 20,000 respondents. You'll find a preview of responses from some 850 information security professionals.
Each year, we see subtle shifts in the data that reflect changes both in our industry and in the overall mood across the country. One of the most interesting questions in our survey simply asks: "What matters most to you about your job?" In both 2008 and 2009, base pay topped the list for managers, followed by the challenge of the job, and then benefits. In 2009, 60% cited base pay as the most important factor, as uncertainty about the recession and jobs gripped us all. This year, we see a much more nuanced view of what matters, with the top four options in a statistical dead heat: my opinions and knowledge are valued (45%); job challenge and responsibility (44%); base pay (44%); and job/company stability (43%).
My read on these statistics is that information security managers sense that the fortunes of their organizations are beginning to stabilize, and they want to be recognized for their contributions to making that happen. And, to put it bluntly, they're feeling burned out and want their lives back. This point is best illustrated by looking at options that swung at least 10 percentage points from last year to this one: my opinions are valued (up 10 points); base pay (down 16 points); vacation time (up 12); benefits (down 12); recognition of work well done (up 10); potential for promotion (up 10); ability to create new innovative IT solutions (down 14).
It seems that security pros get the reality of corporate finances. Our survey shows that, on average, no raises were given this year, and other data indicates that many workers were asked to kick in more for healthcare. Yet base pay and benefits don't matter as much to workers this year as they did last year. What IT security pros aren't getting is a sufficient sense that their work and expertise are valued.
In tough economic times, survival instincts drive C-level execs and boards of directors. They'll do anything they can to make the quarter's financials look good--including laying off employees critical to the operation of the company, and trading risk for income even when the risk is too high. The poor CISO has to either stand in opposition to this survivalist mentality, and risk being ignored or even fired, or go along with dangerous short-term decisions in hopes that an economic uptick will let the organization reverse course.
We need to believe the data here. It's human nature to want most what we don't have. These numbers say loud and clear: My organization doesn't value my opinion and doesn't recognize when I'm doing my job well, so it can keep innovation. I just want a job that I can actually do and that occasionally lets me go home and spend some time with my family.
Security pros are putting in long hours defending the company's interests as best they can, just as business leaders are making dangerous decisions against (or without) the advice of security managers. Smart CIOs will facilitate a discussion about resetting risk management expectations as business gets on a better footing. Business practices that trade information security for short-term profits are the sort that come back to bite hard, and form an object lesson in the need to constantly align business priorities and IT realities.
Art Wittmann is director of InformationWeek Analytics, a portfolio of decision-support tools. Write to him at firstname.lastname@example.org.