Supply and Demand

Heightened awareness stemming from the terrorist attacks of Sept. 11 may drive a boom in salary increases for security-savvy IT staff.

Over the past year, security-savvy administrators enjoyed the largest pay raises of any specialists in the IT sector, according to an Interactive Week/Advantage Business Research study, with salaries jumping 12.6 percent over 2000 figures. But heightened awareness stemming from the terrorist attacks of Sept. 11 may make the increases of the past year look minuscule.

Security experts throughout the country are saying that highly skilled IT people who know how to secure computer systems against attacks are in extremely high demand. The terrorist attacks, combined with the recent Code Red and Nimda worms, which together caused more than $3 billion in damage, have made computer security the issue that everyone is talking about. And there are simply too few security folks to go around.

Scarce Supply

"Demand continues to outstrip supply," says Gene Spafford, director of Purdue Universitys Center for Education and Research in Information Assurance and Security. And while universities continue to produce computer science graduates, few of them are ready to address the security needs that are now emerging, he says.

Salary hikes have accelerated in the last few months at Digital Defense, a San Antonio security company that focuses on the financial sector. "I was starting junior security analysts at $40,000 and it is now taking $45,000," says Marc Enger, the companys executive vice president of security operations. "These are folks who are trainable -- not necessarily good," Enger adds. "My senior analysts were $70,000 to $80,000 and are now at $75,000 to $90,000, depending on talent and experience."

The Interactive Week/ABR study found security administrators making an average of $63,593 in 2001, up from $56,470 a year earlier.

H.D. Moore, a Digital Defense senior security analyst, says all of the security pros that he knows are continually getting job offers from big technology firms like Microsoft, Sun Microsystems and Yahoo!

"Theres not a single Windows NT shop that wasnt hit by the Nimda worm," Moore says. "Thats really opened their eyes on security and how quickly these things can spread. Security people are getting paid more as companies start to realize how valuable they are to the company. That realization has created a bigger demand, and that has meant a continuing increase in salaries."

While Enger and Moore say the market is getting tighter, some companies in Silicon Valley say the dot-com bust has made their hiring easier and less costly.

"The run-up in salaries has abated. They havent gone down, just abated," says Barry James Folsom, president and CEO of PlaceWare, a Mountain View, Calif., Web conferencing company thats currently looking for technical people. "Thats true for security people as well. The good ones we need are working at very large companies, and they arent eager to move to a smaller company," he says.

Bill Trau, vice president of Christian & Timbers, an executive recruiting firm, agrees with Folsom. Although the demand for IT security talent is definitely increasing, he says the entire industry is "still mired in recessionary hiring practices. Chief financial officers and chief information officers arent spending money. They arent spending money on all the infrastructure they need." But Trau predicts the situation will change very soon and companies will begin spending more money on security.

That stance is supported by research firm IDC, which reported last month that it expects the security services market to grow at an annual compound growth rate of 25.5 percent between now and 2005. IDC says the spending will be driven not only by heightened awareness of computer security threats, but also by the increasing use of remote access and wireless devices. Total spending will soar from $6.7 billion in 2000 to $21 billion by 2005.

The increasing numbers of systems that are attacked by worms and viruses underscore the need for better-qualified security personnel, says Spafford, who believes the greatest demand in the sector is for people who are able to build and maintain firewalls and intrusion detection systems.

Unprecedented Demand

The clearest sign that security people are in higher demand may be the responses received by the SANS (System Administration, Networking and Security) Institute, the well-regarded nonprofit organization that focuses on IT security education. The organization has 250,000 subscribers to its security newsletters. Alan Paller, research director of SANS, says the surge in interest in security personnel during the past few weeks has been unprecedented.

Until Sept. 11, Paller says, all personnel with a general knowledge of security were in demand. Since the terrorist attacks, "senior management started asking a different question. They stopped asking how is security doing in risk management and security policies and started asking the readiness question. That is: Are our systems ready to withstand an attack? "

The truly valuable people now, Paller says, are those who "know how to break in, and know how to fix systems and make them impermeable. They can write their own tickets. Because right now, you cant find them at all."