People--Not Product--PowerPeople--Not Product--Power

The term "piling on" comes to mind when we speak with IT pros responding to our survey, and in our practice we see security groups spend hours managing the same controls they were wrestling with five years ago. New threats, new laws coming on the books, but we can't stop working the technologies we put in place to thwart nuisance attackers.

So how are those 14-hour days working out for you?

Our 2010 Salary Survey cut of 850 full-time security professionals showed salary increases for staff will be next to nil in 2010, down from the token 1.9% boost infosec employees received in 2009. Only 38% say they feel "very secure" in their positions. Forty-two percent say they're working more because of hiring freezes or layoffs in the last 12 months.

"I know my company should put more time and effort into security, but I'm too short on staff and other resources to add further responsibilities," says John Knutson, an IS manager for a midsize healthcare provider.

Many security vendors have announced healthy profits for the first part of 2010, and our respondents are optimistic that budgets will increase--36% say they see security spending going up in 2010, compared with 27% in 2009. Our advice: Advocate for hiring an additional person with any increased budget instead of buying a new tool. The problems our survey participants are most concerned about (malware, phishing, Web exploitation) can't reliably be resolved by technology. Psychological warfare requires a human response.