• United States



by Simone Kaplan

Security Salaries 2003: Coming of Wage

Jun 01, 20036 mins

The only clear trend when it comes to security salaries is that they're likely to rise as the function matures.

There’s no such thing as an industry standard when it comes to the executive security position—not for title, job scope, responsibility or reporting structure. And that goes double for compensation.

Security salaries are still shaking out as the executive-level security role comes into its own. Partly, that’s because the story of the typical CSO is not a simple one. Just about every security officer out there is a variation on a theme. Likewise, there’s no clear consensus on exactly what a CSO’s worth is—certainly not among the recruiters nor even the CSOs themselves. “I’d say most make at least $100,000,” says the chief of security for a large credit union. But the gap between that and the top end of the market for CSOs is wide. “Large companies hiring security executives can pay up to $500,000,” says Marc Lewis, president for the North American division of Morgan Howard, a global technology executive recruiter. The disparity can be chalked up to the fact that no aspect of the CSO role itself is clearly defined.

As part of our annual compensation survey of more than 400 security executives, we asked CSOs to give us an idea of how much they make, what their jobs entail, what their professional titles are, how long they’ve been at their jobs and in what industries they work.

The results were not what we were expecting. Our respondents indicate that having a C-level title doesn’t necessarily translate to a higher salary. In fact, most of the respondents at that level are making about the same in terms of total compensation, regardless of titlein other words, security managers earn basically what CSOs do. Compensated most highly are vice presidents or directors, but only 8 percent of them make more than $300,000 per year.

We may have been caught off-guard, but the lack of a connection between title and compensation was no surprise to CSOs we talked to. According to Marcia LaManna, corporate director of systems security for Lifetime Healthcare, title isn’t the point. “I don’t care much about title,” LaManna says. “I’m the last word on security at my company. If I were at another company, I’d probably have the CISO or CSO title. But I don’t think the C in the title matters in terms of salary.”

Our survey also revealed that there were almost as many names for top security executives as there were companies queried. Well, maybe that’s an exaggeration, but we discovered that a security manager at one company can be doing the same job as an executive vice president or a CSO at another. That’s probably why, at least for now, compensation levels are predicated more on the scope of the CSO’s job responsibilities than on title. And that’s the way it should be, LaManna says. “The bottom line is accountability and responsibility.” Basically, the more you’re responsible for, the more you make. A security executive in charge of traditional and information security will command more than someone overseeing only infosecurity, and an executive at a 2,000-person company will make less than someone responsible for protecting 40,000 people.

Also, industries with a high risk level tend to pay higher salaries to their security executives, says LaManna. Salaries in health care, for example, are starting to reflect the increase in security responsibilities caused by demands for data privacy, she says, although compensation still doesn’t compare favorably with that of the financial services sector. “That’s partly because portions of the health-care industry are still nonprofit,” LaManna says. “But now, with HIPAA and the Gramm-Leach-Bliley Act adding to the privacy responsibilities of the security officer, salaries are starting to go up.”

In general, though, companies have been slow to define the scope of the CSO job, which means they don’t know how to properly compensate the people they hire. CSOs say that companies that have created new executive-level security positions aren’t paying what the position is worth. “They’re totally lowballing it,” says the CSO at a large university who has had offers in the range of $60,000 to $90,000 from companies trying to fill new security positions. “They’re not going to find a qualified CSO for that salary.”

A correlation between a company’s emphasis on security and how much it pays security executives definitely exists, says another CSO. “Companies that are new to security usually don’t place a lot of value on the function,” he says. “But companies that have had senior-level security positions for a while understand exactly how important it is, and they pay accordingly.”

Compensation also depends on the industry in which a CSO works, and that is where the survey numbers were truly surprising. Our findings show that the computer industry pays its security executives more than any other industry, including financial services, which most of the CSOs we talked to assumed was top of the list. “The computer industry pays more because until recently, it was the hottest thing around,” says Rob Graven, a managing director specializing in technology and security services for Boyden Global Executive Search. “Computer and software companies have had the biggest IT departments with the largest budgets, and even though the boom is over, the salaries have held.”

Financial services has other benefits, however, that make up for relatively lower security salaries. “The financial services industry does pay well,” says the CISO at one of New York’s exchanges, but it is also more conservative than the technology industry and thus can offer greater job stability as well. “The computer companies can’t do that right now,” he says.

With the economy in a holding pattern and the country recovering from war, CSO salaries probably won’t experience any major ups or downs for a while, says Graven, though he sees greater demand for qualified security personnel developing once the economy gets back on track. More important, Graven says, the CSO role needs to gain greater definition and become more of a known quantity to corporations and CSOs alike. Once that happens, security executives can expect to receive more recognition, responsibility and respect in their jobs and, probably, more negotiating power over paychecks.