In the digital age, compliance operations and information risk management have become huge factors in corporate success. It's no surprise that governance, risk and compliance (GRC) professionals have seen their roles -- and profile within companies -- grow as the trend continues.
Compensation for these professionals appears to be in line with these relatively new responsibilities, according to the TechTarget IT Salary and Careers Survey 2014. From a sample size of 144 respondents who specialize in IT security and compliance, the average salary reported was $111,767. Forty-nine percent received a raise in 2014, and 42% received a bonus. In addition, 48% anticipate a raise and 61% expect to see gains in overall compensation in 2015.
Survey respondents from the IT security and compliance fields reported general satisfaction overall, with 40% describing the mood at their IT department as "optimistic" and 38% reporting being "neither optimistic nor pessimistic." But those who were more pessimistic cited limited career advancement (50%) and ineffective management (38%) as driving factors.
"It's the lack of maturity in the IT security field -- management doesn't quite understand what we do," said Gabe Stewart, a CISSP and CISO at Ohio Valley Bank. "There isn't a lot of awareness that there is a need for the position."
The huge need for IT security and compliance professionals is relatively new: 56% of survey respondents reported having been in their current position for under five years. This creates more opportunities for those professionals who have become restless in their roles. Forty-eight percent of survey respondents said they were looking to move up in their companies, or even to leave their present job, within the next three to five years.
Increased compensation may help to get these IT security and compliance professionals to stick around, but it won't be the only factor. Instead, as their roles grow, these employees are seeking the proverbial "seat at the table" when it comes time for big business decisions.
"The [information security] role has become much more integral to the business process -- from a liability standpoint, from an ethical standpoint -- it is now integral to every step of the IT chain," said Winn Schwartau, president of The Security Awareness Company.
IT security and compliance professionals must adapt to this change, and develop the "soft skills" necessary to work with the entire organization toward a common goal, said Kevin Johnson, CEO of Secure Ideas.
"We need to take security and embed it into development, embed security into our project management, into our business processes, our vendor relationships," Johnson said. "We have to have security professionals who understand what the business does, what IT does, what developers do."
Training, awareness key to GRC job satisfaction
Lack of training was cited by 42% of survey respondents in the IT security and compliance field as the reason why the mood at their company's IT department was "pessimistic."
But as security and compliance become increasingly vital to business success, it's not just these professionals who need the training. Reg Harnish, Chief Security Strategist at GreyCastle Security, said security professionals should work to improve training and awareness to demonstrate how security impacts the entire organization and every employee.
"As security professionals, we have to be educators," Harnish said. "That's educating ourselves, as well as others, who may not be in this field but are impacted by it."
Too often, GRC and security professionals are seen as the department that just says "no" when it comes to new products or services because they pose too much of a risk, said ISSA International Chair Stefano Zanero. Instead, these professionals should promote their field to show how their work benefits the company as a whole, he added.
"Cybersecurity professionals in companies need to understand that they need to market their mission inside the company and make it evident that what they want is to help the company, and they are not saying 'no' but giving instructions to help make sure that the company achieves its objectives," Zanero said.
Among survey respondents who reported an optimistic mood in their IT departments, encouraged innovation (50%) and strong management (41%) were among the top reasons. These factors will continue to be important to ensure effective GRC as corporate mobility, cloud use and data threats become more prevalent.
IT security and compliance jobs will likely reflect these changes as well.
"People are getting a better idea of what that role really means, we are becoming more important to the organization," said Roy Wattanasin, information security officer at MIT Medical. "I see security roles expanding, I see more people involved in security as organizations see how important security is."