Prospective security employees see too many low-ball offers

In this 3-part series, I’ll deal with the issue of a shortage of people in the information security sector.


Taylor Armerding’s insightful article Confronting the widening infosec skills gap provided interesting insights into the current state of information security hiring and the challenges firms are facing finding qualified talent.

Before I get to those points, Pete Lindstrom and Christina Richmond of IDC spent a lot of time researching the issues of information security, salaries, and jobs. This is detailed in their report IDC Security Survey: As the Job Churns, where they make two important observations.

The first is that the perceived job shortage in security is not happening at the entry level, where expectations are basic and it takes about three months to fill a position. Rather, the shortage comes at the higher-experience levels (after about 10 years), where, even though there are fewer positions to fill, expectations are much higher than for early-career individuals.


Second, their survey shows that respondents have changed jobs on average more than six times in their careers. Accordingly, while there appears to be a job shortage in security, it is unlikely to be solved with entry-level training; the real problem is retention and churn at the higher levels. To put it more succinctly, the real question is, "Why are people leaving the field as they progress up the ranks, and why are senior positions being filled by individuals from other areas in a business?"

Information security wages

I have found that the compensation ranges many organizations offer full-time information security employees and contract consultants often don't match current market rates. They are sometimes lower, partly because of increased reliance on third-party recruitment process outsourcing (RPO) staffing firms that are expanding their reach from general IT into cyber-security.

These firms charge additional fees on top of contracted hourly rates. Despite a significant increase in cyber-attacks and a widening threat landscape, and despite other factors such as highly technical roles, expanded responsibilities, program maturity, and limited staffing resources, companies still appear unwilling to pay, unaware of, and out of sync with competitive rates and salaries for information security talent.

Here are some recent examples I found of where salaries/rates were simply not in sync:

  • Senior Information Security Engineer, reporting to the Senior Director, Information Security - $70 per hour on W2. This came with a long list of significant and highly technical duties and responsibilities.
  • Senior Security Architect - Application Security Manager $90,000
  • VP- Information Security Manager- Investment Bank $130,000
  • Senior Security Engineer $60 per hour
  • IT Risk and Security Consultant $45 per hour
  • CISO Cyber Security Policy Compliance Analyst - $50 per hour
  • Cloud Operations Engineer – major NJ pharmaceutical - $80 per hour
  • VP Level Information Risk Management - Global Financial Firm $90,000
  • Incident Response Analyst - $50,000

For security applications, one of the most in-demand roles is that of RSA Archer administrator and developer, and that is where I found some of the most out-of-scale numbers. The most egregious was for a developer with eight to 10 years of experience at $40 per hour on a W2. Another wanted someone with expert knowledge of Archer 5.x platform configuration and development at $55 per hour.

As an information security professional with many years of industry experience, I am frequently contacted by recruiters seeking candidates for client opportunities. Even though my network includes colleagues who would be interested in new roles, the dollars quoted are, on average, often well below market rates.

In addition to lowball compensation, the positions are typically not well defined and may offer no advancement or incentive to leave a current role. As a result, recruiters often reply that they will keep looking for candidates, but they frequently come back with higher salaries after spending months finding subpar and unqualified candidates. This lack of understanding of competitive market rates only delays their search for candidates by months, creating unwanted risk and exposure for organizations that need this talent.

Ben Rothke CISSP (@benrothke) is a Senior eGRC Consultant with Nettitude, writes the Security Reading Room book review blog and is the author of Computer Security: 20 Things Every Employee Should Know.

Copyright © 2015 IDG Communications, Inc.
