New compensation trends in the cybersecurity sector

For several years, cybersecurity leaders have grappled with talent shortages in crucial cyber roles. In the face of escalating financial requirements and expanding responsibilities, these leaders are under heightened pressure to achieve more with fewer resources, creating roles encompassing multiple security functions.

Security roles are often multifunctional

A new report illustrates that typical functional combinations within a role include architecture and engineering (A&E), application security (AppSec), and product security. IANS and Artico Search captured responses from more than 560 cybersecurity staff across various industries and company types in the U.S. and Canada. Additionally, informal interviews with 100 CISOs took place to understand better the challenges CISOs face in recruiting and retaining employees.

Among survey respondents, 42% have responsibilities that span multiple cybersecurity domains. Of the AppSec staff, 74% also contribute to product security, and 67% are involved in identity and access management (IAM).

Within product security, 63% of staff also support IAM. However, governance, risk, and compliance (GRC) exhibit lighter ties with other roles. About 37% of GRC staff also take on A&E responsibilities, and just 25% are engaged in AppSec work.

The study also found that typical corporate bands and role categorizations often do not align with the infosec talent market. “For years we have heard many cybersecurity professionals discuss the number of hats they wear in their organization. This latest report clearly illustrates the sheer number of day-to-day responsibilities by function. Not only does each function support its own set of core tasks, but most roles also support at least two additional functions. This has many companies grappling with typical corporate salary bands as cybersecurity requires specialized compensation packages to better compete for talent and minimize attrition,” said Steve Martano, a partner in Artico Search’s cybersecurity practice and IANS Faculty member.

Vast experience, specialization, and advanced degrees all lead to higher pay

Experienced staff with at least 12 years of relevant experience earn as much as 22% above the baseline. Expertise in AppSec, product security or IAM, or a master’s degree or Ph.D commands a premium of 21% for cash compensation.

Meanwhile, staff with fewer than three years of relevant experience earn packages that are up to 40% below the baseline. Likewise, cybersecurity professionals who do not hold college credentials beyond an associate degree also tend to receive below-average comp levels.

Gender diversity varies across domains, while the gender pay gap remains prevalent

20% self-identify as female, binary, or other. GRC has the highest gender diversity at 40%, followed by IAM at 25%, while A&E staff has the lowest non-male representation at 10%.

The research data suggests a gender pay gap of about 7%. The gender gap is more pronounced among staff with 12-plus years of experience, for whom researchers see a double-digit pay gap between males and females. Among respondents with up to three years of infosec experience, there is a 3% gap in favor of gender-diverse professionals.

Staff recognition and job perks are associated with higher retention rates

Of the four criteria, feeling valued and supported and having the opportunity for career advancement shows the strongest relationship to job change considerations.