IT Security Salaries Expected To Rise In 2011

wiredmikey writes "IT security professionals in the United States can expect starting salaries to increase in 2011, according to a new salary report released today. The guide suggests larger increases in base compensation expected in high-demand segments including information security related positions. According to the report, companies are hiring security professionals to help foil fraud, prevent network breaches and comply with new regulations, to keep confidential information safe and secure."

WooHoo!

[WrongSizeGlass]

Time to raise my rates! I'm sure my clients are going to be thrilled, but if they took my advice about security they'd only pay for my advice and not pay me repeatedly to delouse their PC's.

Not Based on Surveys - Based on Actual Placements

[joelleo]

bodes well for the article's accuracy that its based upon actual placements rather than a "salary survey." Here's to a slightly higher salary in '11! *clinks rum & coke glass with the slashdotter next to him*

Already for me

[c0mpliant]

I got a raise a month ago for the first time in two years since I started this Security job and not a token raise either. There is demand there for Security officers from Security Admin jobs to Pen testing jobs and everything inbetween

Re:On my way to graduation

[h4rr4r]

And that is why we require degrees around here for all but the sharpest tacks. Too many know-nothing test takes. If you do not know how it really works you probably can't figure it out when it breaks.

gold

[buravirgil]

"Industries forecasting particularly strong demand for IT professionals in 2011 include business services, transportation and healthcare."

"There is a strong need for IT professionals in healthcare in particular. We've seen a strong demand for IT professionals, from developers to help desk, to assist with the conversion to electronic medical records," Reed noted."

Pfft. Only corporations will steal medical information, through regulation. And breaches will still be whole databases left in a taxi on a laptop. Transportation? Business services? Keeping safe the growing gambling gold, posted just below, is a more likely source of a spike in salary dollars.

Re:Not Based on Surveys - Based on Actual Placemen

[betterunixthanunix]

Rum and coke? With that higher salary, I would expect some single malt scotch...

Re:On my way to graduation

[h4rr4r]

Nope, note I said we exclude the sharpest tacks. It just happens to be the normal way for folks who actually know how spanning tree works, or where broadcast domains should be split or how to script their way out of wet paper bag. Sure the test takers can tell you the vendor approved method, but they sure as hell can't tell you what other methods might be better or why the vendors docs are wrong.

Re:gold or where is the data this week?

[WillAffleckUW]

Actually, one of the most amusing security breaches in history was when a General left his laptop with Top Secret info on it in a taxi.

I'm farming Cataclysm. They pay in Yuan for archeological items.

Re:Not Based on Surveys - Based on Actual Placemen

[joelleo]

/me searches for his bottle of Caol Ila
/me realizes he hasn't bought it yet because HIS share of the higher salaries hasn't come through yet
/me frowns in consternation and turns to his bottle of Jack in the meantime

Re:On my way to graduation

[Beerdood]

I went to a technical school for my Comp Sci training. The bulk of the courses was what you'd expect (databases, programming basics, languages etc..) but there were 3 mandatory courses on "business" or "communications". This included things like how to write your resume, a simulation of a project manager dealing with consultants, how to write a proposal, actually communicating with people etc... Also, the final project of our last semester had people in groups developing a new application for a client from scratch - most schools have a co-op program in place like that

So if you learned everything in your mother's basement and I learned it at school, maybe we have the same qualifications for a job. But they're going to hire me because there's a better chance that my writing and communication skills are superior. You don't learn how to deal with people by teaching yourself to code and your writing skills probably need some work (ever wonder why English 101 is required for your university degree?)

Re:Get in line...

[sjs132]

There may be 9-10% people who already have a degree looking for the same job you are. You picked a lousy time to graduate. Go back in for a masters, you can get four more years of beer drinking and racking up the loans.

Re:gold or where is the data this week?

[sjs132]

I hate farmville to...

