New benchmark study finds cybersecurity staff increasingly perform multiple roles amidst pressure to do more with less.
Boston, MA – February 29, 2024 – Today, IANS Research and Artico Search unveiled the Cybersecurity Staff Compensation Benchmark Report 2023-2034, a research study that provides first-hand insight into compensation data, diversity, work-from-home expectations and job satisfaction. IANS and Artico Search
captured responses from more than 560 cybersecurity staff across a range of industries and company types in the U.S. and Canada. Additionally, informal interviews with 100 CISOs took place in an effort to better understand the challenges CISOs face
in recruiting and retaining employees.
Cybersecurity leaders have been managing talent shortages in key cyber functions for several years. Amid growing financial demands and an increasing scope of responsibility, cybersecurity leaders are facing increased pressure to do more with less, resulting
in multifunctional security roles. The report illustrates that typical functional combinations within a role include architecture and engineering (A&E), application security (AppSec) and product security.
Among survey respondents, 42% have responsibilities that span multiple cybersecurity domains. Of the AppSec staff, 74% also contribute to product security and 67% are involved in identity and access management (IAM). Within product security, 63% of staff
also support IAM. However, governance, risk, and compliance (GRC) exhibits lighter ties with other roles. About 37% of GRC staff also take on A&E responsibilities, and just 25% are engaged in AppSec work.
The study also found that typical corporate bands and role categorizations often do not align with the infosec talent market. Steve Martano, a partner in Artico Search's cybersecurity practice and IANS Faculty member, states, “For years we have
heard many cybersecurity professionals discuss the number of hats they wear in their organization. This latest report clearly illustrates the sheer number of day to day responsibilities by function. Not only does each function support its own set
of core tasks, most roles also support at least two additional functions. This has many companies grappling with typical corporate salary bands as cybersecurity requires specialized compensation packages to better compete for talent and minimize attrition.”
Additional highlights from the report include:
- Vast experience, specialization and advanced degrees all lead to higher pay: Experienced staff with at least 12 years of relevant experience earn as much as 22% above the baseline. Expertise in AppSec,
product security or IAM, or a master’s degree or Ph.D., commands a premium of 21% for cash compensation. Meanwhile, staff with fewer than three years of relevant experience earn packages up to 40% below the baseline.
- Gender diversity varies across domains, while the gender pay gap remains prevalent: 20% self-identify as female, binary or other. GRC has the highest gender diversity
at 40%, followed by IAM at 25%, while A&E staff has the lowest non-male representation at 10%. Data suggests there is a 7% pay gap, which increases with experience. Self-identified females with 12-plus years of experience can be faced with a double-digit
pay gap.
- Staff recognition and job perks are associated with higher retention rates: Of four criteria, feeling valued and supported, as well as having the opportunity for career advancement, show the strongest relationship
to job change considerations.
For comprehensive staff compensation ranges and additional survey details, please download the full summary report.
Survey Methodology
IANS and Artico Search fielded a new Staff Compensation and Career survey in April 2023. From early April until the end of November, we received survey responses from 563 security professionals from companies that varied by size, location and industry.
This report is part of the 2023–2024 Compensation, Budget and Org report series that also includes the 2023 Security Budget Benchmark Report,
the 2023 CISO Compensation Benchmark Report, the 2023 Security Organization and Compensation Study, the 2023—2024 State of the CISO Report, among others.
The three largest industries in terms of representation among cybersecurity staff in the sample are finance (30%), healthcare (22%) and tech (14%). In terms of role, the sample breaks down as follows: security analyst (25%)—including GRC
analyst, risk analyst or security analyst—security managers (21%), security engineers (20%), security directors (17%) and security architects (14%). Three percent indicate “other” as their role, which includes mainly security consultants
and program managers.