Wednesday, April 13, 2016

Cybersecurity salaries - April 2016

Foreword: Kathy and I just had dinner with a senior security person who was just laid off. He has started the process of speaking with recruiters, who, as he put it, need to be led through the interview. We do work in a complex field. I just read an interesting, well-researched article from Rutrell Yasin @Darkreading and wanted to make a few comments.

Cybersecurity salaries continue to rise as organizations grapple with an increasing shortage of cyber talent. Given the current climate, job-hopping might seem like a way to earn more money in the short term.

With apologies to Independence Day
President Thomas Whitmore: Mr. Levinson, contrary to what you may have read in the tabloids, there is no Area 51. There is no spaceship...
Albert Nimzicki: Uh... excuse me, Mr. President? That's not entirely accurate.
David Levinson: What, which part?

That salaries continue to rise and that there is a labor shortage is widely reported, but not entirely accurate. And that is right there in Rutrell's article:
Pete Lindstrom, research director of security products at IDC, says “the vast majority” aren’t as “exorbitant” as you would expect. At the top, CISOs of large security organizations are paid well, and a security professional with distinct skills, such as hacking, gets paid well in consulting firms and technology companies.

But if you are a typical jack-of-all-trades, security organizer/risk assessment/auditing professional, “you shouldn’t get your hopes up” for the big bucks, says Lindstrom, who co-authored an IDC study last year, IDC Security Survey: As the Jobs Churn.

Yes, there are hot skills, though I am not sure "hacking" in 2016 really counts (and I hope the person meant ethical hacking). However, in a large enterprise, things like:
  • Big data analysis for security artifacts (i.e. making a SIEM produce actionable results)
  • Being able to manage certificates in a sane manner, for code signing and identity management
  • Deep understanding of advanced network protocols
are all examples of specialties that are rare, and once an organization is mature enough to understand why it needs that skill, it will budget for it (and therein lies the rub). It is also important to keep in mind that you need a LOT more jack-of-all-trades than super specialists. Penetration testing, remediation, monitoring, audit/inventory, policy, incident response/forensics, and awareness are the tasks that consume the majority of hours budgeted for security.

The article ends with an excellent observation by Karen Evans: "For instance, application developers who can develop more secure applications reduce the need for high-end professionals, she says, because this would be a way for organizations to be more proactive about their security.

An organization could increase salaries of application developers who demonstrate they have developed secure code, for example. “If you have a finite set of dollars, maybe you pay more for people who are developing applications that have less vulnerabilities,” Evans says."

Amen to that! This is the only way off this merry-go-round. Instead of increasing the security budget every year, we need to focus on needing less reactive security. It isn't sexy, but it is important.
