"At the moment, if you're a cybersecurity professional, and you have the skills, it's a very good market. You can do very, very well," Stroud says.
High salaries reflect the demand. The average IT starting salary is expected to climb 5.7% in 2015, according to Robert Half Technology (RHT). Five out of six security titles in RHT's annual salary guide are getting larger-than-average bumps in pay for new hires:
- Chief security officer: starting pay ranges from $134,250 to $204,750, a gain of 7.1% compared to 2014;
- Data security analyst: $106,250 - $149,000, up 7.4%;
- Systems security administrator: $100,000 - $140,250, up 6%;
- Network security administrator: $99,250 - $138,500, up 5.3%;
- Network security engineer: $105,000 - $141,500, up 6.7%; and
- Information systems security manager: $122,250 - $171,250, up 6.6%
Certifications drive starting salaries even higher, RHT notes. In the security category, having a Certified Information Systems Security Professional (CISSP) certification adds 6%, on average, to IT salaries, while Check Point Firewall administration skills are worth a 7% bump, Cisco network administration skills add 9%, and Linux/Unix administration skills add 9% to starting pay.
The allure of compensation contributes to another staffing challenge for enterprises: turnover. It's particularly tricky to keep top security talent. CISOs and other senior security executives leave after 2.5 years, on average, according to research from Ponemon Institute.
Qualified people at the c-level and just below titles such as director of information security, chief security architect, chief security officer -- generally come from two different tracks, says Andy Ellis, chief security officer at Akamai. There's the mostly homegrown security pro with deep technical experience who worked his or her way up in an organization, knows everything about how that organization works, and can make that business transition.
The second type is the experienced security pro who hops from company to company. "Some of these are really astounding CISOs, they'll work a three-to-four-year stint at a company, turn it around, and that's what they love doing," Ellis says. "They're not big fans of the maintenance, they'd rather just do that and turn it around."
Both types are in danger of being lured to the start-up world, Ellis notes. "What I find a lot of companies are competing with is the experienced c-level folks saying, 'I could go do this job again, or I could go be the CTO of a security company.' There are more and more of these really good technical senior staff that are going to either be a CTO or a chief strategist or CEO of a small security startup because the payoff is so much better if they can make it work."
Just how hard is it to find people?
Sign up for Computerworld eNewsletters.