In many ways, IT security professionals today know they are in the driver’s seat. Shortages of cybersecurity skills plague modern businesses. If you’re a security pro, it’s easy to think that you can call your own shots.
And you can, to a point. That’s one of the takeaways from ITPro Today’s latest salary survey, which interviewed IT security professionals on a variety of topics, including job satisfaction, compensation, and perks.
The survey found that while most IT security professionals are satisfied with both their current positions and their total compensation, satisfaction numbers were only 67% and 64%, respectively. In fact, 22% said they are dissatisfied with their total compensation.
Those numbers aren’t at all surprising, given the proliferation of unfilled cybersecurity positions, said Ken Coffman, an IT systems administrator and engineer who participated in the survey. Coffman works directly with the security team at Tri-Tech Medical, a medical equipment manufacturer in Avon, Ohio.
“I see a lot of crazy-high offers coming through just in my daily emails from recruiters who have found my resume online,” Coffman said. “It’s pretty much ‘Name your price’ from a lot of them, but it’s really a [‘Let the buyer beware’] situation. It might be good for three to six months, but how long is that gig actually going to last? Will it be better for you in the long run?”
Pam Nigro, vice president of security for health management company Medecision and an ISACA board chair, noted that current economic conditions, with rising inflation rates, have made some IT security professionals more flexible.
“Before, [when] I offered someone a position, they came back with a counter, I met their counter, and then they came back with another counter,” Nigro said. “But when I spoke with someone more recently about a different position, I mentioned that we could meet their salary expectations and they were fine with that. They wanted other things,” such as the ability to work from home and avoid travel.
The survey also found that about one in four IT security professionals are likely to seek alternative employment in the next 12 months. Twenty-six percent of respondents said they would seek new jobs outside their current organization, while 24% said they would look within their current organization. Those results make sense to Keatron Evans, principal security researcher and cybersecurity expert at Infosec Institute.
“Those who have tangible, marketable, demonstrable skills can pretty much write their own ticket and move either horizontally or vertically as they see fit,” Evans said.
However, there aren’t many professionals at that level, and Evans suspected that most of the survey-takers were IT security professionals who have years of experience. “Those people are definitely looking to make moves,” he said. Indeed, about 93% of the security pros who took the survey said they have 10 or more years of experience in tech.
Marketing and press can also influence security professionals into thinking there is always someplace where the grass is greener. “Everybody has the Hollywood view of cybersecurity, where you’re a hacker who does exciting work, but cybersecurity is really boring if you’re doing it right,” Nigro said. “It’s about looking at controls and doing assessments, not looking for bad guys on the dark web. It’s easy to think that the next job will be more exciting.”
At the same time, most of the survey respondents had a positive view of their current jobs. When asked if they love their job, 39% of respondents said they strongly agreed and 40% said they somewhat agreed.
“You can love your job and still be seeking better opportunities,” Evans noted. “The market for people with the right skills is so ripe and favorable that you can love your job and the people you work with and still want to explore new opportunities.”
What Makes IT Security Professionals Happy?
In addition to compensation and basic benefits like insurance and vacation time, IT security professionals value having the right tools, access to enough training, and, increasingly, the ability to work from home.
Twenty-six percent of respondents strongly agreed they have all the tools they need to perform their jobs, while 49% only somewhat agreed. About a quarter of respondents were either neutral or said they lacked the necessary tools.
As the cybersecurity landscape continues to evolve, attitudes toward the tools are bound to change.
“Cybersecurity professionals will never have all the tools they want,” Nigro said. “During my entire career, I’ve focused on the process, with tools enabling the process. That’s a better method than building your process on the tool. But then people will go to conferences and see a shiny new tool, and [they will] find out that it’s way over [their] budget. But as a manager, I try to ask them what they liked about the tool and find a way to get them those capabilities.”
Meanwhile, about two-thirds of survey respondents said they have all the training they need to do a good job.
Training is a complicated issue, Nigro noted. Training budgets can be limited, but there are other ways to get training. Amazon, Microsoft, Google, and many security-focused vendors will provide free training for their platforms. She added that while her company can’t send everyone to the RSA Conference, for example, it does occasionally give staff a few hours off to attend a security association meeting or training session.
When companies offer training, it sometimes comes with strings attached, however. “I’ve been burned in the past where the company paid for training but then makes you sign something saying that you would remain with the company for the next three to five years or would have to pay them back,” Coffman said. “That actually happened to me, and I had to pay it all back. Now I just pay for my own training.”
To ensure that you get the training you expect, Evans recommended pushing for it in your contract negotiations.
And then there are the intangible job benefits, which make a big difference to all employees. One of the most important of these today is the ability to work from home. In general, younger employees are more eager to work remotely. That’s fine, but they must be flexible, Nigro noted.
“The job of a security professional isn’t 9 to 5. Sometimes it can be 24/7,” Nigro said. “If something blows up, you have to be there on the front lines. Flexibility and trust are key.”
Less experienced IT security professionals can have unrealistic expectations for their employers, according to Evans.
“Some people are being sold a bill of goods indicating that they can go through a quick [educational] process and make $200,000 a year, but that’s clearly not true,” Evans said. “Sure, the security field needs people, but they still need experience and training. The people going through those [IT security] bootcamps can still get good jobs, but it’s nowhere what they thought they were going to get.”
It’s also important to understand the culture of the company, Coffman added. “When you’re looking for your next job, make sure it’s a good fit, because once you get in, it’s hard to get the company to change.”
At the same time, hirers should cast a wider net for job candidates, Evans said. “People in charge of hiring need to stop thinking the way we thought 30 years ago, where people needed a computer science degree or an IT background to be a good cybersecurity person,” he said. “It just isn’t true today.”
Some of the best cybersecurity professionals that Evans has hired have no security or IT background whatsoever. “It’s more about the way they problem-solve and their ability to learn new information,” he explained. “Allow some room for some people with nontraditional backgrounds. I think you might find some value there.”