Tuesday, September 23, 2008

Certification still pays for CISSPs, CISMs

Information security certifications aren't often easy to obtain, but according to new IT data, those who have them are seeing their salaries rise.


Following the release of data from its most recent quarterly IT salary survey, Foote Partners LLC, a Vero Beach, Fla.-based independent research group, announced that pay for IT certifications was down for the eighth straight quarter, although a few sectors bucked the trend.
"Of the 165 certified skills we survey, only 17 increased in value over last year," said David Foote, the firm's founder and CEO. Included in that handful of skills are several security certifications, such as the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
In fact, seven of the 17 certifications that increased in value were from the security sector, and holders of the GIAC Security Expert (GSE) certification posted a 36.4% average salary increase during the last 12 months, the largest salary growth of any certified professional. Overall, pay for security certifications was up 0.4% during the last six months and 2% during the last year (through July 1, 2008), against a downward trend for IT certifications as a whole, which lost 2.5% during the last six months and 3.5% during the past year.
Also measured in the annual report were changes in the value of uncertified IT skills. Pay for uncertified network security management skills rose 36.4% over the last year, matching the increase seen by GSE-certified workers.
According to Foote, spikes in value occur when the gap between demand and skills supply widens. "There are two reasons why that can occur," he said, "and it is rarely a decline in skills supply that cause[s] gap fluctuations -- it's surging demand."

So what's making the difference for security? Foote said the upward trend started with businesses' compliance concerns when the Sarbanes-Oxley Act (SOX) debuted in 2002; it made sense for enterprises to put some money into security infrastructure and personnel to avoid paying the penalties for being noncompliant. Security awareness, however, has grown from there.
Separately, Foote Partners' data shows that the companies surveyed have raised their budgets for IT security governance by an average of 10.8% in the past year. Enterprises are more interested in keeping their data secure following high-profile breaches like the one at TJX Companies Inc. "Businesses are starting to hold vendors' feet to the fire," Foote said. "They are asking … for products with baked-in security."
With increased awareness comes a greater need for experienced security pros to manage security plans and systems. This, Foote said, is why demand for security certifications, particularly security management-related certifications such as GSE, CISSP and CISM, is growing.
Foote predicts demand for certified information security practitioners will only increase. Once greater security education comes into sync with budget planning, the demand and funding for security staff will continue to rise.
The seven security certifications that gained in value over the last year were GSE at 36.4%, CISM at 27.3%, the Certified Hacking Forensics Investigator (CHFI) at 14.3%, the GIAC Certified Intrusion Analyst (GCIA) and GIAC Systems and Network Auditor (GSNA) both at 11.1%, the Cisco Certified Security Professional (CCSP) at 9.1% and CISSP at 8.3%.
Foote said information security has proven to be one of the most stable IT niches for those who enjoy the work and are well-trained. "Conditions are in place for a fairly sustained momentum [when it comes to] staffing skilled security people internally," Foote said.