That's great

[dnaumov]

Now if there were any actual IT security jobs around...

tricksters sell to scared idiots, news at 11

[FuckingNickName]

Yeah, there's also an increase in demand for physical security, more funding for anti-terror tools/research, etc. The western world is currently more scared of nothing than it's been for decades, and IT security "experts" are the latest in a line of technically mediocre conjurers who manage to charge a lot to turn people from feeling scared to feeling slightly less scared while achieving absolutely nothing.

You know who you are.

Re:tricksters sell to scared idiots, news at 11

[c0mpliant]

Are you denying rising need for additional security in our ever expanding interconnected world? In the era when more than ever before, a persons personal data is stored on dozens of different, independent sources each one of them has to be secure and if its not you may as well have no security any where. Then you need to actively monitor it for ensured protection against the latest threats. This is no snake oil that is being sold, this is as much requirement for business as accountants, HR and physical security.

I grant you that some companies out there are selling products that are being labeled as all in one software packages which provide "security out of the box", which we all know are farce, but I find these to be no more prevalent than any other sector.

Re:tricksters sell to scared idiots, news at 11

[Securityemo]

The clinch is of course, that in computer security the client has no idea what the hell you are doing whatsoever. There is no direct way for the client to observe if he has been ripped off, so people will therefore intuitively feel that a larger moral burden rests on the "comp sec guy."

Re:tricksters sell to scared idiots, news at 11

[CAIMLAS]

If someone can turn a buck telling people trivial things which improve security - simply because he's an 'expert' - I'm all for it. I'd love such an easy job.

"Lock your doors at night"
"Don't leave valuables in plain sight"
"Look both ways before crossing"
"Don't trust the panhandlers"
"Cabbies are even worse"

All of this is common sense, but take a Bushman into a city and see how much sense it makes. He'd probably give many shiny beads to be led to safety.

Re:tricksters sell to scared idiots, news at 11

[Beryllium+Sphere(tm)]

Part of my practice is telling clients when not to worry. They'll ask about some overhyped threat, and I'll put it in perspective for them.

Re:tricksters sell to scared idiots, news at 11

[bzipitidoo]

Security needs have not fundamentally changed!

GP is right. We've been jumping at shadows. And dealing poorly with the problems by having an army of "security specialists" try to plug leaks before they happen. They're constantly analyzing code, patching systems, quarantining spam, checking logs, tweaking firewalls, and other similar measures. It's like managing dikes by hiring boys to walk along them and plug holes with their fingers. Mitre's CVE program is all very well, but is hardly all that we can do. And SE Linux is obnoxious, the way it can too easily block a great deal of functionality.

If we were to get really serious about it, we'd pursue some real solutions. Many security problems arise from bugs. Instead of approaching this problem from a viewpoint of security, we should approach this from a quality standpoint. Reduce defects in software, make more use of safeties, and we eliminate a lot of problems, including ones that affect security. Focusing only on those that affect security is too narrow an approach that creates a lot of work that may not be necessary. Perhaps formal verification is worth trying. Even if formal verification can't be done, the efforts may produce much of use. It would be great to have a microkernel OS such as Minix 3 mature enough for practical, everyday use. Then there's customs such as the traditional login by querying for a username and password, and the basic "rwx" owner, group, and world permissions for files. Revamping file permissions is delicate. Don't want to go overboard defining dozens of different permissions beyond rwx. But also don't want to be inflexible. For instance, why can't a file belong to multiple owners and/or groups?

3 other problems are a tendency to seek security through obscurity, the relentless push to keep costs down by skimping on the coding quality, and complexity. The obscurity problem is compounded by trying to enforce the secrecy through law, as well as abuse it to hide problems and try to keep technical secrets, as if reverse engineering is a threat. Code cannot be evaluated if the source is not available! On the next, all kinds of horrors of programming are routinely written in great haste. A similar problem is choosing performance over safety. And on the last, nothing can blow the security like a completely lunatic requirement for some trivial convenience. Rather than be put to the trouble of learning or making new software, people will insist on using their favorite application no matter how many holes it has squirreled away in obscure features. Or they'll design websites that cannot function without ActiveX or Java applets. It's hard to take an organization's desire for security seriously when they require the use of ancient versions of IE and Outlook.

