Demand for security talent has never been higher. Security spending, according to market research firm Gartner, is expected to grow nearly 8% this year. And few would argue that data breaches are under control. And yet, in our discussions with security professionals at all levels of experience and expertise, we often hear that enterprises are simply not willing to pay what is necessary for talent.

This parallels the results of our annual State of the CSO Survey, which found security salaries are flat to down, with most security decision-makers surveyed having earned $179,600 compared to the $180,100 reported last year. In an interview for our State of the CSO story, Daniel Kennedy, research director of information security and network practices at 451 Research, says his own findings parallel ours. “It’s a very interesting job market dynamic. Enterprises complain that they can’t attract talent, they say that they can’t keep talent, and [they say] they’ve tried everything to do so except salary raises,” he says.

A job market in disconnect

This is surprising, considering that enterprise demand for skilled IT security professionals continues to outstrip supply. All of this suggests a market disconnect. And if the surveys and anecdotal reports are accurate, why are companies unwilling to raise pay to attract the talent they say they want?
Or is it that security talent has pay expectations that are too high for the market, despite reports of shortages?

We reached out to a number of CISOs, security practitioners, and industry watchers to find out.

“I think the firms that are having problems finding good information security people are the ones that are not willing to pay a reasonable salary,” says Ben Rothke, an information security manager with a major international hospitality firm.

“In almost all organizations outside of the technology industry, there is stupefied sticker shock at the salary expectations of cybersecurity professionals, especially people without any significant experience or track record,” adds Mark Weatherford, principal at the security advisory firm Chertoff Group, LLC, former CSO at the North American Electric Reliability Corporation (NERC), and former CISO for the states of California and Colorado.

Part of the disconnect comes from a lack of understanding of the resources and effort needed to support a viable information security program. “There seems to be a large financial disconnect when it comes to security that goes beyond just talent,” says James McMurry, founder and CEO of Milton Security Group. “We have seen that the market tends to believe security is important, but not enough to put real money behind it. In many cases, companies seem to have a lack of understanding when it comes to how much work is involved in an information security position,” McMurry says.

They are either unwilling to pay market rate, Milton says, or they believe that their current staff is capable of weaving security responsibilities into their current operation management activities.
“They can fit it in between server reboots,” McMurry says.

Another part of the disconnect is how tough it is to correlate good information security with the bottom line. “You have the perspective of the company as a social entity, the customers, and the shareholders. All three of these are keenly interested in avoiding security incidents, so it would seem a good investment to buy quality personnel,” says Brian Martin, founder and CEO of security consultancy Digital Trust LLC. “Yet corporations have profit motives, bonus motives, cost reduction motives, and shareholders, all of whom are keenly interested in cost controls and minimal spending. These two are obviously juxtaposed and creating conflict,” Martin says.

And within enterprises, good risk management is hard to implement while blame is easily cast, and ultimately no one is held responsible for the harm data breaches cause. “The CISO and CIO might be fired, but until people are held responsible personally for security failures, all the way to the board level decision, nothing will change,” he says.

Not everyone agrees

Not everyone agrees that the information security salary disconnect is systemic, or that the cause of the imbalance sits squarely on enterprises. “For those with truly superior skills, they can get almost anything they demand and they are worth it. One highly skilled security professional is worth a dozen people with mediocre skills,” says Weatherford.

Yet many with mediocre skills rate themselves disproportionately high. “Most people think they are far better than they actually are,” Weatherford says.

Eric Cowperthwaite, currently vice president of advanced security and strategy at Core Security, who has also worked as a CISO at multiple organizations, believes security execs are paid fairly for their skills, experience, and value.
“I have been through the recruiting process for security leadership positions many times over the past 10 years, or so. I’ve generally found the potential salary for a CISO on par with the value the individual can offer to that organization,” he says.

Ultimately, value is in the eye of the buyer and seller, and as Weatherford pointed out in our exchange, an item is worth only what someone is willing to pay – and initial prices paid are of little guidance. Go see what your Darryl Strawberry rookie baseball card is worth these days – probably less than you paid for it. “Is a mediocre football player truly worth $10M a year? If they are the best receiver available and you need a receiver, probably so. Same with security talent - if your security architect quits in the middle of a project, you need someone right now, not in six months, so you may pay a higher salary than you’re comfortable with,” says Weatherford.