For Candy Alexander, the difference between cybersecurity professionals and everyone else in the information-technology sector isn’t just a matter of skill set, it’s also a matter of mindset.
“Technologists want to see how something runs,” says Alexander, who directs the Cyber Security Career Lifecycle program for the Information Systems Security Association. “Security people want to see how something breaks.”
The Association has served as a resource for people working in the information security field for over three decades—effectively growing up with the field as it’s matured and cybersecurity issues have come to regularly dominate the headlines. While there have been frequent lamentations about a shortage of qualified cybersecurity talent, Alexander notes that is hasn’t resulted in an outsized spike in salaries for cybersecurity professionals—at least, not across the board.
“Technologists want to see how something runs. Security people want to see how something breaks.”
“Generally speaking, the salaries for cybersecurity professionals are very similar to those for IT professionals—from a generalist perspective,” she explains. “When you get into more of the specialty areas like pen tester, application security, or some of those really focused exerciser areas, the salaries are going to be higher because of supply and demand. That’s where you’re seeing it rise above those salaries in IT.”
It’s in those areas of specialization that the salaries start to diverge, simply due to the relatively small number of people with the requisite expertise.
In an interview earlier this year, Ladar Levinson—the founder of the now-shuttered encrypted webmail system Lavabit, which was so secure that it counted NSA leaker Edward Snowden among its users—said that he’s had a lot issues finding qualified talent to work on his next-generation secure email system, DarkMail, because the number of people on the planet with expertise in both building large-scale email systems and cryptography is likely only a few hundred.
However, climb the corporate ladder above specialist technicians and mid-level managers, and the salary differences start to move in the other direction. Alexander notes that in the top echelon of managers within the C-suite, chief information officers can earn $100,000 a year more than chief information security officers in the same company and often count the CISO as one of their subordinates.
For Alexander, companies not putting information security at the same level of information technology isn’t a smart move. “A lot of companies believe their CIO can do security leadership, but ultimately those organizations are finding that’s not really working because of an extra piece they’re missing,” she says.
“As cybersecurity professionals, we are technologists. Therefore, we need to learn the technology and be on top of it just as much as IT,” she continues. “However, we have the additional challenge of understanding what the potential threats are in relation to using that technology and therefore how to mitigate them or how to circumvent those risks. That’s a caveat: we are IT, but we’re more than that. We have to learn what they learn but then jump ahead and learn the threats and vulnerabilities and the mitigation to control those risks.”
Data provided to the Daily Dot by Salary.com outlines the median salary for a number of common cybersecurity job titles:
- Chief Information Security Officer – $195,620
- Top Systems/Applications Security Executive – $184,086
- Information Security Director – $156,230
- Data Security Director – $143,394
- Disaster Recovery Director – $135,943
- Cross-Platform Security Manager – $129,612
- Data Warehouse Information Security Manager – $124,125
- Data Security Manager – $120,812
- IS Security Manager – $114,438
- Disaster Recovery Manager – $119,132
- Web Security Administrator – $102,250
- Web Security Manager – $99,851
- Data Security Supervisor – $98,771
- Systems/Application Security Analyst – $83,972
- Disaster Recovery Analyst – $80,642
- Security Administrator – $74,307
- Information Security Analyst – $57,067 to $115,444
- Data Security Analyst – $54,234 to $116,323
Contact the Author: Aaron Sankin, [email protected]