Cyber Pay Equals Out at $112,000 in Government and Industry, Survey Says


Higher pay typically is not the deal breaker when information security professionals pass over military jobs for private sector positions.

Higher pay typically is not the deal breaker when information security professionals pass over military jobs for private sector positions, with the going rate now reaching $112,000 across all sectors, according to what is likely the largest-ever study of cyber professionals.

The sometimes year-long process to obtain that first paycheck is the turnoff.

According to the assessment by trade association (ISC)2, the turtle's pace of the government hiring process is a big irritation for would-be feds. The timeline for filling desks in defense and civilian agencies can range from six months to a year, whereas the turnaround for private companies is days or at most six weeks. 

"Man, can you imagine, if I’ve got to fill out this 10-page application and fax it in, what’s my everyday job going to be like?" Dan Waddell, (ISC)2 director of government affairs, said. "Especially the millennials and the people we’re trying to bring into the workforce, if that’s their first exposure to the culture . . . that painful process, they are going to run away as fast as they can."

About 1,100 military computer security pros and 730 civilian agency cyber personnel participated in the 14,000-person study, which ended in January.

In 2014, the average salary of a federal cybersecurity worker was $110,500, with federal contractors taking home $114,000. U.S. private sector cyber professionals are expected to bring in $118,000 in 2015.

Waddell, who is expected to release the results at a security professional conference today, said a high-level official at an agency Waddell could not disclose declined an invitation to the event. The official would have had the opportunity to scout out potential candidates for several job openings at his agency. 

"It would be a waste of time for me,” the official told Waddell, he said. “Thank you for giving me a free table at a career fair, but I can’t use it . . . by the time I get those candidates into my pipeline, I’ve already lost to them to the private sector."

There is no denial inside the government the federal hiring process is broken.

Right now, however, there are few ways to bypass the congestion.

The 2014 Border Patrol Agent Pay Reform Act of 2014 authorized fast-track hiring for only select Department of Homeland Security cyber aficionados. A new policymaking cyber unit inside the White House obtained permission to fill a spot under "direct authority," an expedited hiring process used when there is a critical skill need. In March, the military got the green light to speed recruitment of 3,000 civilian computer security pros

But "you can’t take advantage of those workarounds for every single job opening," Waddell said.

Over Half Don’t Always Scan Web Services for Hacker Holes

Other areas for growth in the federal government include enforcement of cyber policies and network scans, according to the report. 

Only 13 percent of government personnel found so-called CyberStat sessions effective at providing security guidance. The in-person meetings are intended to huddle an agency's leaders, DHS -- which manages governmentwide cybersecurity, and the White House cyber team for periodic reviews of the agency's security posture. 

The unit only has about $20 million to spend on such cyber-policing activities

Another reason CyberStat sessions have yet to make a mark in government is that few understand their purpose, Waddell said.

"Most of the folks that I talk to around the beltway, they’ve never participated in one and they don’t even know about the process," he said. White House officials "need to do a better job at getting the word out exactly what these things are and what’s the value? How is it going to help me other than from a compliance perspective? How will this improve my security?" 

There seems to be a need for government, somehow, to crack down on inattention to network protections. 

More than 50 percent of government security professionals do not always scan their applications for hacker holes, if those programs are maintained in the cloud.

"That one's a pretty scary statistic," Waddell said. "They either know that they aren't doing it or they have no clue," whether the cloud provider is, "so that’s just as bad." 

The Federal Risk and Authorization Management Program, a cloud security assessment initiative, is partly aimed at nailing down vulnerability-scanning requirements at the outset of a contract.

Waddell said as FedRAMP starts to gear up with a new two-year road map, hopefully the amount of inconsistent scanning will go down -- soon. Currently, the consensus on cybersecurity hiring and operations is "there isn't a lot of confidence in government initiatives," Waddell said.

(Image via Rawpixel/