Security pros being rewarded

Although these are hard times for many in the IT industry, the status of information security professionals is on the rise – at least based on how much they’re getting paid.

A survey conducted by market researchers Foote Partners LLC of 29,600 IT workers in dozens of occupations – from data warehousing to e-commerce – shows that those with security-related jobs received a 9 per cent pay hike, on average, from last year. No other category saw an increase, the survey of 1,840 corporate and government organizations found.

In a separate survey, Foote Partners found that security professionals with certifications from outfits such as the SANS Institute Inc. and the International Information Systems Security Certification Consortium are being paid particularly well – as much as 12 per cent more than those without such certifications.

One Foote Partners’ challenge in conducting its surveys was determining which employees have security-related jobs, because there is considerable crossover between security and other jobs. “Titles can be a problem,” says David Foote, Foote Partners president.

At Sony Pictures Entertainment Inc., for instance, two Windows NT engineers are part of a “tiger team” for security and incident response, says Jeff Uslan, director of information protection and security. Such cross pollination is desirable, especially because Uslan has fewer than 10 people on his staff to deal with IT security.

For purposes of its survey, Foote Partners put security director at the top rung of the security job ladder, with security directors earning an average of US$124,513 compared with $116,226 last year. Bonuses are rising from $25,570 last year to $29,261 this year.

The security director’s primary responsibility is to devise security policies for user-account management, network access, incident response and emergency backup, and then get those policies put into action.

“We also have normalized audits, such as performing network penetration, to test for security vulnerabilities,” says Matt Archibald, director of security services at handheld maker Palm, who has a staff of four security specialists. “But you may turn firewall management over to the network guys, expecting them to build the firewall based on your specifications.”

The next rung down on the security job ladder, according to Foote Partners, is the security manager, whose pay has increased to $107,812, from $103,257 last year. But the bonus package dipped to $12,937 from $17,554 last year.

The main difference between a security manager and director, Foote Partners says, is years of experience. A manager has seven or more years of experience in IT with four to five years in security, whereas a director has 10 years or more in IT and six to seven years in data security.

Foote Partners didn’t include the title “chief security officer,” which was lumped in with other “executives.”

In a separate survey of 1,214 security administration professionals, the SANS Institute also paints a bright picture for security professionals.

The 2002 SANS Security and System/Network Administration Salary Survey shows that salaries over the past year have risen 7 per cent for security-related jobs, with an average 14.5 per cent increase in bonuses. The average salary paid to all security and systems staff who participated in the survey is $69,340, with those in Asia faring slightly better than those in the U.S. Those in the U.K. and Western Europe fared worst.