The state of security hiring: Jobs, skills & salaries

Even in today's tough job market, demand for security pros remains high. We look at the hottest industries and markets for cyber security jobs — and what it will take to land a one of these top jobs.

Aspects of employment / communication / networking / partnership / collaboration / teams / hiring
Metamorworks / Getty Images

As the country has wrestled this spring and summer with unemployment rates the likes of which haven’t been seen since the Great Depression, information security professionals have not been immune from the major disruptions in the workforce.

Even as the need for information security services has grown, especially in sectors such as healthcare, government and financial services, the ability of many organizations to fund these key positions has taken a decided hit, with many budgets flat or even reduced.

Regardless which industry a security professional may work in, the stakes have gotten higher for experience, skills, personal traits and attitude. Like all job roles that haven’t been cut back or cut entirely, those working in a full-time job must bring real value to the position as all organizations struggle to position themselves for growth.

“Finding people with a range of specific tools or technical experience is easy compared to finding people who know how to translate what they know into mission enablement in an organization,” stresses Paul Rivers, chief information security officer at Yale University. “Technical prowess and detailed arcane infosec knowledge is not enough. People who have a track record of understanding how to deliver solutions to hard problems that advance organizational objectives will always be in high demand.”

Where hiring is the most robust

Despite well-publicized layoffs in many sectors, there are some industries where information security pros are definitely flourishing right now. Among them are banking and financial services, where many organizations have fallen victim to countless cyber attacks since the pandemic began.

Indeed, the banking and financial services sector helped fuel a surge in new info security jobs, says Tracy Lenzner, president of Lenzner Group LTD., a boutique executive search firm specializing in cyber security and technology risk positions.

“There was a 65% upswing in demand in the U.S. and more than 5% in the U.K., driven by big banks, technology giants and niche info security companies. Moving forward, based on recent discussions with industry executives, we expect hiring demand in IT security to continue through Q4, with another significant uptick in 2021 and more,” Lenzner says.

In terms of the top industries overall for IT security pros, Burning Glass Technologies, a partner of job site Dice.com, says the following are the top five based on job posting volume as of July, 2020:

  1. Professional, scientific and technical services
  2. Finance and insurance
  3. Manufacturing
  4. Public administration
  5. Administrative and support and waste management and remediation

Information security skills in top demand

While the COVID-19 pandemic is certainly adding to demand in some industries, Lenzner cites a number of other factors, including increasing cybercrime, geopolitical challenges, terrorism and new government regulations and restrictions.

Taken all together, Lenzner says the above challenges have made the following among the top areas for IT security work:

  • Mobile security, 5G networks and infrastructure convergence
  • Cloud security, disruption technologies such as artificial intelligence and machine learning
  • IOT security, cyber defense, application security and security services
  • Biometrics, next generation authentication systems
  • Critical infrastructure and industries subject to complex regulations and tech innovation
  • Security engineering, development and implementation
  • Data intelligence, privacy, cyber law, investigation and incident response
  • Advanced encryption, quantum computing, and blockchain

What the top information security jobs pay

It comes as little surprise that banking and finance are among the top-paying sectors for IT security pros, Lenzner says, along with high tech firms and consulting. In these sectors, compensation can reach up to seven figures for elite top performers.

“These top security professionals are highly sought after and compensated, with rich benefits packages that can include competitive salary, bonuses, stock/stock options (if a public employer), deferred pension and golden parachute incentives,” Lenzner says.

In terms of specific IT security salaries, SecurityDegreeHub.com cites the following as the average national salaries for top-paying jobs, as of July 2020:

  1. Chief information security officer - $249,000
  2. Security architect - $124,600
  3. Risk manager - $101,404
  4. Security, network and/or web penetration tester - $83,137
  5. Network security engineer - $82,760
  6. Network security administrator - $76,500
  7. Cybercrime investigator - $75,000
  8. Information security analyst - $71,309
  9. Security analyst - $67,419
  10. Security manager - $55,000

The above numbers represent national averages only. How closely an IT security pro actually matches against any salary shown depends on a number of factors, including region and industry. But there are a number of other factors that can help boost the base salary.

“Variables that impact compensation and career advancement can include track record and years [of] experience in current role, experience in prior roles, key accomplishments, organization size, location, type of industry, global or regional operational scope, business and technical experience, IT and cyber security domain expertise, reporting relationships, track record in leading and building complex organizations and/or secure systems, strategic and tactical leadership, overseeing matrixed-operations and/or technical teams, academic degrees, relevant certifications and licenses, advanced training, patents, industry contributions and memberships, top communication / presentation acumen, diplomacy, sense of humor, resilience, proven ability to drive stakeholder buy-in and champion security initiatives at executive, business and technical levels,” Lenzner says.

