Security's Zero-Sum Salary Game

Does it seem you can't get a raise, no matter what you do? Well, you're not crazy

2:25 PM -- Everybody keeps saying that security is one of the biggest growth markets in the IT industry right now – maybe even one of the fastest-growing markets overall. Sales of security appliances and software grew 15 percent in 2005, and the market is projected to grow 32 percent by 2009, according to Infonetics Research.

More recent research supports this trend. In a report issued earlier this week, IDC reports that the number of security professionals worldwide has grown 8.1 percent in the past year. Organizations also are spending a higher percentage of their security budget dollars on people, rather than technology – a whopping 41 percent of IT security dollars are now spent on personnel. (See It's the People, Stupid.)

With all of this prosperity, however, there's one question ringing in many security professionals' heads: Why can't I get a decent pay raise?

The answer, apparently, has to do with supply and demand. According to IDC's third annual Global Information Security Workforce Study, which was sponsored by (ISC)2, there are two groups of professionals who are benefiting from the security boom: the highest-paid and the lowest-paid.

At the top end, the most highly-skilled IT security managers and technicians are in short supply, which allows them to command higher salaries. In the Americas, at least, the percentage of security pros making $100,000 a year or more has grown from about 32 percent in 2004 to about 37 percent today. And even at those salaries, IDC researchers note, there are still lots of open positions for people with high degrees of training, experience, and management skills.

On the bottom end of the scale, the Americas have seen a leap in the number of security professionals making $40,000 or less, from just over 1 percent in 2004 and 2005 to more than 5 percent in 2006. In Europe and the Middle East, that figure is growing even faster, from about 5 percent in 2004 to more than 20 percent this year.

In the case of the Americas, many of these low-salaried workers are in Central and South America, where the pay scales are lower. But IDC also says that many U.S. companies are now hiring junior-level staffers to handle security, and then paying to train them instead of hiring more experienced, higher-salaried people.

And what about the folks in the middle, the ones who make between $40,000 and $100,000 a year and still comprise the majority of the IT workforce? IDC's report indicates that the number of workers in these salary ranges has decreased steadily since 2004, both in the Americas and overseas.

What we have, then, is a frustrated group of skilled IT people who aren't benefiting from the boom in the industry. On one end, their salaries are squeezed by the growing cost of highly-skilled experts and managers, which cuts into the overall salary budget. At the other end, they are squeezed by a growing movement toward hiring less- experienced, lower-salaried workers who can (ostensibly) be trained to do the same work.

Will this trend shift anytime soon? It doesn't look like it. In the three years that IDC has done the study, the trend on both the low and high ends has shown an upward curve, while the trend in the middle is on its way down. On a broad stroke, the conventional wisdom in security seems to be to put your money at the ends of the spectrum, rather than in the middle.

And, unless you move to one end or the other, many of you will continue to feel the squeeze.

— Tim Wilson, Site Editor, Dark Reading

  • IDC
  • Infonetics Research Inc.
  • (ISC)2