IT security professionals living outside of Silicon Valley and the Northeast are getting substantial raises. An eight-year study by the SANS Institute shows that security professionals working in the rest of the country -- especially the Midwest, the Northwest, and the Southeast -- are catching up to their better-paid security brethren. When it comes to getting the best raises, these areas have been at the top of the charts since the end of the last century, with salary growth exceeding 7.5% yearly.
"There has been a leveling," said Alan Paller, director of research at the SANS Institute, in an interview with InformationWeek. "It used to be that from New York to Boston and then in California, salaries were way ahead. That's where you went if you wanted a lot of money. Then the rest of the country discovered they were just as much a target for attacks as the California and New York firms were. It's not that they're getting paid more than New England, but they're getting bigger raises and catching up."
Have they caught up yet, though?
According to Paller, the Mid-Atlantic region -- Pennsylvania, Maryland, Virginia and Washington -- has the biggest paychecks for security professionals, coming in at a mean salary of $95,615 for 2006. The Northeast came in second with $92,452, while the West, which includes Silicon Valley, rang in with $86,368. The Midwest is seeing a mean salary of $84,120, as the Northwest comes in at $81,186. The Southeast comes in at $80,123 and the U.S. Central, which includes Kansas, Oklahoma and Texas, came in at $78,666.
Paller, though, was quick to point out that salary satisfaction doesn't come from having the highest salary. It comes from having consistent increases in your salary.
"Satisfaction is less related to the absolute value of your salary than with the change," he explained. "People who are getting good raises every year are feeling appreciated. Those people will be much more satisfied with their compensation than people who are paid well but haven't gotten raises in two years. Satisfaction in security is much higher in areas outside of the traditional high-paid areas, like Silicon Valley."
The SANS survey also shows that the Federal Information Security Management Act and the advancement of China's technology capabilities are propelling salaries in industries like aerospace and professional service providers who work for government agencies, handling jobs like security assessments and auditing. Those are two of the industry segments that showed an eight-year total salary increase of 65%.
Just a few weeks ago, the Department of Defense released a report saying that the People's Liberation Army in China is building up its cyberwarfare capabilities, even creating malware that could go after enemy computer systems in first-strike attacks.
"It's two-thirds FISMA and one-third that the Chinese are all over the aerospace industry and government computers," said Paller. "We're trying to build protections against attacks. ... [The DOD] wouldn't have said it publicly if they didn't think that some action really needed to be taken. It's been known for some time but talking about it means they're really worried."
Paller noted that salaries for security professionals working in the telecommunications and finance industries are growing strongly, but that's no surprise since they have been for years.
Who's not doing so well?
Salaries in manufacturing, health care, and education aren't faring nearly so well, coming in at the low end of the pay spectrum. "They've always been the lowest paid and they're getting the lowest raises," said Paller.
As for what jobs are doing well, and not so well, it looks like managers are seeing more raises than the people they're managing.
Some of the positions that saw their salaries grow by more than 65% in the past eight years are IT director; director or manager in information security or audit; CISO; CSO; chief compliance officer; chief privacy officer; chief of audit, and security auditor.
Those who got smaller raises include security architects; systems or network managers; intrusion detection specialists; forensics investigators, and desktop support.
"It's basically appreciation of the value of these people," said Paller. "Through these last seven years, people have valued writing about security higher than doing security and that's because of regulations. FISMA is not measured on how secure your systems are but how well-done your reports are. It's more or less the same with HIPAA and SOX. Most of the money went to people who wrote about security rather than those who did security. That's what these attacks from the Chinese and cybercriminals have changed. It's moving security back into the operational people's hands -- operational directors."
SANS is in the process of running another salary survey. The new study will focus on the past year, as opposed to this study which focused on an eight-year span. To participate in the new study, go to this Web site.