How much is a security professional worth annually?

A number of factors go into this equation, but suffice it to say that the security industry and its salaries have not felt the recession the way other professions have. And with security professional unemployment suggested to be at zero, it’s no wonder young security professionals are opting for (formal) education in information assurance.

As someone who sits on two higher education curriculum advisory committees, I’ve seen firsthand the influx of interest in building security programs for students while the market is hot. Supply and demand has been a big driver in recent years.

For what it’s worth, several in academia fill students with hope that their first gig is going to pay $90,000+ with nothing more than an undergraduate degree.

What (some) institutions are not saying, not because they are holding back but because they are not seeing the full picture, is how salary relates to location, industry, and experience.

As a result, future employees are expecting bigger salaries simply because a professor suggested searching for “security analyst.” Again, location, among other factors, obviously matters.

In fact, a recruiter for a well-known agency recently said, “companies don’t pay cost of living, they pay cost of labor.” To anyone who has been around the block a bit, this makes a lot of sense. To a young graduate, not so much. They may fail to see that while salaries in Washington DC or San Francisco may advertise $90,000, the cost of living is outrageous. But students get caught up on the top number and assume that’s the going rate wherever they go.

Have security salaries and positions in the market started to peak? Have companies met their quota? There’s been little to no indication that this has been happening, and security is still one of the fields to consider when looking for a career. Or has that recently changed?

SANS recently published a professional trends survey comparing salaries across roles, level of education, and often-debated certifications. SANS’ report shows that while salaries are still on the rise, they don’t appear to be rising as sharply as assumed. So while positive growth is encouraging, their survey does not show the spike many claim.

Granted, surveys are surveys and a lot of variables make up the results. SANS cited a majority of respondents believe certifications are big contributors to their success and have added up to a 5% increase as a result. This is great for SANS given their specialization in advanced technical certifications which are highly respected.

Not everyone agrees with the SANS survey, in particular David Foote of Foote Partners. David recently responded to the SANS survey with the following:

“This SANS research is flawed but then among the many great things SANS is, a professional compensation survey firm they are not. We are, tracking and reporting pay at 2,600 employers in US and Canada. Our data going back to 2008 does indeed show a few tough years in the 2008 – 2011 time period but it generally disputes any notion that growth in infosec pay has been as anemic on a CAGR since then as the SANS survey may be showing. We also track pay premiums for 53 individual security certifications: pay for those was up 5.6% in just the twelve months ending April 1, 2014. We like SANS a lot for what they do well. We don’t think their compensation numbers are up to their usual standards but it’s great that they’re entering the debate on pay for security professionals. That debate deserves to be given the light of day.” Source:

The debate will continue, and many factors should play into the evaluation of salaries. What’s helpful is to be able to compare publicly accessible data from various sources, some of which require payment. SANS now adds more recent data to this list. SANS is one survey; what other sources exist to assist hiring managers with offering an appropriate salary? The following are various sources to consider when seeking to benchmark new or existing roles.

Foote Partners: Foote Partners has been conducting salary surveys for years across many areas of IT, and in particular, information security. Data requires payment, but a sample report is available as a general guide at: (updated as of April 2014)

Robert Half: Robert Half conducts research on IT and security as well as other areas outside of technology. The security-related data is available starting on page 14:

Ponemon and SecureWorld Insight: Recent collaboration produced a benchmark report of compensation and role of security teams. The report was conducted across 133 companies with more than 1,000 employees. The report is available for purchase at:

United States Bureau of Labor Statistics: The Bureau of Labor Statistics provides supplemental information to use in the technology industry. While not an industry report, it does serve as a complementary guide to additional resources and is located at:

Global Knowledge: The training firm, Global Knowledge, helps organizations who are looking to benchmark staff with certifications. The salary will vary by geographic location (included in the table) but this serves as a quick glance supplement to other resources which may not specifically reference certifications in the salary range and is located at:

Semper Secure: In partnership with NetApp and Northrop Grumman, Semper Secure hosts the results from the cyber security census and has a heavier focus on government positions. The study is available for download at:

Certainly, salary negotiation is not a perfect science, and a lot of factors go into salaries and surveys. Many find comparing more than one source an effective benchmark, especially during a time when breaches are occurring and security spend isn’t slowing down. Business leaders are asking whether these salaries are worth it, and asking for proof.
