Few professionals relish the idea of asking for a raise. As much as they would prefer their employers simply recognize their value and adjust salaries and benefits accordingly, that's not generally how things work. This is especially true in the security field, in part because most employers don't have easy access to any resource that outlines what fair market compensation for security positions looks like.
In October 2022, the SEC invited security leaders to a webinar in which two of our subject matter experts on compensation shared their knowledge on how to positively influence compensation decisions and what resources exist to help. At the end of the webinar, Vickie Cudmore (former Global Compensation Director, Bose) and Steve Walker (Partner, Foushee Group) fielded a series of thoughtful participant questions.
We thought the following summary of responses would be helpful to all security leaders seeking fair pay and benefits for themselves or their teams.
How should we ask for raises? What is the proof or case needed to convince an organization you should receive higher compensation? What resources are there to help you?
As a starting point, it's important to know how your pay compares to the market. There are many resources on the internet to help you find pay data, but the best resource is a trusted industry survey (such as
The Security and Compliance Compensation Research Report) so you know the data is valid and reliable.
The range of data reported for a job represents the salaries paid to people in the job at various experience and performance levels. The 25th percentile generally is the salary you would expect for those with less job experience; the 50th percentile represents the pay for a fully experienced employee; and the 75th percentile of the data represents pay for highly experienced, superior performance. You should be prepared to discuss your experience, job performance, and contribution in relation to where you are paid in the range of market data.
Is it a good year to discuss salary increases if our company is laying off people?
It's probably not a good time to ask for a raise as the company cannot afford to give increases. However, your company will most likely need to do something to continue to pay competitively for key employees.
If your company is planning on continuing with annual salary increases, but at a reduced rate or lower participation level, be prepared to discuss your performance and how you have added value to the company. Schedule a performance discussion with your manager in advance of the pay increase decision time. Also consider other ways your company could reward you in lieu of a salary increase (such as a short-term bonus, retention bonus, or additional paid time off).
How can security leaders indicate their role value to the organization or business in relation to their compensation?
The first step is to
develop Key Performance Indicators (KPIs) for your job that are aligned with the business, and to establish what should be measured and how. These establish role value to the organization and can be used to determine how well a leader is performing on metrics that are important to the company.
The next step is to have good data on the market value for the job in your industry, geographic location, and company size, and to relate your performance and contribution level to the range of data.
What metrics should be captured to show ROI and investment in my expertise?
You should consider metrics that are aligned with the business goals. For example, the number and type of security incidents resolved, the amount of time to detect and resolve incidents, the change in the cost per incident, and (for managers) employee turnover and satisfaction. This will depend on your specific role, the industry, and your company.
What are some tips and recommendations when reviewing job descriptions that will help discussions with Compensation teams?
Focus on five to seven main responsibilities for your job that answer the question: What does the company pay this job to accomplish? These core responsibilities will be used to match your job to a survey job description and to evaluate your job. Your job may have additional duties that you should note, but not to the level of every detailed activity.
Keep your job description concise and avoid using cliches. If you are updating your job description because you have taken on significant new responsibilities, these should be highlighted in the job description and presented in your discussion. You should also include a section on skill and knowledge required, certifications and credentials, and any physical requirements.
The Compensation Team (or person responsible for Compensation in your company) needs to have a good understanding of your core responsibilities so they can match your job to survey descriptions. It is a good survey match if 80% of the job duties match the survey description.
What statistical data is available that compares security functions' roles based in other regions/countries outside the USA?
Pay differs widely from country to country based on country laws and regulations, labor supply and demand, culture, benefits, and other factors. Large, established U.S. compensation consulting companies (for example, Mercer, Salary.com) provide international surveys by country, and there may be local in-country salary survey sources as well.
International pay data should
not be compared with U.S. pay. For regions
within the U.S., most established surveys (including
The Security and Compliance Compensation Report), break out data by U.S. region as well as company industry and revenue size.
Do you recommend different salary ranges for security positions requiring high-level security clearances such as Top Secret Security Clearance or Sensitive Compartmented Information?
In general, TS and SCI requirements generate 10% to 20% salary premium. If the position typically requires security credentials, this may be already taken into consideration in the salary data (check the survey job description). Some companies may add a salary premium for individuals in addition to base salary. In any case, these credentials (if required for the job) take time, effort, and expense to obtain and have value to the organization.
I'm curious about how to negotiate compensation and benefits in addition to base salary or in lieu of salary?
To start a conversation on negotiating total compensation, you need to understand the components of your company's total compensation package. What are the elements of the company's reward package, what is the mix of those elements (base pay, bonus, profit sharing, benefits), and which of these elements are emphasized and what elements are negotiable?
Some benefits are not negotiable because they are controlled by regulations, such as qualified health benefit contributions, 401k company contributions and match, while some benefits may be negotiated, such as paid (or unpaid) time off, training opportunities, and bonus.
Before any discussion, you should think about what elements you want to negotiate and what your proposed position will be.
How does job scope influence security leaders' compensation?
Job scope is important and influences pay. In general, the following have an impact on pay to some degree: size of organization as measured by revenue, budget, or number of employees, global responsibility, and complexity of the industry.
The bigger and more complex the job, typically the higher level of experience and skill is required, the higher the pay. Many surveys provide data reported by revenue size, industry, and reporting relationships.
What does it cost to replace an experienced and capable employee?
This varies by type and level of job, but to generalize, it can cost six to nine months of salary, including recruitment, training, new salary, and potential legal costs.
The higher the organization level, the higher the cost to replace. In high-turnover, low-paying positions, the cost can be up to 16% of salary; mid-range positions up to 20% of salary, and executive-level positions up to 200% of salary.
We're losing our people to other companies. Do you think it's salary-related?
A salary review is a good place to start to look for answers. If you need to offer higher salaries to replace people who have left your company, you probably have an issue with pay. If your company conducts exit interviews or collects exit surveys, you should review these as well. There may be other reasons why people are leaving (job stress, working conditions, poor management), and you should be prepared to acknowledge these and address them promptly.
What if my company does not have a Compensation team?
There is certainly someone in your company who is involved in making decisions or providing input to management on pay. This may be an HR Generalist, HR Manager, or the head of HR.
Talk with someone in HR and ask who is responsible. If your company is small, and you have had interactions with HR on security issues, that would be a good place to start.
How to purchase the 2022 Security and Compliance Compensation Research Report.
You can download a PDF of this page below: