Shortage of skilled cyber specialists fuels debate over pay

The White House, Congress, academia and industry seem to be in rare agreement that the shortage of government cybersecurity specialists is a national security threat, but no one seems to agree which cyber jobs are the most needed -- and therefore should garner the highest salaries.

According to the most frequently quoted estimate, the United States is lacking some 20,000 or 30,000 people with the requisite skills to defend cyberspace. That was the conclusion of former intelligence officer Jim Gosler, the first director of the CIA Clandestine Information Technology Office, who offered that projection in 2008, when there were about 1,000 expert cyber professionals by his accounting. Since then, a slew of nationwide competitions have been launched to attract today's texting-obsessed youth and reformed hackers into the cybersecurity field. But little has been said about the wages aspiring cyber warriors should expect to earn.

Some experts have said the greatest need is for so-called hunters -- the network operators and penetration testers skilled at probing for vulnerabilities. Others believe hiring priority should be given to information assurance analysts, including auditors and security administrators.

The latter currently make more money than most hunters, but some researchers said the compensation for compliance analysts and certain security administrators will decline because much of their work is becoming automated. On the other hand, hunters are a rare commodity that will see their earnings climb, they argue.

In 2010, the average salary for certified information systems auditors was $100,855; certified security administrators took home on average $99,512, according to a report by IT training and certification firm Global Knowledge and the media outlet TechRepublic. But auditors and administrators -- to the extent they inspect compliance -- are seeing their responsibilities become digitized, as the White House calls for real-time continuous monitoring of systems rather than analysts' periodic certification and accreditation reports.

Operators and testers, who monitor log files, manage system configurations and hack networks to identify weaknesses, were earning about $76,000 last summer, according to a survey conducted by Alan Paller, research director at the SANS Institute, a computer security education center. Some pros in this category who have more technical skills, such as computer forensics, were receiving $88,000.

"The more general jobs -- security officers and auditors -- continue to pay more, but the number of these jobs has fallen off because of the decline in [certification and accreditation] work," Paller said. "So on average their salaries have stagnated or are falling."

In contrast, operator and tester wages are rising sharply because organizations are competing for the few specialists in the market who can do the work well, he added. "Colleges are pumping out lots of people for the jobs that do not exist and almost none for the technical jobs," Paller said.

The majority of federal information security posts are filled by private contractors, he noted. In the private sector, some hunters supporting the government are pulling down paychecks approaching $175,000, according to Paller's research.

Not all experts believe hunters are the most prized professionals.

"Those folks are valuable and they are paid well, but it represents somewhere from 1 percent to 2 percent of the people who [possess the] skills needed across the board," said Hord Tipton, executive director of (ISC)2, a nonprofit group that certifies and trains information security professionals. "You can't expect your hunters to solve problems across-the-board."

He provided a rundown of the salaries information assurance personnel are commanding. Staff with master's degrees and specialized experience -- at the top of the GS-15 level -- can bring in up to $130,000. Information assurance senior executives, such as chief information security officers, are paid up to $180,000, but can earn premiums boosting that sum to $220,000 if an agency uses paybands. Paybanding is a compensation system that gives agencies latitude in setting higher salaries and granting bonuses.

Tipton, a former Interior Department chief information officer, said his CISO made more money than him after taking a Treasury Department CISO post that was compensated using the payband system.

The government typically doesn't hire entry-level college graduates for information assurance work because departments prefer employees with more experience, he said.

Other factors that can increase a cyber specialist's wages include the particular agency at which the person works, as well as the employee's level of certification and education.

"Some agencies argue that their data is more critical, therefore their pay should be higher," Tipton said. For example, a professional at the Defense Department who has the same experience, certification and educational background as a professional at the Labor Department might earn more money. Of the (ISC)2 members working in the federal government, Pentagon personnel reported the highest average annual salary -- $103,330 -- among (ISC)2 civil service members, according to a study the organization released in February. At a Cabinet-level agency, a CISO can take in about $150,000, without paybanding -- while CISOs at smaller agencies earn around $130,000.

Surveys by (ISC)2 indicate certified personnel earn 10 percent to 25 percent more money than noncertified staff. Agencies will pay extra for job applicants with doctorates, but prospective employees usually have to convince the human resources department their skills warrant the bonus, Tipton said.