What it takes to land top pay

To receive top pay in any information security position, work experience obviously counts for a lot.

Art Zeile, president and CEO, DHI Group, Inc. DHI Group, Inc.

Art Zeile, president and CEO, DHI Group, Inc.

“I recommend that security-focused technologists work their key systems and processes into their interview answers, irrespective of the question asked,” says Art Zeile, president and chief executive officer at DHI Group, Inc., the parent of job sites Dice.com. “I would also advise that security professionals have one or more insights they can provide the employer that represents true wisdom that they had not heard before, demonstrating that the candidate is a life-long learner in the craft. Since cybersecurity is a constant battle, relevant real-time tactics and information are greatly respected.”

It may also surprise IT security pros that many top job areas for those with security skills may not be traditional security roles at all. For example, according to Burning Glass Technologies, the top tech jobs with the highest percentage of job postings requesting that an application have some level of cybersecurity skills are as follows:

  1. Cyber/information security engineer/analyst
  2. Software developer/engineer
  3. Network engineer/architect
  4. Network/systems administrator
  5. Computer systems engineer/architect

The top markets for information security professionals

As noted, the salary of an IT pro is primarily driven by experience, industry and region. Traditionally, top markets for IT security hiring have included large metropolitan areas like the New York City metro area, Boston, the Washington DC beltway, Chicago, the Dallas/Austin/San Antonio market, Atlanta, Seattle, the San Francisco Bay area, Los Angeles and San Diego. And, of course, along with the soaring salaries in these areas comes a high cost of living, which must also be factored in.

But certain states overall are best bets for IT pros. The top five as of July 2020, according to Burning Glass Technologies are:

  1. California
  2. Virginia
  3. Texas
  4. New York
  5. Florida

The right attitude for information security

While direct job experience is obviously important for many IT security roles, attitude counts more with some employers, even in government, which is one of the top industries for security jobs.

That is the case at the County of San Bernardino, CA, where Chief Information Security Officer Robert K. Pittman Jr. says he finds most of his information security professionals internally.

“Skillsets are critical, but just as critical is the individual’s mindset, as derived from my definition,” Pittman explains. “The mindset or attitude of a security professional includes being mindful to being open-minded (e.g., intellect, innovative, creative), ambitious, resourceful, possessing energy, altruism and trust, understanding ethics and one’s moral duty in appropriate decision-making and resolving conflicts (i.e., consensus building, conflict resolution) for the greater common good of the organization, and understanding an organization culture and behavior from different perspectives.”

Robert K. Pittman, CISO, City of San Bernardino County of San Bernardino

Robert K. Pittman Jr., CISO, County of San Bernardino

“Understandably, as one progresses through an IT security career as opportunities afford themselves, it is based on a stairway approach, not an elevator ride — it will take time to grow and develop to the highest IT security position as a CISO,” Pittman says.

Pittman says he does his fair share of recruiting and hiring from the publicly available job market, but he says the majority of the time it is very challenging in terms of finding individuals that are passionate about their craft. 

“Consequently, most of my hiring has been through osmosis or developing security professionals internally,” Pittman says. 

How job candidates can put their best foot forward

In any job market, even for in-demand security skills, it is important that job candidates show potential employers not only that they have the relevant technical expertise, but that they are committed to helping the business succeed.

“Focus, focus and focus again on your core certifications and technical knowledge, and understand the larger picture,” advises Arthur F. Ream, chief information security officer at Cambridge Health Alliance in Berwick, ME. The reasons are simple.

Arthur F. Ream, CISO, Cambridge Health Alliance Cambridge Health Alliance

Arthur F. Ream, CISO, Cambridge Health Alliance

“Managers that hire individuals smarter and faster than them to produce a team are being proactive, positive and driving change in security for the organization. To the candidate: Become an integral part of the business operations enabling safe transactions and operational initiatives.”

Finally, if an IT security job candidate understands how to fit a security program into an organization’s objectives and culture, rather than the other way around, and can solve those challenges with urgency, that’s worth a lot to any organization, advises Rivers.

“It’s old, but relevant, advice: understand the mission, speak in terms of that mission, and build a track record of solving hard problems that translate to that mission,” Rivers stresses.

Related:

Copyright © 2020 IDG Communications, Inc.

21 best free security tools to make your job easier