Top cybersecurity salaries shoot past $780k

The top 10% of cybersecurity professionals in the US drew as much as $783,000 on average in 2023, according to a joint IANS and Artico Search study.

Although well-compensated, cybersecurity roles are often multifunctional, and typical functional combinations within a role include IAM, application security (AppSec), and product security, the study noted.

The study, which is based on responses from 563 security professionals from April 2023 to November 2023, primarily surveyed security analysts and security managers working in the finance, healthcare, and technology sectors.

“The global cybersecurity talent shortage is a perennial issue. In the US alone, there are only enough qualified cybersecurity professionals to meet 72% of current demand — which is hovering near a ten-year low,” said William Candrick, director analyst, security and risk management, Gartner. “Unfortunately, labor market supply-and-demand issues in cybersecurity will not be solved anytime soon. As a result, cybersecurity leaders and professionals often wear multiple hats and work long hours.”

The study also underlined that gender diversity has improved across various security domains while the pay gap persists, and that recognition and job perks help retention rates.

Security roles are well-compensated

Cybersecurity directors, managers, architects, engineers, and analysts were all well compensated, with high quartiles (top 10%-25%) having annual salaries considerably higher than the median pay for their roles.

“Top quartile total earnings across the various roles in the sample are considerably higher than the median pay,” the study added. “In many cases, the top 10% average is as much as three times the median total compensation, indicating a significant pay band within each of the roles.”

For cybersecurity directors, the total annual compensation was $330,000 on average, with $250,000 being the cash compensation they received annually. The figures were $402,000 and $325,000, respectively, for senior directors, who are more experienced and have a larger span of control than directors.

“Salaries continue to increase for security professionals,” said Steffen. “Again, not much of a surprise, especially given that those professionals need to have expertise in a variety of different IT and GRC disciplines, thus making it that much more difficult to find qualified resources.”

The top 25% compensation for senior directors was found to be at $424,000, while the top 10% drew as much as $783,000 on average, more than double the median salary for this role ($353,000).

Cybersecurity architects, managers, engineers, and analysts were compensated at $256,000, $183,000, $174,000, and $118,000 annually on average, respectively, which included an equity value component ranging from 15% to 40% of their basic salaries.

Gender diversity was found to be better across security domains, with respondents self-identifying as female accounting for 40% in GRC roles, 25% in IAM roles, 19% in A&E, and 10% in SecOps roles, even as the pay gap persists at 7% on average and increases with experience.

Money comes at the cost of demanding

Among the survey respondents, 42% had responsibilities that span multiple cybersecurity domains, according to the study. Disciplines that naturally complement each other were AppSec, product security, and IAM.

“Among AppSec staff, 74% also contribute to product security, and 67% are involved in IAM. Within product security, 63% of staff also support IAM,” the study said.

“This report confirms something that most security professionals have always known that the best security practitioners are also very good IT generalists, as they have to be,” said Chris Steffen, vice president – research at Enterprise Management Associates. “To some degree, it is difficult to secure something unless you know something about what you are trying to secure. While there will always be specialists that focus on a particular area or problem, most organizations do not have that luxury, and those hired to secure their entire organizations need to know a little of everything.”

Candrick, however, believed the multi-functionality ask could sometimes be a little too much for security professionals, adding, “While this extra work can fuel professional development and create career growth opportunities – it also leads to burnout and poor mental health. In fact, the cybersecurity profession is facing a mental health crisis, and the talent shortage is a major driver of this unfortunate trend.”

As security jobs get more demanding, retaining talent becomes a key challenge for organizations. The top two incentives that can help with retention rates were found to be staff recognition and job perks. Candrick pointed out that organizations investing in cybersecurity-specific personal resilience programs will help. “Gartner anticipates that the cybersecurity industry will shift from more generic, HR-driven approaches to wellness, to structured personal resilience programming that caters specifically to cybersecurity professionals,” he added.
