RSA: IT security pros get raises despite recession

CSO - (ISC)2 used the RSA Conference 2010 as the backdrop to release survey results that will probably raise eyebrows among those who have lost jobs and struggled to find new ones in the aftermath of the Great Recession.

According to its 2010 Career Impact Survey, more than half of the 2,980 information security professionals polled between December and January received salary increases in 2009, while less than five percent of participants lost their jobs -- a smaller number than one might expect given the severity of the recession.

Globally, 52.8% of respondents received salary increases in 2009. Less than 11% saw their salaries and/or benefits cut, while 4.8% were laid off by their employers. Of the 800-plus respondents who identified themselves as having hiring responsibilities, more than half -- 53.3% -- said they need to hire permanent and/or contract employees in 2010. In the U.S., this is an improvement over the previous year's survey, when 44.5% of hiring managers said they expected to be hiring in the second half of 2009.

Of those hiring, 40% said they'll hire three or more information security professionals this year, compared to the 2009 survey, in which just 13.1% said they would be hiring three or more new permanent or contract employees. Over 90% of hiring managers globally and in the U.S. said their biggest hiring challenges were finding candidates with the right skills and level of experience.

Ironically, the reason for these pay increases may be because of the recession, as security practitioners are called upon to protect their companies from angry, laid off employees who may feel compelled to do something malicious to computer systems on the way out the door, (ISC)2 Executive Director Hord Tipton said in an interview Wednesday morning. The rapidly shifting threat landscape is another likely reason.

"As quickly as technology has advanced and as prevalently known as the threats have become, companies realize they face huge risk," he said. "Even though the company is going through economic problems as a whole, you have to worry about people leaving the company unhappy and the risk of malicious acts as a result."

In the event of a large layoff, security staff are among the last to leave because they have to strip people of their keys and Internet access, Tipton said. "The people you retain you want to be your best people. It's a distillation of the process. You pay them more for knowing more and you simply try to keep them," he added.

Among the more specific findings:

• About half of the respondents (51.1% globally; 51.9% U.S.) saw their information security budgets decrease somewhat or significantly in 2009, while 36.9% (35.7% in the U.S.) expect no change in their budgets for 2010. This compares to over two-thirds (72%) of respondents who reported in the 2009 survey that their budgets had been reduced last year.
• Approximately 54% (54.6% in U.S.) of respondents expect no personnel reductions or layoffs in 2010; while 20% (20.8% in U.S.) expect additional layoffs, compared to 40% of respondents from the previous survey in 2009.
• In the U.S., 34.2% of respondents believe the economic downturn is causing an increased security risk within their organization, 37% of whom identified outside attacks from hackers as the most common security risk attributed to the economic downturn, compared to 31.3% globally. Employee misconduct was identified as the second most common risk by 31% in the U.S. Employee misconduct was considered the most common risk globally by 37.7% of respondents, who believed there was an increased security risk in their organization.
• Globally, 55.5% of respondents said the economic downturn had decreased their security technology purchases in 2009; 30.7% of respondents believe the economy will continue to cause decreased purchasing in 2010.

Read more about security leadership in CSOonline's Security Leadership section.

• Security execs express surprise over CISO's firing following RSA talk
• Security industry faces attacks it cannot stop
• Pennsylvania fires CISO over RSA talk
• Google attacks, Web 2.0 fuel FUD at RSA
• Analysis: Does the storm over cloud security mean opportunity?
• Microsoft's tax-for-hacks 'horrible' idea, say security experts
• FBI Director: Hackers have corrupted valuable data
• CISOs rain on cloud-computing parade at RSA
• FBI embeds cyber-investigators in Ukraine, Estonia
• Tweet this: Social network security is risky business

Full coverage: RSA 2010