IT Salary Survey 2012: GRC professionals looking for a challenge

As compliance rules and IT risk expand, GRC professionals are looking forward to new challenges, according to the TechTarget IT Salary Survey 2012.

New and expanding regulatory compliance rules, coupled with incessant IT security threats, are influencing operations in virtually all industries. That puts an inordinate amount of pressure on governance, risk and compliance professionals as they strive to protect company assets and follow federal rules to a T.

Interestingly, many in the governance, risk and compliance (GRC) field welcome this challenge, at least according to the TechTarget IT Salary Survey 2012. Of the 220 survey respondents in the GRC and IT security field, 36% said they were satisfied with their job because it's intellectually satisfying. Of those GRC professionals who sought a new job in the past year, 23% reported that they simply wanted a new challenge, and 13% cited "general dissatisfaction."

Why compliance professionals sought a new job last year

"The security field is getting worse and worse -- the amount of risk, the amount of things we're exposed to," said Richard Jones, a senior information security analyst at the Dallas County Community College District in Texas. "[But] I like pressure; it kind of goes with the job."

The average salary of GRC professionals seems to reflect this increased pressure: The largest share of respondents to the TechTarget IT Salary Survey 2012 earn $90,000 to $100,000 a year (24%), followed closely by those earning $70,000 to $89,000 (20%) and $110,000 to $129,000 (18%). These salary ranges are all markedly higher than the $42,979.61 national average annual wage index for 2011.

In addition, 34% of the GRC professionals who responded to the survey reported receiving a raise in the last year, and 38% received a raise and a bonus. Of those who received a raise, 60% reported it being a 2% to 4.9% bump from their previous salary.

As long as the demand for GRC professionals remains high, companies will continue to pay up in order to keep well-qualified individuals, said James Angle, a senior security manager at Iowa-based Trinity Health.

"As FISMA, HIPAA, PCI and SOX become more and more complex and there is greater enforcement, there will be a demand for more trained, certified and educated professionals to fill the positions," Angle said. "What will happen is the people with the desired knowledge, skills and ability will be in such high demand [that] the pay will go up."

Salary, however, does not top GRC professionals' list of concerns. Of those who sought a new job in the past year, only 15% did so because they wanted more money. And only 8% cited salary as their reason for staying in their current position. "Simply put, money is not everything," Angle said. "Yes, you have to pay employees a fair wage. However, I would take a lower salary for job satisfaction."

Organizations wishing to maintain job satisfaction among GRC professionals might want to cater to their ambitions. When asked about career goals, 32% said they wanted to move up in their current organization. The career goal question also revealed that only 3% of respondents wanted to move to a different IT discipline.

Patricia Moulder, a senior security subject matter expert at Virginia-based government IT service provider The Centech Group Inc., said that learning and growing on the job is crucial to career satisfaction. "I think that professional development is as important as salary," she said. "For me, if I'm not intellectually challenged, then I get very bored with my job -- I like to be involved professionally."

Jones noted that professional development is important, not only from a job satisfaction standpoint but also from a risk management perspective. Even just a few years ago, the number of IT compliance regulations was only a fraction of the number of regulations that exist now, and hacker groups such as LulzSec and Anonymous did not exist, he said.

This increased risk, security and compliance burden might be the reason why half of GRC professionals responding to the survey have been in their current position only 1 to 5 years. Only 11% have been in their current position for 11 to 20 years, and 17% have been there less than one year.

How long have compliance professionals been in their current position?

"Training is a necessity to staying alive in this business," Jones said. "You have to stay ahead of the hackers that are out there, and they are growing in numbers. If you're sitting still, you've lost the game."

It will be up to these GRC professionals' bosses to take advantage of their employees' enthusiasm and passion for their work, Trinity Health's Angle said. Those bosses will likely be people fairly high up in the organization: Forty-seven percent of GRC professionals report to an IT executive or another manager, while 18% report to the CIO, chief technical officer or the equivalent.

"Over the years, I have worked with many compliance people, and I found the ones that seek additional training or advanced degrees are passionate about their jobs," Angle said. "All you have to do to keep them is encourage and guide them."

Let us know what you think about the story; email Ben Cole, Associate Editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Join the conversation


Do you consider tackling challenges important to your job satisfaction?
I certainly do. Finding ways to address a challenge is the fun, creative part of the job. If there’s no challenge it quickly becomes trivial and/or mundane, and therefore not very interesting for me.
For me, yes, I am a problem solver and enjoy fixing things. I would not call it one of the most important aspects of my job satisfaction, though.
Tackling challenges seems to be a major part of the job for GRC professionals, likely because of the numerous compliance regulations modern companies have to contend with. These challenges aren't going anywhere either, especially as the number of compliance regulations across industries continues to grow. Our 2015 TechTarget Salary survey found that GRC pros' skills are in high demand as this regulatory trend continues:
A big YES. I started out in computer operations in the early 80's. That got old real quick. No challenge. You could do your job in your sleep. I like being mentally challenged and enjoy problem solving so the more the better.
In general - yes, though it really depends on what kind of challenge. Overcoming some stupid problems again and again is not fun.
Professional challenges, continual learning and a chance to apply those will almost always trump salary.
It needs to be important too.
GRC is always full of challenges, so it makes sense that people that thrive on challenges will be drawn to that area. Still, every field has its share of “grunt work” that needs to be done, and people to do it, so I don’t think we can make a blanket statement that challenges, continual learning and a chance to apply those skills applies to everyone in the field.