The collapse of the dot-com bubble has finally had an impact on salary increases for information security jobs--a job family that was long considered a safe harbor for IT professionals. Annual salary increases declined from 11.6 percent in December 2000 to just 7 percent last year, according to a salary report released today by the SANS (System Administration, Networking, and Security) Institute, a nonprofit organization of security professionals.
The reason for the salary increase slippage is that dot-com companies had been doling out enormous raises to retain their security people, according to SANS Director Alan Paller. "[Dot-coms] were offering people 20 percent, 25 percent raises to leave old-economy companies and to come work for them," said Paller, in Bethesda, Md. "That pushed everybody else up. But they stopped hiring a year ago, and everyone else stopped having to give these extreme raises. It's a supply-and-demand rather than a value equation."
The fact that security salaries are still increasing at all is an anomaly in these hard times. Recent research from Foote Partners LLC found that only three out of 17 IT job families are experiencing salary growth: security, network operations and SAP. Indeed, the lingering level of security salary increases actually reflects the fact that security hiring is down and companies are trying to hang onto the security staff they have, Paller said.
"We're not seeing a lot of hiring," he said. "We're seeing huge numbers of companies deciding to keep their existing people happy. They are getting them training in new fields and technologies, such as security technologies, project management and databases. But we're not seeing a lot of hiring from outside."
However, according to Paller, there are some industries and sectors where security hiring is still robust. Those include government agencies such as the Department of Defense, the CIA and the National Security Agency, as well as the principal consulting firms that support them, including companies such as Science Applications International Corp., The Mitre Corp. and Computer Sciences Corp.
The bulk of available security positions are senior technical jobs as opposed to security policy jobs, Paller said. "The demand is for people who really understand and have practiced forensics, for people who really understand and have practiced intrusion detection, system testing, vulnerability testing and penetration testing," he said. "A year ago, there was a large demand for people who could talk about those things, but that's disappeared completely."
The salary survey, titled "The SANS 2002 Salary Survey," summarizes data collected from 1,214 security and system administration professionals during April and May 2002.
In other survey findings, the United States for the first time slipped from being the world's top region for security salaries. Asia reported the highest pay, at 7.5 percent over the worldwide average. The United States came in second, at 5.6 percent over average.
Paller pointed out that these findings are likely influenced by the fact that most of the Asians who participated in the survey live in Hong Kong and Singapore, which are two of the highest-paid technology centers in Asia. "There's a very high urban concentration near the biggest [Asian] cities, and no smaller cities [are represented] in Asia," he said. "So there's a small skew in that data. If we picked only New York, San Francisco, Washington and Chicago, there'd be much higher [average] salaries [in the United States]."
Western European and United Kingdom security professionals got better raises over the past year--about twice as large--than did their U.S. counterparts. But that's probably because their employers realize they've been underpaying security professionals, Paller conjectured. The United Kingdom and Western Europe reported salaries 10 percent and 13 percent lower, respectively, than the worldwide average, the study found.
Some other results of the survey include:
- The average salary paid to all security and systems staff who participated in the survey was $69,340.
- Bonuses paid in 2001 averaged 14.5 percent (median 10 percent) of base salaries.
- Within the United States, New England/New York/New Jersey reported the highest salaries (9 percent over the U.S. average). West Coast security salaries are 4 percent higher than average, and Mid-Atlantic security salaries are 3 percent higher than the country's average.
- Employers with more than 10,000 employees paid their security and system administration staff nearly 10 percent more, on average, than smaller employers.
- Security and system administrators who work with Unix make almost 25 percent more than those who work primarily with Microsoft Corp. Windows systems.
- Employers in consulting, system integration, aerospace, banking, computer and network manufacturing, and telecom pay the highest salaries. Education and other non-profit and government agencies pay the lowest salaries.
IT Careers Center Managing Editor Lisa Vaas can be reached at email@example.com.