
What Makes Salaries Rise for Security Professionals?

Alan Paller

Systems administrators and security administrators work hard all day, protect critical assets, keep systems operating, clean up after the messes that users make, and generally keep the organization operating smoothly. Yet, at the end of the day, they rarely know whether all that work is going to be rewarded and whether they are being treated fairly for the effort they are putting in.

Now a new survey, sponsored jointly by Sys Admin magazine, Certification Magazine, and the SANS Institute offers a few answers. The answers may not work for every reader, but they just might provide a clue about what matters most in getting raises.

The data used for this article reflects answers from 1,597 Technical Security Professionals with titles like Systems Administrator, Network Administrator, Programmer, Security Engineer, Systems Engineer, Security Analyst/Consultant (hands-on), Security Auditor (hands-on), Systems Integrator, Security Penetration Tester, and Web Security Manager. Each of these people provided detailed answers to a 30-question survey between October 20 and November 10, 2005. Their answers constitute one of the clearest pictures ever developed of the technical security professional's job.

Let's get to know the people who completed the survey.

  • 11% are women, and 89% are men.
  • Nearly a quarter (22%) are government contractors, reflecting the huge market for security professionals in government.
  • They are a well-educated group -- 54% have undergraduate degrees, and 18% have Masters or Ph.D. degrees.
  • Most are individual performers, but 15% manage one to three subordinates, and 7% manage four or more subordinates.
  • Their employers range from very small to very large. The respondents are approximately evenly divided among the following employee size categories:

    Under 250 (18%)

    251-2,000 (20%)

    2,001-10,000 (22%)

    10,001 - 50,000 (21%)

    More than 50,000 (19%)

  • Nearly 90% have earned certifications:

    29% have earned vendor certifications, such as those from Microsoft or Cisco.

    22% have earned GIAC certifications.

    21% have earned CISSP or another ISC2 certification.

    12% have earned Security+ or Network+ or A+ certifications.

    4% have earned CISA or CISM certifications from ISACA.

    11% have earned no certifications.

  • They have been working a long time:

    5% have fewer than 3 years of experience.

    8% have 3 to 5 years of experience.

    27% have 5 to 10 years of experience.

    36% have 10 to 20 years of experience.

    24% have more than 20 years of experience.

Now that we know a little about who provided the information, let's try to determine what controls their salaries.

We compared their salaries with the industries in which they work (see Table 1). From the table, one might think that moving to work for a utility or construction/resource industry or transportation company would be a good move. Sadly, there are very few jobs in those industries. So to get higher pay, one might have to move to government or banking or telecommunications companies, but that may also be hard because it requires learning an entirely new industry.

We compared their salaries with the size of their employers (see Table 2). Not surprisingly, larger employers paid more, up to a point. Beyond 10,000 employees, there was no impact. If you work for a small- or medium-sized company, you could do better working for a larger company or government agency. But that, too, is hard. Larger organizations can be very bureaucratic and difficult for people used to a more free-wheeling smaller organization.

How Can You Earn More?

So we started looking for what you can do inside your existing organization to earn more money.

We asked whether having a certification was worthwhile (see Table 3). The data showed that technical certifications matter and that multiple certifications matter more.

We asked whether people holding any of the three groups of technical certifications earned more money (see Table 4). People holding the management-oriented certifications from ISC2 (CISSP) and ISACA (CISA, CISM) earned more than those holding more technical certifications. Of the three technical certification groups, GIAC holders had the highest salaries, while vendor-specific certification and CompTIA certification holders made less.

Then we went deeper and asked what respondents thought was most important to career advancement (see Table 5). Not surprisingly, 98% felt that technical skills were important or very important (80% felt they were very important).

The tough question is: how can professionals prove they have great technical security skills? Employers usually learn otherwise only when hackers have taken over the computers and stolen critical information, or when some other incident has occurred.

To try to get an answer, we asked people who held certifications (and obviously knew what they were worth) which of the certifications would be the best indicator of hands-on technical security skills (see Table 6).

Not surprisingly, respondents holding certain certifications thought that those certifications reflected strong hands-on security skills. For example, 75% of those holding vendor-specific certifications (e.g., Checkpoint or MCSE or CCNA) thought their certifications proved they had solid technical skills. Similarly, 91% of those who hold GIAC certifications said their certifications reflected strong hands-on security skills.

What was surprising was that neither CompTIA certification holders (Security+, A+, etc.) nor ISC2 certification holders (CISSP, etc.) thought their certifications demonstrated strong hands-on security skills. These professionals voted nearly two to one that vendor-specific certifications and GIAC certifications were far better indicators of hands-on security skills than their own certifications were.

Salary Isn't Everything

Regardless of pay, you really need to like your job to have a satisfying career. We ended the survey by asking what respondents liked best and what they hated most about their employers. We didn't prompt them at all, but gave them a blank form in which to write their answers.

In the "liked best" category the most often repeated entries included:

  • Gives me freedom to make decisions and try new ideas.
  • Listens to me and trusts me.
  • Allows me to get advanced training to keep my skills current.
  • Appreciates what I do and thanks me.
  • Gives me interesting and challenging projects.
  • Gives me flexibility in hours.
  • Provides a relaxed work environment (most of the time).

In the "liked least" category the most often repeated entries included:

  • Job overload and schedules that are too short.
  • Bureaucracy, layers of management, clueless bosses.
  • Dumb users I have to teach the same things to over and over.
  • Low salary.
  • No training budget.
  • Not responding to ideas for improvement, even when they solicited the ideas.
  • Doesn't give us authority to make decisions.
  • Politics.

Alan Paller is Director of Research for The SANS Institute. He can be reached at: paller@sans.org.