Paychecks For Security Pros In The Heartland Catching Up To Northeast, Silicon Valley

Federal regulations and a growing fear of China's cyber capabilities are helping to drive up salaries for security professionals.
Just a few weeks ago, the Department of Defense released a report saying that the People's Liberation Army in China is building up its cyberwarfare capabilities, even creating malware that could go after enemy computer systems in first-strike attacks.

"It's two-thirds FISMA and one-third that the Chinese are all over the aerospace industry and government computers," said Paller. "We're trying to build protections against attacks. ... [The DOD] wouldn't have said it publicly if they didn't think that some action really needed to be taken. It's been known for some time but talking about it means they're really worried."

Paller noted that salaries for security professionals working in the telecommunications and finance industries are growing strongly, but that's no surprise since they have been for years.

Who's not doing so well?

Salaries in manufacturing, health care, and education aren't faring nearly so well, coming in at the low end of the pay spectrum. "They've always been the lowest paid and they're getting the lowest raises," said Paller.

As for what jobs are doing well, and not so well, it looks like managers are seeing more raises than the people they're managing.

Some of the positions that saw their salaries grow by more than 65% in the past eight years are IT director; director or manager in information security or audit; CISO; CSO; chief compliance officer; chief privacy officer; chief of audit; and security auditor.

Those who got smaller raises include security architects; systems or network managers; intrusion detection specialists; forensics investigators; and desktop support.

"It's basically appreciation of the value of these people," said Paller. "Through these last seven years, people have valued writing about security higher than doing security and that's because of regulations. FISMA is not measured on how secure your systems are but how well-done your reports are. It's more or less the same with HIPAA and SOX. Most of the money went to people who wrote about security rather than those who did security. That's what these attacks from the Chinese and cybercriminals have changed. It's moving security back into the operational people's hands - operational directors."

SANS is in the process of running another salary survey. The new study will focus on the past year, as opposed to this study which focused on an eight-year span. To participate in the new study, go to this Web site.