They are either unwilling to pay market rate, Milton says, or they believe that their current staff is capable of weaving security responsibilities into their current operation management activities. "They can fit it in between server reboots," McMurry says.
Another part of the disconnect is how tough it is to correlate good information security with the bottom line. "You have the perspective of the company as a social entity, the customers, and the shareholders. All three of these are keenly interested in avoiding security incidents, so it would seem a good investment to buy quality personnel," says Brian Martin, founder and CEO of security consultancy Digital Trust LLC. "Yet corporations have profit motives, bonus motives, cost reduction motives, and shareholders, all of whom are keenly interested in cost controls and minimal spending. These two are obviously juxtaposed and creating conflict," Martin says.
And within enterprises, good risk management is hard to implement while blame is easily cast, and ultimately no one is held responsible for the harm data breaches cause. "The CISO and CIO might be fired, but until people are held responsible personally for security failures, all the way to the board level decision, nothing will change," he says.
Not everyone agrees
Not everyone agrees that the information security salary disconnect is systemic, or that the cause of the imbalance sits squarely on enterprises. "For those with truly superior skills, they can get almost anything they demand and they are worth it. One highly skilled security professional is worth a dozen people with mediocre skills," says Weatherford. Yet, many with mediocre skills rate themselves disproportionately high. "Most people think they are far better than they actually are," Weatherford says.
Eric Cowptherwaite, currently TK at TK, but who has also worked as a CISO at multiple organizations, believes security execs are paid fairly for their skills, experience, and value. "I have been through the recruiting process for security leadership positions many times over the past 10 years or so. I've generally found the potential salary for a CISO on par with the value the individual can offer to that organization," he says.
Ultimately, value is in the eye of the buyer and seller, and as Weatherford pointed out in our exchange, an item is worth only what someone is willing to pay; initial prices paid are of little guidance. "Go see what your Darryl Strawberry rookie baseball card is worth these days: probably less than you paid for it. Is a mediocre football player truly worth $10M a year? If they are the best receiver available and you need a receiver, probably so. Same with security talent - if your security architect quits in the middle of a project, you need someone right now, not in six months, so you may pay a higher salary than you're comfortable with," says Weatherford.