New and expanding regulatory compliance rules, coupled with incessant IT security threats, are influencing operations in virtually all industries. That puts an inordinate amount of pressure on governance, risk and compliance professionals as they strive to protect company assets and follow federal rules to a T.
Interestingly, many in the governance, risk and compliance (GRC) field welcome this challenge, at least according to the TechTarget IT Salary Survey 2012. Of the 220 survey respondents in the GRC and IT security field, 36% said they were satisfied with their job because it's intellectually satisfying. Of those GRC professionals who sought a new job in the past year, 23% reported that they simply wanted a new challenge, and 13% cited "general dissatisfaction."
"The security field is getting worse and worse -- the amount of risk, the amount of things we're exposed to," said Richard Jones, a senior information security analyst at the Dallas County Community College District in Texas. "[But] I like pressure; it kind of goes with the job."
The average salary of GRC professionals seems to reflect this increased pressure: The largest share of respondents to the TechTarget IT Salary Survey 2012 (24%) earn $90,000 to $100,000 a year, followed closely by those earning $70,000 to $89,000 (20%) and $110,000 to $129,000 (18%). These salary ranges are all markedly higher than the $42,979.61 national average annual wage index for 2011.
In addition, 34% of the GRC professionals who responded to the survey reported receiving a raise in the last year, and 38% received a raise and a bonus. Of those who received a raise, 60% reported it being a 2% to 4.9% bump from their previous salary.
As long as the demand for GRC professionals remains high, companies will continue to pay up in order to keep well-qualified individuals, said James Angle, a senior security manager at Iowa-based Trinity Health.
"As FISMA, HIPAA, PCI and SOX become more and more complex and there is greater enforcement, there will be a demand for more trained, certified and educated professionals to fill the positions," Angle said. "What will happen is the people with the desired knowledge, skills and ability will be in such high demand [that] the pay will go up."
Salary, however, does not top GRC professionals' list of concerns. Of those who sought a new job in the past year, only 15% did so because they wanted more money. And only 8% cited salary as their reason for staying in their current position. "Simply put, money is not everything," Angle said. "Yes, you have to pay employees a fair wage. However, I would take a lower salary for job satisfaction."
Organizations wishing to maintain job satisfaction among GRC professionals might want to cater to their ambitions. When asked about career goals, 32% said they wanted to move up in their current organization. The career goal question also revealed that only 3% of respondents wanted to move to a different IT discipline.
Patricia Moulder, a senior security subject matter expert at Virginia-based government IT service provider The Centech Group Inc., said that learning and growing on the job is crucial to career satisfaction. "I think that professional development is as important as salary," she said. "For me, if I'm not intellectually challenged, then I get very bored with my job -- I like to be involved professionally."
Jones noted that professional development is important, not only from a job satisfaction standpoint but also from a risk management perspective. Even just a few years ago, the number of IT compliance regulations was only a fraction of the number of regulations that exist now, and hacker groups such as LulzSec and Anonymous did not exist, he said.
This increased risk, security and compliance burden might be the reason why half of GRC professionals responding to the survey have been in their current position only 1 to 5 years. Only 11% have been in their current position for 11 to 20 years, and 17% have been there less than one year.
"Training is a necessity to staying alive in this business," Jones said. "You have to stay ahead of the hackers that are out there, and they are growing in numbers. If you're sitting still, you've lost the game."
It will be up to these GRC professionals' bosses to take advantage of their employees' enthusiasm and passion for their work, Trinity Health's Angle said. Those bosses will likely be people fairly high up in the organization: Forty-seven percent of GRC professionals report to an IT executive or another manager, while 18% report to the CIO, chief technical officer or the equivalent.
"Over the years, I have worked with many compliance people, and I found the ones that seek additional training or advanced degrees are passionate about their jobs," Angle said. "All you have to do to keep them is encourage and guide them."