Salary Survey 2016: Is this what I signed up for?

The extent of change in a job role or function is dependent on a variety of factors. Some of that change comes about naturally as promotions are attained and job roles expand. In other cases, security professionals may find themselves taking on additional responsibilities that fall outside their job description or even outside their security skillset or the work itself may have changed drastically in response to technology advancements. According to Canadian Security’s annual salary survey, almost one in five respondents say they are now doing jobs that are completely different from the ones they were hired to do. This is a concept that will be more fully explored and explained as we examine the survey results in greater detail and ask experts to help us interpret those findings.

In 2016, the salary survey, sponsored by Commissionaires, was completed by 208 respondents in September and October. Of those respondents, the most common titles reported were: Security director (13.46%), security manager (24.04%), security guard (13.46%) and site supervisor (10.58%). Others included: senior vice-president, president, IT security professional and consultant. The majority of respondents said they work in Ontario (57.84%) followed by Alberta (12.75%) and British Columbia (9.31%).

More than a dozen vertical markets were reported as major employment sectors. The most common were: Commercial (7.34%), Education (9.04%), Health Care (10.73%), Public Sector (16.38%), Retail (10.73%), Finance/Banking (7.91%), and Manufacturing (8.47%).

When asked, “How has your job/employment changed in recent years?” 41.62% of respondents said “New skills required due to increased job scope/responsibilities,” and 19.65% said “My job is completely different than the one I was first hired to do.” In response to the same question, 22.54% said they have expanded their professional scope in the hopes of achieving career advancement, but otherwise their job roles remained the same. Just over 16% said they saw “no appreciable change” in their jobs.

Written responses to the question indicated a variety of reasons for these shifts in roles and responsibilities. “[My] employer keeps adding tasks to my plate and it is overflowing already. I need two more plates to accommodate the multiple tasks,” responded one survey taker. Others said they started in entry-level positions (guarding, for example) and were able to advance in their careers, taking on more and more responsibilities through promotions and new job opportunities. Additional work load, broader scope of responsibility and knowledge and the increasing role of technology (such as learning new software) were also cited as contributing to major job changes over time. “The burgeoning of electronics/cyber has changed the package completely,” wrote one respondent.

“I think there’s two drivers there: one is the change in both the technical and professional aspects of the profession,” explains Greg Hurd, president of the ASIS International certification board and a senior security director in the energy sector. “Second, it’s the organization change that the organizations are undergoing.”

At some of the most senior levels, security managers have seen non-core duties being added to their workload, adds Hurd, noting that parking and travel planning are quite common today. “Typically those functions have a little bit of touch on security,” he says. “It’s somewhat dependent on the industry sector, segment or channel, but we do see some of that for sure.”

Regarding some of the technical changes and challenges in security, survey respondents were also asked, “How has technology changed your job function?”

In total, 44.51% of respondents said that a “greater number of IT/computer skills are required.” More than a quarter (27.75%) said, “IT knowledge/skillset is now an essential part of my job function.” Of those that indicated little to no change, 19.08% said they had experienced “some changes but no more than most jobs,” like an increasing use of smartphones, and only 8.67% indicated no change at all.

For security guards and supervisors, technology has become an integral part of work, says Bruce Belliveau, CEO, Commissionaires Nova Scotia. Rather than simply checking ID cards as employees walk through the door, today’s security staff may have considerable responsibility in terms of running and managing more complex access control software. More than that, they may be required to handle surveillance systems or even pilot drones ­— a technology that Commissionaires is exploring for some of its patrols. “There’s a significant technical aspect to security guarding that’s coming to the fore,” says Belliveau, as well as more stringent training requirements. Without that training, “the chances of [career] progression are slim to nil.”

The degree to which IT and cyber security has changed more traditional physical roles varies greatly. According to one survey respondent, “Having a basic understanding of IT security functions is necessary as more and more technology is intertwined with physical and IT aspects.”

For Ed Dubrovsky, head of security for OnX Enterprise Solutions, physical and logical security operate on the same continuum.  “It’s really been there all along. I just think we haven’t been paying too much attention to it. Folks who are coming into the industry really need to understand both aspects,” says Dubrovsky.

A recent example of that, he says, is the major DDoS attack reported on Oct. 21 in which numerous popular websites such as Twitter and Spotify were affected with downtime, as well as entertainment services like Netflix. In some cases, IoT devices, webcams and security cameras were identified as possible network weak points that were exploited by hackers.

“If you use the connected camera example, in this latest attack, a lot of these cameras installed around the world have been installed with default passwords. That enabled the malicious actors to gain control over these cameras, exploit a particular vulnerability within them and make them attack other websites and behave in a manner that wasn’t by design.”

In those cases, says Dubrovsky, the onus may be on the manufacturers, developers and integrators to ensure that they are manufacturing and installing technology that meets much more stringent criteria in terms of network integrity. However, he says, security professionals from almost all walks of life should at least attain a proficient level of technical knowledge.

“From a skills perspective, I feel that security folks today need to understand the physical, they need to understand the digital, but they also need to understand that they’re almost like a soldier within an army — they need to understand some of the bigger strategic issues affecting the industry overall. It’s a very interesting combination of skills,” says Dubrovsky, who recently helped York University implement the CISSP designation for its cyber security program.

Hurd adds that while there is definitely a strong correlation between IT and physical security skills, there can often be some “ebb and flow” in terms how that convergence model is realized within organizations. There are few people who are equally adept at both, but may need to confer regularly with their counterpart in order to maintain the appropriate security posture. In many cases, he explains, it may be “the security guy and IT getting together for coffee and saying, ‘Here’s the direction we’re going in. Are there any impacts either of us needs to know about?’”

In terms of how survey respondents view their profession overall, many still point out some of its seemingly perennial deficiencies, particularly at entry-level guard positions: low pay, dull or repetitive work and poor public image. That said, overall 81% of respondents said they would recommend security as a career to a friend, a slight increase over previous years when that same question was posed. And despite some of the industry’s shortcomings, many respondents were generally upbeat in their responses to the question, “what are the advantages of a career in security and what are the drawbacks?”

“It is a very interesting career with many different challenges, but this job does change your personal outlook on people,” wrote one respondent. Another said there is “diversity in the job. You learn and gain further insight into the operation of your company quicker than most employees.”

One respondent said that security professionals “touch everything in the organization” which is “an advantage and disadvantage. We grow our sphere of control but the resources required to perform this added diligence are not necessarily keeping pace.” 

So you want to be successful in security?
Greg Hurd, a security professional with more than two decades of experience (and a policing background before that) shares his advice on how to get started in security and what it takes to succeed.

• Identify early on what motivates you towards the security space and look at opportunities to capitalize on that, either through exposure to the industry or academic programs or training opportunities.
• Look at your education and experience like a toolbox. Try to figure out how many tools you have in that box right now and figure out what else you need to put in to be successful.
• Assess the security landscape when looking at career options: It depends on an organization’s appetite for risk and the threats they may face as to how much time and effort they may be willing to put into security. Cyber-security skills, including the prevention and detection of social engineering, will likely be attractive to a wide variety of organizations.

For more Salary Survey results, read the Nov/Dec 2016 issue of Canadian Security.