Why InfoSec Pay Shows Lackluster Gains

The Great Recession Takes Toll on Growing Profession


Conventional wisdom dictates that the high demand for IT security practitioners would cause salaries to rise, perhaps significantly - a simple example of supply and demand. But the recovery from the Great Recession - which lasted from December 2007 to June 2009 - didn't substantially fatten paychecks for a large number of IT security personnel.

That's one takeaway from research published by SANS, the education and research institute, which conducted a similar survey in 2008.


In 2008, before the economy felt the full impact of the Great Recession, SANS researchers said they expected a big bump in salaries among the largest group of IT security practitioners, those who then earned between $80,000 and $100,000. But the new study didn't show much movement in pay among that group.

It's difficult to conduct an apples-to-apples comparison of the two surveys because SANS used different ranges of years of experience for each study. Still, one can extrapolate from the two sets of data the relatively paltry pay growth between 2008 and 2014.

Take, for instance, the largest occupation among security practitioners: systems administrators. In 2008, systems administrators with five to nine years of experience averaged an annual salary of $75,253. In 2014, systems administrators with seven to 10 years of experience averaged an annual salary of $85,469. That's an increase of just over 2 percent a year. Not great, but better than many other professions that saw pay stagnate, or, in some instances, decline as demand for employment outweighed supply of positions.

CISOs didn't fare better. A chief information security officer with 10-plus years of experience averaged an annual salary of $141,750 in 2008. This year, that job pays on average $138,529 a year for those on the job between 11 and 15 years, a decline of $3,221. Even the more experienced CISO, with 16 to 20 years of experience, saw a paltry increase in average salary to $148,000 in 2014; that's not even a 1 percent annual increase.


The paltry pay raises come at a time when the unemployment rate was virtually nil among IT security practitioners, says Scott Cassity, managing director for Global Information Assurance Certification, which worked with SANS on analyzing the data. "There has not been a drastic pickup in pay," Cassity says.

According to Information Security Media Group's analysis of U.S. Bureau of Labor Statistics employment data, the unemployment rate for computer systems administrators stood at 2.9 percent for the first three months of 2014 (see A Seller's Market for IT Security Jobs for qualifications on how those rates are determined). For information security analysts, the ISMG analysis shows an employment rate of 3.2 percent for the first quarter of 2014.

Many economists consider an unemployment rate of about 3 percent or less to be full employment because of the normal churn of jobs.

$100,000 Salaries on the Rise

Still, a larger proportion of IT security practitioners - 49 percent in 2014 vs. 28 percent in 2008 - earn on average more than $100,000 a year, suggesting better pay for IT security managers.

And that's a positive harbinger for the coming years. "Even though salaries may not have increased as much as we perceived, the workforce in this sector was stable," says Barbara Filkins, the SANS senior analyst who managed the survey.

Even with small pay increases, salary isn't the reason most IT security practitioners remain in IT security. Seventy percent of the 4,000 respondents in 2014 cite job satisfaction as the top reason for staying in the profession.

The survey emphasizes the importance of certification for advancement in the IT security field. SANS says certifications are more frequently required in IT security than in other, more general, IT roles.

The survey has a pro-certification bias. Cassity and Filkins acknowledge that many of those recruited to take the survey come from those who have studied for certifications.
