This content is part of the Essential Guide: TechTarget 2014 Information Technology Salary and Careers Survey guide

GRC, security pros seek more authority to reflect vital business role

As their roles become increasingly integral to corporate success, IT security and compliance professionals want more input during business decisions.

In the digital age, compliance operations and information risk management have become huge factors in corporate success. It's no surprise that governance, risk and compliance (GRC) professionals have seen their roles -- and profile within companies -- grow as the trend continues.

Compensation for these professionals appears to be in line with these relatively new responsibilities, according to the TechTarget IT Salary and Careers Survey 2014. From a sample size of 144 respondents who specialize in IT security and compliance, the average salary reported was $111,767. Forty-nine percent received a raise in 2014, and 42% received a bonus. In addition, 48% anticipate a raise and 61% expect to see gains in overall compensation in 2015.

Survey respondents from the IT security and compliance fields reported general satisfaction overall, with 40% describing the mood at their IT department as "optimistic" and 38% reporting being "neither optimistic nor pessimistic." But those who were more pessimistic cited limited career advancement (50%) and ineffective management (38%) as driving factors.

"It's the lack of maturity in the IT security field -- management doesn't quite understand what we do," said Gabe Stewart, a CISSP and CISO at Ohio Valley Bank. "There isn't a lot of awareness that there is a need for the position."

The huge need for IT security and compliance professionals is relatively new: 56% of survey respondents reported having been in their current position for under five years. This creates more opportunities for professionals who have become restless in their roles. Forty-eight percent of survey respondents said they were looking to move up in their companies, or even to leave their present job, within the next three to five years.

TechTarget's IT Salary and Careers Survey results

Increased compensation may help to get these IT security and compliance professionals to stick around, but it won't be the only factor. Instead, as their roles grow these employees are seeking the proverbial "seat at the table" when it comes time for big business decisions.

"The [information security] role has become much more integral to the business process -- from a liability standpoint, from an ethical standpoint -- it is now integral to every step of the IT chain," said Winn Schwartau, president of The Security Awareness Company.

IT security and compliance professionals must adapt to this change, and develop the "soft skills" necessary to work with the entire organization toward a common goal, said Kevin Johnson, CEO of Secure Ideas.

"We need to take security and embed it into development, embed security into our project management, into our business processes, our vendor relationships," Johnson said. "We have to have security professionals who understand what the business does, what IT does, what developers do."

Training, awareness key to GRC job satisfaction

Lack of training was cited by 42% of survey respondents in the IT security and compliance field as the reason why the mood at their company's IT department was "pessimistic."

But as security and compliance become increasingly vital to business success, it's not just these professionals who need the training. Reg Harnish, Chief Security Strategist at GreyCastle Security, said security professionals should work to improve training and awareness to demonstrate how security impacts the entire organization and every employee.

"As security professionals, we have to be educators," Harnish said. "That's educating ourselves, as well as others, who may not be in this field but are impacted by it."

Too often, GRC and security professionals are seen as the department that just says "no" when it comes to new products or services because they pose too much of a risk, said ISSA International Chair Stefano Zanero. Instead, these professionals should promote their field to show how their work benefits the company as a whole, he added.

"Cybersecurity professionals in companies need to understand that they need to market their mission inside the company and make it evident that what they want is to help the company, and that they are not saying 'no' but giving instructions to help make sure that the company achieves its objectives," Zanero said.

Among survey respondents who reported an optimistic mood in their IT departments, encouraged innovation (50%) and strong management (41%) were among the top reasons. These factors will continue to be important to ensure effective GRC as corporate mobility, cloud use and data threats become more prevalent.

IT security and compliance jobs will likely reflect these changes as well.

"People are getting a better idea of what that role really means, we are becoming more important to the organization," said Roy Wattanasin, information security officer at MIT Medical. "I see security roles expanding, I see more people involved in security as organizations see how important security is."

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

More from TechTarget's IT Salary and Careers Survey:
Security and cloud top priorities for CIOs in 2015
Happiness sometimes lacking for high-earning IT execs


Join the conversation


Security professionals need a seat at the table not just for their egos, but because security needs to be included from the very beginning of a project. You can't define a project and then say, "Okay, now we'll bring in the security guy to make sure it's secure." Security needs to be baked in from the beginning.
Demanding respect might work with certain politicians in our country, but it's no help in IT and security. All too often I see and hear stories that management "just doesn't get it!" Yet the IT and security professionals attempting to get these people on their side are going about it in all the wrong ways, as I wrote about here and here.

If IT and security pros want a "seat at the table", they need to exhibit the behaviors that help build their credibility and are conducive to forming/maintaining positive relationships with their peers and management...period. If, beyond this, you still don't have the ear of the decision-makers, then it's probably time to move on.