While CISO pay packets are growing at an accelerating rate, wages for mid-tier cyber security workers appear to be stagnating. Sooraj Shah investigates
High-profile data breaches such as that suffered by US retailer Target have led to cyber security moving higher up corporate agendas.
So much so that the likes of financial services giant JPMorgan Chase, drinks company PepsiCo and US healthcare firm Cardinal Health have decided to recruit chief information security officers (CISOs) to shore up their cyber defences.
Furthermore, while CISOs have traditionally reported to the CIO, many of these new blue-chip CISOs are being told to report directly to the CEO and the board - and in some cases are actually getting their own seat on the board.
Not surprisingly, salaries for senior cyber security professionals are continuing to rise, especially in the US. According to research by the SANS Institute, 49 per cent of security managers in the US who responded to a survey are earning $100,000 or more a year - a rise from 38 per cent in 2008.
And according to Robert Half Technology's 2014 Salary Guide, the biggest rise in salaries of all IT leaders' roles in the UK this year will be for CISOs.
But while salaries for entry-level cyber security workers in the US have risen to an average of $73,697, wages for mid-tier staff appear to have stagnated. The SANS Institute research found that many of those earning $80,000 to $90,000 a year in 2008 can expect to earn only slightly more this year.
"This pay range should be higher, given the tough nature of the job IT security professionals shoulder, and the specialised skills and business acumen required in such positions," the SANS report states.
According to Stephanie Crates, head of the information security practice at recruitment firm Harvey Nash, the reason why senior-level salaries are rising while mid-level salaries seem to be stalling is that enterprises are increasingly willing to pay a premium for people who excel at communication and relationship-building, and may only have a general understanding of the technology.
To illustrate this, she described how Harvey Nash recently put four candidates forward for a global CISO role at a fast-moving consumer goods (FMCG) company. Three of the candidates had a history of successfully managing information security and risk programmes for global organisations and also had strong technical backgrounds. However, the candidate who was appointed wasn't chosen for their technical or specialist expertise, but because they could influence and build relationships at a high level, and unite historically disjointed areas of an organisation.
"The role of the CISO has definitely shifted towards building and almost selling security across an organisation. So you don't have to be technical anymore, you just need to be able to work and influence stakeholders," she suggested.
But for training provider QA's cyber security director, Greg Newton-Ingham, the reason for the disparity simply comes down to experience.
"We are seeing a lot of people [in the industry] who have technical capability but not experience; managers are getting paid more, not for being managers but for experience," he said.
He believes that CISO salaries are rising faster because those at the very top of the profession now have the experience to be able to spot a problem before it happens, and that this is a skill many businesses are willing to pay big bucks for.
But despite the high wages CISOs can increasingly expect, many cyber security workers do not want to take on managerial responsibilities, claimed Newton-Ingham.
"I know people who are very capable in cyber security but do not want to be a manager. But because of the HR process, [companies] want to turn these employees into managers as it is the obvious next step," he added.
US vs UK
The SANS Institute research was limited to the US, but Harvey Nash's Crates believes the situation in the UK is developing in a similar way.
"[The idea of recruiting a CISO] is like the advent of the chief digital officer [CDO] role recently, or the CIO role 15 years ago: the US leads the creation and marketing of these roles and the UK follows quite soon after, albeit with our own interpretation of the job itself," she said.
"Mid-level security salaries have increased slightly in the UK but are definitely nothing to write home about if you compare it to the CISO position. CISOs meanwhile are paid on a similar level and more often than not, more than the CIO," she added.
Although Newton-Ingham agrees with Crates that the US and UK are closely aligned, he believes the main difference is that politics plays a big part in the way US companies operate.
"I would expect the UK to be following the US. The slightly different thing is that there have been a lot of high-profile attacks against the US and so it could be a bigger target, and therefore the perceived value of people is probably a bit higher. We are getting there but we will be slightly behind just because of the nature of US politics," he said.
• Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.