Hiring security professionals -- it's not (just) about the money
By Martin Goslar, Ph.D, Tech Update
January 8, 2001
You've undoubtedly heard about the drastic shortage in qualified security professionals. With staffing shortfalls predicted to go as high as 50,000-75,000 in the next few years, and salaries that rose 50 percent in the past 12 months, security specialists are feeling pretty good.

But both managers and employees need to remember that while employees need a satisfactory salary, money alone is insufficient to promote employee productivity and longevity in the workplace. In addition to salary and benefits, position growth, promotion potential, training opportunities, conference and professional association participation, and simply being treated as a valued and respected professional are also considerations.

The security field traditionally has been a relatively low-skilled, low-pay, and cost-based function. Lately, thanks to recent cyber-threats and vulnerabilities, security management is enjoying new vitality, and cyber-crime will continue to outpace the expertise needed to create adequate defenses. As a result, demand for security specialists will continue to grow. Instead of being absorbed in traditional information technology fields, cyber-security will ultimately become a recognized discipline requiring unique skills and knowledge.

If it's time for you to test your value in the marketplace, consider these rules of thumb:

  • Identify what is most important to you in a security position. It may be experience with new security, operating system, or network software; opportunities for advancement in an identifiable company career ladder; frequent training seminars; or the ability to work autonomously with a broad range of applications.
  • Be realistic when analyzing what you offer and how important you can be to employers. If you do not have a college degree in a relevant field, or have little formal training to support your knowledge claims, you may top out at the position for which you are hired.
  • Don't make salary your preeminent job criterion. Employers who sense this goal in applicants often discount their suitability for the organization. While salary level is important, it pales compared to working conditions, collegial relationships, and career advancement.

The corporate challenge

If you're a corporate executive, you're on the other side of the fence. You can't ignore the urgent need to assure online survival, but you may not be able to afford the new, higher salaries for your security professionals. You're in danger of losing your security professionals to firms where they can make more money. If that happens, the less qualified security staffers who remain may be burdened with responsibilities that are over their heads, making for unhappy employees and disgruntled managers.

Consider whether to hire a full-time professional or outsource the services. Some factors to consider include the density of your information technology infrastructure (e.g., the level of intranet, Internet, and extranet integration), the importance of e-commerce to your company, your cyber-threat exposure, and management perspectives on dealing with employees versus contractors.

If you're in a large e-commerce company you'll probably want your own security staff on the payroll. Such organizations usually aim to fill security positions high on the salary scale. They expect that candidates will have degrees in related fields, will be trained in the latest security technologies, and will be able to apply their expertise immediately. Even the outsourcing option requires internal security staff.

Managed security services (MSS) are the choice if you are considering outsourcing. But these types of companies are still in their infancy, which means that you still need in-house staff to manage remaining security obligations and oversee service providers. You'll need fewer internal professionals if you outsource, and while they won't need to know about all the various products and threats, they will need enough knowledge in order to coordinate the protection effort and assure MSS vigilance.

When hiring a security professional, be sure to:

  • Have a job description prepared prior to advertising the position. This helps to identify your firm's needs and the skills candidates must offer.
  • Determine the salary range your firm is willing to pay. Candidates with in-depth experience that is supported by formal training and a college degree command top salaries. Those with only on-the-job training may not be as costly.
  • In addition to IT and functional departments, let their future colleagues interview candidates. Security isn't just technology; it's a process requiring effective communication.
  • Insist on a background check as a condition of employment. In this specialty, professional qualifications should include a problem-free personal background.

What's it worth to you?

Whether you're a manager or an employee, you should have a sense of salaries in today's security market. SANS Institute's recently released 2000 security salary survey offers insights into the current market for those working in cyber-security. The non-scientific survey polled more than 7,000 administrators whose average salary was $65,528. Not surprisingly, average salaries were highest for security consultants ($79,000+), followed by security auditors, security administrators, and then network administrators ($58,000+).

The study also found that years of experience, education, and operating system environment affected salaries. For instance, those with experience in Solaris-related operating environments garnered the highest salaries, while those working in Novell NetWare environments were paid 23 percent less.

These are heady times for cyber-security specialists. They're in high demand, salaries continue to climb, and corporations are finding ways to absorb the cost. But that will change. Credentials are becoming more important, and in the near future security professionals will have to earn their stripes before they earn the big salaries. Plan on seeing graduate programs in cyber-security, skill-based (versus product-based) training courses, certification, and other knowledge valuators blossom in 2001.

Dr. Goslar is principal security analyst and founder of E-PHD, LLC - a security research, analysis, and consulting firm. A cyber-investigator and former law enforcement software engineering officer, he can be reached at comments@e-phd.com.