


by Senior Editor

RSA 2010: Infosec Pros Get Raises Despite Recession

Mar 03, 2010

An (ISC)2 survey suggests salary increases and hiring went up for many security practitioners in the last year despite the Great Recession. Ironically, the recession may be WHY it's happening.

SAN FRANCISCO — (ISC)2 used RSA Conference 2010 as the backdrop to release survey results that will probably raise eyebrows among those who have lost jobs and struggled to find new ones in the aftermath of the Great Recession.

According to its 2010 Career Impact Survey, more than half of the 2,980 information security professionals polled between December and January received salary increases in 2009, while less than five percent of participants lost their jobs — a smaller number than one might expect given the severity of the recession.

Globally, 52.8 percent of respondents received salary increases in 2009. Less than 11 percent saw their salaries and/or benefits cut, while 4.8 percent were laid off by their employers. Of the 800-plus respondents who identified themselves as having hiring responsibilities, more than half — 53.3 percent — said they need to hire permanent and/or contract employees in 2010. In the U.S., this is an improvement over the previous year’s survey, when 44.5 percent of hiring managers said they expected to be hiring in the second half of 2009.

Of those hiring, 40 percent said they’ll hire three or more information security professionals this year, compared to the 2009 survey, in which just 13.1 percent said they would be hiring three or more new permanent or contract employees. Over 90 percent of hiring managers globally and in the U.S. said their biggest hiring challenges were finding candidates with the right skills and level of experience.

Ironically, the reason for these pay increases may be the recession itself, as security practitioners are called upon to protect their companies from angry, laid-off employees who may feel compelled to do something malicious to computer systems on the way out the door, (ISC)2 Executive Director Hord Tipton said in an interview Wednesday morning. The rapidly shifting threat landscape is another likely reason.

“As quickly as technology has advanced and as prevalently known as the threats have become, companies realize they face huge risk,” he said. “Even though the company is going through economic problems as a whole, you have to worry about people leaving the company unhappy and the risk of malicious acts as a result.”

In the event of a large layoff, security staff are among the last to leave because they have to strip people of their keys and Internet access, Tipton said. “The people you retain you want to be your best people. It’s a distillation of the process. You pay them more for knowing more and you simply try to keep them,” he added.

Among the more specific findings:

  • About half of the respondents (51.1 percent globally; 51.9 percent U.S.) saw their information security budgets decrease somewhat or significantly in 2009, while 36.9 percent (35.7 percent in the U.S.) expect no change in their budgets for 2010. This compares to over two-thirds (72 percent) of respondents who reported in the 2009 survey that their budgets had been reduced last year.
  • Approximately 54 percent (54.6 percent in U.S.) of respondents expect no personnel reductions or layoffs in 2010, while 20 percent (20.8 percent in U.S.) expect additional layoffs, compared to 40 percent of respondents from the previous survey in 2009.
  • In the U.S., 34.2 percent of respondents believe the economic downturn is causing an increased security risk within their organization, 37 percent of whom identified outside attacks from hackers as the most common security risk attributed to the economic downturn, compared to 31.3 percent globally. Employee misconduct was identified as the second most common risk by 31 percent in the U.S. Employee misconduct was considered the most common risk globally by 37.7 percent of respondents, who believed there was an increased security risk in their organization.
  • Globally, 55.5 percent of respondents said the economic downturn had decreased their security technology purchases in 2009; 30.7 percent of respondents believe the economy will continue to cause decreased purchasing in 2010.