Re:tricksters sell to scared idiots, news at 11

[Glonoinha]

For instance, why can't a file belong to multiple owners and/or groups?

Without going so far as calling it 'secure' - I will go out on a limb and say that Windows has been able to do this since ... like NT 4.0
Now that I think about it, I'm pretty sure Novell had this ability as far back as ... maybe Netware 2.15 or 2.2 (ie, early 90's.)

Re:tricksters sell to scared idiots, news at 11

[gtall]

Damn, you are right, if software didn't have bugs, we wouldn't have such severe security issues. I propose we ban software bugs from now on, call your senator, call your congresscritter; we can do this!!

what the hell is a "Pre Sales Engineer"?

[Nadaka]

And why is it at the bottom of a list that otherwise includes IT professions that I can recognize?

Re:what the hell is a "Pre Sales Engineer"?

Pre Sales Engineer would probably be the assistant to the sales team who listens to the potential customer's needs and then devises potential configurations (of the product) for the customer to consider for their SOLUTION ?

Re:what the hell is a "Pre Sales Engineer"?

[tyen]

Anonymous Coward pretty much answered what a presales engineer does, but didn't explain why it is at the bottom of the list. The list appears to be sorted by salary range or percent increase. Note that presales engineer had the largest percent increase, but the lowest salary range in the list.

Many presales engineers (especially at the big companies) have a compensation plan that is part salary, part commission and part incentive bonus plans, so this table might not be an accurate reflection of what they really take home. There are many people who dislike the road warrior-esque nature of many presales engineering positions, so it is difficult to recruit really good, seasoned staff to this position who have the right mix of technical and sales personas to pull off the role well. The really good ones are pretty much visually indistinguishable from the sales and account execs (ditch the shorts and sandals that are fine when you're coding at the office for coat and tie), engender confidence in the customer when they present the technical solution, and write up the sales proposals from soup to nuts. What usually sets them apart from the pure sales function is they might not necessarily be quite as extroverted as the sales people.

Re:what the hell is a "Pre Sales Engineer"?

[wiredmikey]

That's correct -- a more "tech savvy" sales assistant essentially that can help translate customer needs into a solution the company can supply.

Re:what the hell is a "Pre Sales Engineer"?

[wiredmikey]

Hi Tyen -- The report focuses on "Base Compensation" -- and that is noted. I absolutely agree with you, the column just didn't include any bonus, commissions, etc (for any positions listed) that are often part of a total comp plan. You're 100% spot on with your comment. Just that the main focus is base salary.

Re:what the hell is a "Pre Sales Engineer"?

[Nadaka]

It is bad enough that they are calling programmers "engineers" these days, maybe 5% or less of them actually apply engineering principals in the design of software. But a sales guy?

An engineer is an practitioner of applied science, someone who takes theoretical advances and implements them. In most countries and engineer must be tested and certified. An engineer has an ethical obligation to the general public, the users of his design and his clients. An engineer may face legal consequences if his designs are flawed and result in loss of life, work or property.

Re:gold or where is the data this week?

[WillAffleckUW]

I hate farmville to...

FrontierVille is Zyngastic!

Don't hate the player, hate the cow-clicking game. Now excuse me while I click on these dragons.

Re:On my way to graduation

[keeboo]

But they're going to hire me because there's a better chance that my writing and communication skills are superior. You don't learn how to deal with people by teaching yourself to code and your writing skills probably need some work (ever wonder why English 101 is required for your university degree?)

Don't delude yourself... They will probably hire you because:

- The CVs will be filtered by a non-technical HR employee who will blindly search for buzz words and academic qualifications.
- Then those filtered CVs will be reviewed by someone who don't want the hassle of trying to find a "hidden gem", so that person will pick the safer options (academic qualifications and formal experience with the exact very technologies they want you to work with) for interview.

Quick!

[CAIMLAS]

Quick! Increase the H1B quota!

Only half serious on that one, folks: you know they're going to push for it. It doesn't matter if they think they can get someone for 10%-20% than they could've 2 years ago if they can get someone for 30%+ less on account of statistics.

