Shortage of skilled cyber specialists fuels debate over pay

Network operators and penetration testers could earn more than compliance analysts and auditors.

The White House, Congress, academia and industry seem to be in rare agreement that the shortage of government cybersecurity specialists is a national security threat, but no one seems to agree which cyber jobs are the most needed -- and therefore should garner the highest salaries.

According to the most frequently quoted estimate, the United States is lacking some 20,000 or 30,000 people with the requisite skills to defend cyberspace. That was the conclusion of former intelligence officer Jim Gosler, the first director of the CIA Clandestine Information Technology Office, who offered that projection in 2008, when there were about 1,000 expert cyber professionals by his accounting. Since then, a slew of nationwide competitions have been launched to attract today's texting-obsessed youth and reformed hackers into the cybersecurity field. But little has been said about the wages aspiring cyber warriors should expect to earn.

Some experts have said the greatest need is for so-called hunters -- the network operators and penetration testers skilled at probing for vulnerabilities. Others believe hiring priority should be given to information assurance analysts, including auditors and security administrators.

The latter currently make more money than most hunters, but some researchers said the compensation for compliance analysts and certain security administrators will decline because much of their work is becoming automated. On the other hand, hunters are a rare commodity that will see their earnings climb, they argue.

In 2010, the average salary for certified information systems auditors was $100,855; certified security administrators took home on average $99,512, according to a report by IT training and certification firm Global Knowledge and the media outlet TechRepublic. But auditors and administrators -- to the extent they inspect compliance -- are seeing their responsibilities become digitized, as the White House calls for real-time continuous monitoring of systems rather than analysts' periodic certification and accreditation reports.

Operators and testers, who monitor log files, manage system configurations and hack networks to identify weaknesses, were earning about $76,000 last summer, according to a survey conducted by Alan Paller, research director at the SANS Institute, a computer security education center. Some pros in this category who have more technical skills, such as computer forensics, were receiving $88,000.

"The more general jobs -- security officers and auditors -- continue to pay more, but the number of these jobs has fallen off because of the decline in [certification and accreditation] work," Paller said. "So on average their salaries have stagnated or are falling."

In contrast, operator and tester wages are rising sharply because organizations are competing for the few specialists in the market who can do the work well, he added. "Colleges are pumping out lots of people for the jobs that do not exist and almost none for the technical jobs," Paller said.

The majority of federal information security posts are filled by private contractors, he noted. In the private sector, some hunters supporting the government are pulling down paychecks approaching $175,000, according to Paller's research.

Not all experts believe hunters are the most prized professionals.

"Those folks are valuable and they are paid well, but it represents somewhere from 1 percent to 2 percent of the people who [possess the] skills needed across the board," said Hord Tipton, executive director of (ISC)2 , a nonprofit group that certifies and trains information security professionals. "You can't expect your hunters to solve problems across-the-board."

He provided a rundown of the salaries information assurance personnel are commanding. Staff with master's degrees and specialized experience -- at the top of the GS-15 level -- can bring in up to $130,000. Information assurance senior executives, such as chief information security officers, are paid up to $180,000, but can earn premiums boosting that sum to $220,000 if an agency uses paybands. Paybanding is a compensation system that gives agencies latitude in setting higher salaries and granting bonuses.

Tipton, a former Interior Department chief information officer, said his CISO made more money than him after taking a Treasury Department CISO post that was compensated using the payband system.

The government typically doesn't hire entry-level college graduates for information assurance work because departments prefer employees with more experience, he said.

Other factors that can increase a cyber specialist's wages include the particular agency at which the person works, as well as the employee's level of certification and education.

"Some agencies argue that their data is more critical, therefore their pay should be higher," Tipton said. For example, a professional at the Defense Department who has the same experience, certification and educational background as a professional at the Labor Department might earn more money. Of the (ISC)2 members working in the federal government, Pentagon personnel reported the highest average annual salary -- $103,330 -- among (ISC)2 civil service members, according to a study the organization released in February. At a Cabinet-level agency, a CISO can take in about $150,000, without paybanding -- while CISOs at smaller agencies earn around $130,000.

Surveys by (ISC)2 indicate certified personnel earn 10 percent to 25 percent more money than noncertified staff. Agencies will pay extra for job applicants with doctorates, but prospective employees usually have to convince the human resources department their skills warrant the bonus, Tipton said.