Demand for security talent has never been higher. Security spending, according to market research firm Gartner, is expected to grow nearly 8% this year. And few would argue that data breaches are under control. And yet, in our discussions with many security professionals at all levels of experience and expertise, we often hear that enterprises are simply not willing to pay what is necessary for talent.
This parallels the results of our annual State of the CSO Survey, which found security salaries are flat to down, with most security decision-makers surveyed having earned $179,600 compared to the $180,100 reported last year. In an interview for our State of the CSO story, Daniel Kennedy, research director of information security and network practices at 451 Research, says his own findings parallel ours. "It's a very interesting job market dynamic. Enterprises complain that they can't attract talent, they say that they can't keep talent, and [they say] they've tried everything to do so except salary raises," he says.
A job market in disconnect
This is surprising, considering that enterprise demand for skilled IT security professionals continues to outstrip supply. All of this suggests a market disconnect. And if the surveys and anecdotal reports are accurate, why are companies unwilling to increase pay to attract the talent they say they want? Or is it that security talent has pay expectations that are too high for the market, despite reports of shortages?
We reached out to a number of CISOs, security practitioners, and industry watchers to find out.
"I think the firms that are having problems finding good information security people are the ones that are not willing to pay a reasonable salary," says Ben Rothke, an information security manager with a major international hospitality firm.
"In almost all organizations outside of the technology industry, there is stupefied sticker shock at the salary expectations of cybersecurity professionals, especially people without any significant experience or track record," adds Mark Weatherford, principal at the security advisory firm Chertoff Group, LLC, former CSO at the North American Electric Reliability Corporation (NERC), and CISO at the states of California and Colorado.
Part of the disconnect comes from a lack of understanding of the resources and effort needed to support a viable information security program. "There seems to be a large financial disconnect when it comes to security that goes beyond just talent," says James McMurry, founder and CEO of Milton Security Group. "We have seen that the market tends to believe security is important, but not enough to put real money behind it. In many cases, companies seem to have a lack of understanding when it comes to how much work is involved in an information security position," McMurry says.