Each year, we see subtle shifts in the data that reflect changes both in our industry and in the overall mood across the country. One of the most interesting questions in our survey simply asks: "What matters most to you about your job?" In both 2008 and 2009, base pay topped the list for managers, followed by the challenge of the job, and then benefits. In 2009, 60% cited base pay as the most important factor, as uncertainty about the recession and jobs gripped us all. This year, we see a much more nuanced view of what matters, with the top four options in a statistical dead heat: my opinions and knowledge are valued (45%); job challenge and responsibility (44%); base pay (44%); and job/company stability (43%).
My read on these statistics is that information security managers sense that the fortunes of their organizations are beginning to stabilize, and they want to be recognized for their contributions to making that happen. And, to put it bluntly, they're feeling burned out and want their lives back. This point is best illustrated by looking at options that swung at least 10 percentage points from last year to this one: my opinions are valued (up 10 points); base pay (down 16 points); vacation time (up 12); benefits (down 12); recognition of work well done (up 10); potential for promotion (up 10); ability to create new innovative IT solutions (down 14).
It seems that security pros get the reality of corporate finances. Our survey shows that, on average, no raises were given this year, and other data indicates that many workers were asked to kick in more for healthcare. Yet base pay and benefits don't matter as much to workers this year as they did last year. What IT security pros aren't getting is a sufficient sense that their work and expertise are valued.
In tough economic times, survival instincts drive C-level execs and boards of directors. They'll do anything they can to make the quarter's financials look good--including laying off employees critical to the operation of the company, and trading risk for income even when the risk is too high. The poor CISO has to either stand in opposition to this survivalist mentality, and risk being ignored or even fired, or go along with dangerous short-term decisions in hopes that an economic uptick will let the organization reverse course.