I'd not be surprised if this statistic is somehow funded by industry groups which want the IT wage to go down further.

I suspect part of the reason why there may be increased demand is healthcare. There are huge demands on healthcare IT right now on account of the spending the government is requiring to get hospitals (particularly rural healthcare) 'compliant'. If they're not compliant, they won't get any compensation for procedures, so spending $1-5 million on some updated EMR package seems "reasonable". Even for a 20 bed hospital.

"According to Robert Half" == standard propaganda

[walterbyrd]

Asking Robert Half if IT salaries are going to go up, is like asking a Century 21 agent if it's a good time to buy a house. The answer is a forgone, agenda driven, conclusion.

These sorts of surveys are always meaningless. Did anybody predict the massive layoffs of IT workers in 2009? How about the total collapse in 2000/2001? Do we ever seen any sorts of warnings about massive offshoring, and/or inshoring, from these industry puff pieces?

The industry propaganda is unwaveringly optimistic of the future for IT workers. But, reality often tells a very different story.

Re:On my way to graduation

[ls671]

Well, I would say you learn basic IT principles, or how things work, in the first year or year and a half of a university degree. After that, you go into specialization and schools have a tendency to lag behind compared to the industry because things move fast and teachers just aren't available for a technology that is only a few years old. I found that my first years in university were the most interesting ones. After that I started to learn cutting edge stuff by myself because no teachers were available to teach it.

So, you are both right, the actual truth resides in the middle of your respective points.

Security+

[Scarletdown]

So, was it a good thing I just recently got my Security+ certification after all? I trust it was not a waste of my time?

Re:Security+

[gandhi_2]

On the contrary! You can now help us unload the delivery trucks at Walmart!

Re:Security+

[walterbyrd]

I have one, and I have found it to be a waste of time. Companies want the CISSP.

CompTIA is now making an Advanced Security+ cert. I think that is supposed to compete with the CISSP.

Whatever

[Jethro]

Is there someone I get to punch when this ends up not happening for the 5th year in a row?

Re:"According to Robert Half" == standard propagan

[wiredmikey]

Maybe for IT workers overall but not right now as far as security talent. Not enough talent right now for people with information security skills.

Re:"According to Robert Half" == standard propagan

[Ethanol-fueled]

I love the phoney American optimism that the economy will soon "turn around."

Guess what, guys? This was the recovery!

Re:On my way to graduation

[Eivind]

Both true, and nontrue. Yeah, universities aren't teaching the newest-and-hottest in Programming 101. But nor do they need to.

Thing is, the fundamental concepts do NOT move quickly. Not at all. To the contrary, if I had a dime for every Ruby on Rails app I've seen that, for example, essentially re-implements the filesystem - poorly - I could probably afford a bigmac by now.

They tend to repeat ALL the mistakes too. Some examples ? If you're organizing stuff in a tree-structure, what do you do about stuff that logically belong 2 or more places ? Do you reinvent windows "shortcuts" (which don't work well), or do you engineer your basic structure to allow an object to have more than one place in the tree (i.e. the unix-way). If the latter, do you allow hardlinking to directories, and if yes, how many of the 17 problems that causes, does your app have ? What about locking of resources ? What about permissions ? Deadlocks ? Cache coherency ?

Thing is, problems tend to show up again, at different levels. Several of the problems I've mentioned above go deeper, in some cases down to the hardware-level. (SMP-systems with separate cache for each core, needs to deal with cache-coherency) then it gets repeated at each layer. The OS needs to deal with cache-coherency. As do various systems for speeding up high-level scripting-languages, say the Zend-Optimizer for php. And lastly, you'll discover, the very same concepts are useful, indeed required, if you're (for example) caching objects in memcached way up in the stratosphere of a webservice.

The more things change, the more they stay the same.

If you think modern web-apps, have nothing to learn from the time-sharing systems of yesteryear, you'll end up solving the same problems they solved back then, the painful way: by repeating the same mistakes.

Re:gold or where is the data this week?

[sjs132]

:)