by Michael Rotondo

How to Hire and Retain Qualified Cybersecurity Professionals - Part 1

The commentary below is an excerpt from a longer white paper being produced by the Silent Sector team on how to hire and retain quality security and, by extension, IT resources. This excerpt addresses compensation.

Currently there are far more open IT jobs than qualified IT resources to fill them. This has created a seller's market and has put the job market in favor of the tech professionals, not the employers. Regardless of the market, however, most IT organizations are running very lean teams, and because security teams are not part of IT operations or the "Keep The Lights On" (KTLO) team, they often run leaner than the rest of the IT organization. Simultaneously, security threats are increasing exponentially in quantity and complexity, while qualified IT and security staff remain scarce. By the year 2021 it is estimated that there will be 3.5 million unfilled cybersecurity positions. The cost of cybercrime annually is estimated to be nearly 6 trillion dollars.

Compensation, the elephant in the room, needs to be addressed; there is no way around it. Most employers are not going to like it, but I must reiterate the following statistics: by the year 2021 it is estimated that there will be 3.5 million unfilled cybersecurity positions, and the cost of cybercrime annually is estimated to be nearly 6 trillion dollars! Corporations must revise their thinking when it comes to compensation for IT security resources.

One way to start is to decouple the corporate pay structure for security staff from that of IT KTLO staff. You may be thinking, "that doesn't sound fair or right," and I get where you are coming from, because I have been both a KTLO resource and a security resource. But in the job market you must remember that security engineers are specialized, and quality engineers are becoming rare. Further, we need to dispel the notion that you can train anyone to be a good or even adequate cybersecurity engineer, much less a great one. You can't do it any more than you can train anyone off the street to be a great developer. I have no statistics or science to back up that statement, just my experience and an IT background that goes back several decades. However, I can tell you from my experience and observation that not all IT people are talented or created with equal competence.

The stratified job families and pay structures currently in use in many corporate environments, where pay is based on years of experience within a generic "IT Engineer" basket, may have worked in the past for defining resource pay. However, with the resource shortage, this structured generic "IT" bucket no longer works for defining resource compensation. Ultimately, at least in the short run, resources and talent are going to go where the money and opportunity are, and that will most likely be consulting. So instead of paying $130 an hour for a fully burdened resource with benefits, etc., companies will be paying $350 an hour or more for a mercenary consulting firm.

Companies need to develop specific job categories for security engineers that are not tied to their current job classification of Infrastructure Engineer 1-5, or however it is defined within the organization. Companies need to develop security job families and pay them at a higher rate. It is simple economics: supply and demand. Right now the supply is low and there is a huge demand which is only growing. The increase in demand is likely to grow exponentially with potential actions by the federal government, as Congress begins to discuss a data privacy law similar to GDPR and is considering holding executives (decision makers) criminally liable (as in jail time!) for breaches.

Below are examples of IT KTLO salaries and IT security salaries. The source used was  Similar tables can be seen at Indeed, ZipRecruiter, and others. I have matched them up based on expected experience and responsibility. Some geographies will pay more, but the cost of living is much higher there (e.g. New York City vs. Mobile, AL). If you look at the numbers on those sites you can see IT salaries range anywhere from $36,000 to $324,000 in the US depending on geography and job classification.

  • Average Information Security Analyst Salary $70,397
  • Average Systems Engineer (Computer Networking / IT) $72,365
  • Average Information Security Specialist Salary $75,263
  • Average Database Administrator (DBA) Salary $71,929
  • Average Microsoft Exchange Administrator Salary $73,906
  • Average Security Architect, IT Salary $121,031
  • Average Solutions Architect Salary $115,824

Based on the figures above, the difference in pay between KTLO resources and security resources is insignificant until a resource reaches the Architect level. Even at the Architect level, however, the difference in pay is insignificant given the amount of training and experience required to become a security architect, the scarcity of qualified security architects, and the potential financial impact to the company if security is not staffed with quality resources. While I would be a fool to argue that there isn't also a shortage of good KTLO IT resources, the supply is even lower for qualified and experienced IT security resources. In reality I would be happy to see all IT salaries rise considering the hours we work and the sacrifices of time that are expected, but that is another conversation altogether.

The argument can be made, and I have made it, that without the underlying infrastructure the security resource is irrelevant. But the same argument can also be made that without the billing and accounting team, the marketing team, and the sales team, the infrastructure is irrelevant. In short, while you cannot fully remove one team from a company without impacting the whole, the security team ensures that all the work done by the other teams is protected and safe for customer use, which allows the company to be profitable and to maintain a positive brand image for the long run.

IT security resources need to be categorized differently from other IT resources, and they need to be paid differently. Corporate investment in IT resources' training and continuing professional education (CPE) should be mandatory, so that security resources remain relevant and up to date in this rapidly changing field and can protect the security, brand integrity, and profitability of the enterprise.

When it comes to hiring and retaining IT security staff, there are multiple factors that affect a person's decision to either take or stay at a position. It would be foolish to deny that income may have a larger impact on the decision-making process than most other factors, excluding perhaps geography and relocation.

Geography and relocation are the subject of another excerpt from this paper, where we will discuss the unwillingness of many resources to relocate, especially to cities with a high cost of living like New York, LA, San Francisco, or Seattle, as a justifiable argument for the expansion of remote work. But more on that later.

About the Author

Written by Michael Rotondo

Senior IT resource with experience in all aspects of IT, from entry-level help desk to Architect, who lived and thrived through the dot-com era and crash. CISSP - Certified Information Systems Security Professional, CRISC - Certified in Risk and Information Systems Control, CEH - Certified Ethical Hacker, CPT - Certified Penetration Tester, PCIP - PCI Professional.