Many companies continue to struggle to secure their data and identify and address system vulnerabilities. But chief information security officers (CISOs) are finding the best way to defend against hackers might be to hire a hacker of their own.
However, that expertise and security assurance comes at a hefty price, according to Matt Comyns, global co-head of search firm Russell Reynolds Associates' cybersecurity practice in this recent article.
CISOs themselves can command between $500,000 and $700,000 a year, and at some technology companies compensation reaches as high as $2 million once generous equity grants are included, Comyns says. In comparison, CISOs who have been with a company for five or more years receive on average $200,000 to $300,000 per year, Comyns says.
Hackers for Hire
"If you're a CISO and you're looking to build a great security team, one of the best places to start is with a white-hat hacker, or a certified ethical hacker," says Ryan Lee, COO of online IT skills training firm CBT Nuggets.
"Of course, some companies shy away because these folks are expensive, but without an emphasis on proactive security, the costs to a company could be even more disastrous," Lee says. Certified ethical hackers can command salaries upwards of six figures, he says, though the specific range depends on each company individually.
Evidence of the demand for CISOs and security specialists like white-hat hackers is somewhat anecdotal, but overall the IT community is becoming increasingly nervous about security issues, and there is an uptick in interest in security- and ethical-hacking-related content, says IT security expert and training professional James Conrad, who develops and teaches security and ethical hacking courses for CBT Nuggets.
"One of the things I've noticed is the escalating need for security pros at all levels, especially in the last few years," Conrad says. "When the Web was young, security was a secondary priority, but as unscrupulous people found ways to exploit vulnerabilities, it moved quickly to the top of the list, and it has stayed there," he says.
However, while the demand for highly skilled security pros hasn't lessened, the available talent pool has, especially among specialized talent like vulnerability testers, penetration testers and white-hat hackers, he says.
"Most IT security pros are already working between 40 and 60 hours a week maintaining, building, patching systems and otherwise putting out fires," Conrad says. "They just don't have the time to do much more, especially in the area of finding new vulnerabilities. Sure, there are teams of security personnel, and in an ideal world they could devote their time to these issues. But in the real world, that stuff is pushed aside in favor of day-to-day routine work," he says.