August 28, 2016
For Candy Alexander, the difference between cybersecurity professionals and everyone else in the information-technology sector isn’t just a matter of skill set, it’s also a matter of mindset.
“Technologists want to see how something runs,” says Alexander, who directs the Cyber Security Career Lifecycle program for the Information Systems Security Association. “Security people want to see how something breaks.”
The Association has served as a resource for people working in the information security field for over three decades—effectively growing up with the field as it’s matured and cybersecurity issues have come to regularly dominate the headlines. While there have been frequent lamentations about a shortage of qualified cybersecurity talent, Alexander notes that it hasn’t resulted in an outsized spike in salaries for cybersecurity professionals—at least, not across the board.
“Generally speaking, the salaries for cybersecurity professionals are very similar to those for IT professionals—from a generalist perspective,” she explains. “When you get into more of the specialty areas like pen tester, application security, or some of those really focused exerciser areas, the salaries are going to be higher because of supply and demand. That’s where you’re seeing it rise above those salaries in IT.”
It’s in those areas of specialization that the salaries start to diverge, simply due to the relatively small number of people with the requisite expertise.
In an interview earlier this year, Ladar Levison—the founder of the now-shuttered encrypted webmail system Lavabit, which was so secure that it counted NSA leaker Edward Snowden among its users—said that he’s had a lot of issues finding qualified talent to work on his next-generation secure email system, DarkMail, because the number of people on the planet with expertise in both building large-scale email systems and cryptography is likely only a few hundred.
However, climb the corporate ladder above specialist technicians and mid-level managers, and the salary differences start to move in the other direction. Alexander notes that in the top echelon of managers within the C-suite, chief information officers can earn $100,000 a year more than chief information security officers in the same company and often count the CISO as one of their subordinates.