SANS Study Shows Value of Security Certs


The SANS Institute, which administers the security-focused GIAC certification program, has concluded its first-ever career development survey. The study involved about 4,250 respondents—2,647 of whom held one or more IT credentials—and had a few interesting findings pertaining to security certification, said Alan Paller, director of research at the SANS Institute.


The report covered subjects such as job tasks, industries and regions of employment, and professional education and certification. Of the participants, 1,170 held (ISC)2 certifications (largely CISSP), 1,135 held vendor-specific credentials like MCSE, CCSA and others, 901 had GIAC certs, 460 held ISACA certifications (CISA, CISM), and 442 had CompTIA credentials (A+, Network+, Security+, etc.). “Just under half—45 percent—were the people with hands-on sys admin, network admin or security responsibilities,” Paller said. “Another 19 percent were the people who had that and a little policy responsibility.”


One of the findings that impressed Paller was the copious compensation reported by many of those who held security certifications. “Within that group, except for three sub-sets, the salaries for the people with had gotten above $80,000 at the median, which is a big number,” he said. “The only two groups that fell significantly below that were the people with no certification at all, and they fell down to $70,500, and the people with CompTIA certifications, who were at $66,000. A lot of the guys who had CompTIA were the hardware guys.”


He was also surprised by the number of people who said they held multiple high-level security certifications. “It’s not multiple certifications like Security+ and A+,” Paller said. “It’s multiple certifications like both SANS and (ISC)2, or both (MCSE: Security) and ISACA.” Not surprisingly, these also were the folks who reported the highest salaries. “If you had an (ISC)2 certification, you’d get about $90,000, but if you had it with a SANS certification, you’d get about $93,000,” he added.


One of the primary implications of these numbers is that employers in the IT security field are really relying on these credentials as a means for gauging their workers’ qualifications. “It says the companies are having trouble knowing who can do it and who can’t do it, and they’re turning more and more to certifications as a surrogate,” Paller said. “They just don’t have the senior security people who can tell the difference.”


I would encourage those who might want to explore security certifications and their impact on income to check out CertMag’s annual Salary Survey, the cover story in this month’s issue, at, as well as our Salary Survey discussion board at
