A chronic shortage of cybersecurity talent and a spike in threats during the Covid-19 pandemic have not translated into pay rises for security professionals. Although 35% of organisations still struggle to find cyber talent, 61% of CISOs and security specialists’ salaries stayed the same during the past year according to new research. Industry insiders fear this pay stagnation may make it even harder to attract and retain top talent.
The salary study by tech recruitment firm Harvey Nash, which surveyed more than 1,700 technology experts from 69 countries, including the US, the UK, Australia and Germany, also found that half of the organisations saw an increase in cyberattacks since the beginning of the pandemic and 43% want to grow their cyber team within the next year to meet the challenge.
How much do senior cybersecurity jobs pay?
The cybersecurity jobs most in demand include ethical hackers, CISOs, cybersecurity consultants and information security analysts, but these professionals have also seen their pay stall in the past year. CISOs and security specialists alone ranked 14th amongst technology roles worldwide receiving a pay rise in the last 12 months. This reverses the trend which saw strong cybersecurity salaries that were less likely to suffer a decrease. In the UK, permanent CISO pay ranges between £75,000-£110,000 and in the US between $144,326-$205,626.
“With cybersecurity of such key strategic importance, clearly many professionals in teams are already well-remunerated,” Harvey Nash’s director Rob Grimsey told Tech Monitor. “Nevertheless, if security professionals see others in the tech team receiving higher increases, there will be a demotivating effect – particularly when many have worked such long hours during the pandemic to help keep organisations safe.”
Why is cybersecurity pay stagnating?
Grimsey said that although during the past five years the demand for cyber talent has generally matched remuneration, the recent “crisis” reflects the customer-centric focus of today's organisations and a tendency to reward front-office and agility-related roles rather than back-office jobs such as security.
Tech roles that saw salary increases in the past 12 months include development management/team leadership, quality assurance, and design, which mirror the importance that businesses are placing on customer-related functions. However, Grimsey warned that investment in cybersecurity is also an essential element of customer satisfaction: “No customer-facing investment will truly deliver value if it fails to deliver customer trust.”
Don MacIntyre, interim chief executive of industry body UK Cyber Security Council, thinks that a reason for the stagnation of cyber professionals' salaries is many hiring managers and HR directors failing to produce clear and concise job descriptions, where salary is key to attract experienced and qualified talent.
“Emphasis must be placed on attracting as well as retaining cybersecurity talent,” Macintyre says. He adds that, to better understand the role of the cybersecurity professional and what it brings to companies, businesses need to work with industry bodies and insiders in the profession.
Lack of pay rises could hit the cyber talent pipeline
Grimsey fears that the lack of remuneration rewards might jeopardise what is already a fragile pipeline of cybersecurity talent. In a global survey of IT decision-makers by security vendor McAfee, 82% said there is a shortage of cybersecurity skills, and 53% said the shortage is worse than talent deficits in other IT fields.
If cyber professional salaries do not keep pace with other technology roles, Grimsey said there is a danger that the skills shortage and the “war for talent” will worsen: “It will become harder to attract and retain the talent needed as cyber professionals become less loyal or even begin to specialise in other high-demand areas instead.”