Cybersecurity salaries continue to rise as organizations grapple with an increasing shortage of cyber talent. Given the current climate, job-hopping might seem like a way to earn more money in the short term.
With apologies to Independence Day:
President Thomas Whitmore: Mr. Levinson, contrary to what you may have read in the tabloids, there is no Area 51. There is no spaceship...
Albert Nimzicki: Uh... excuse me, Mr. President? That's not entirely accurate.
David Levinson: What, which part?
Pete Lindstrom, research director of security products at IDC, says “the vast majority” aren’t as “exorbitant” as you would expect. At the top, CISOs of large security organizations are paid well, and a security professional with distinct skills, such as hacking, gets paid well in consulting firms and technology companies.
But if you are a typical jack-of-all-trades security organizer/risk assessment/auditing professional, “you shouldn’t get your hopes up” for the big bucks, says Lindstrom, who co-authored an IDC study last year, IDC Security Survey: As the Jobs Churn.
Yes, there are hot skills, though I am not sure "hacking" in 2016 really counts (and I hope the person meant ethical hacking). However, in a large enterprise, the hot skills are things like:
- Big data analysis for security artifacts (i.e. making a SIEM produce actionable results)
- Being able to manage certificates in a sane manner, for code signing and identity management
- Deep understanding of advanced network protocols
The article ends with an excellent observation by Karen Evans: "For instance, application developers who can develop more secure applications reduce the need for high-end professionals, she says, because this would be a way for organizations to be more proactive about their security.
An organization could increase salaries of application developers who demonstrate they have developed secure code, for example. 'If you have a finite set of dollars, maybe you pay more for people who are developing applications that have less vulnerabilities,' Evans says."
Amen to that! This is the only way off this merry-go-round. Instead of increasing the security budget every year, we need to focus on reducing the need for reactive security. It isn't sexy, but it is important.