Sep 07 2014

Is pay rising with demand in security?

Published by at 10:23 pm under General, Simple Security, Social Networking

If you follow me on twitter, you know I like to throw out questions occasionally just to stir things up.  On Friday I asked the following question about jobs in the security realm:

We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?

This hit a nerve with quite a few people, many of whom mentioned that besides the low salaries relative to the apparent demand, we also see low stature within the company: even where there is demand, companies still don't see how paying a security professional leads to profit.  The conversations on Twitter led to an interesting side road about how newcomers to the field expect huge salaries without having any experience at all.  But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.

John sees the reasons as being a) the company doesn't really care about security, so they're just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world.  If it's 'a', I'd agree with John and say stay far away from the company; let someone who's willing to suffer through a thankless job take the role on.  His suggestion for the second case is that you should talk to the hiring team, explain to them what salaries are like in the real world, then walk away until they're willing to pay what you feel is reasonable.  I've worked at a lot of companies in my career and I've never personally had this strategy pay off, but maybe it has worked for others.

I see the effect of companies who just want 'check box security' a lot.  Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I'm all too familiar with the concept.  I understand that most companies out there still don't see that security has to be part of core processes in order to be effective; they still see it as an impediment to be overcome rather than a selling point for the company.  Besides being directly responsible for the low salary offers, that attitude is reflected in the low stature the security team is often given within a company.  Of course, there's the whole argument that we still don't know how to speak 'business', but that's a drum to beat another day.

Security as a core competency, as a business process that leads to more sales and greater profit, is a hard sell and one for which it's always going to be difficult to draw a direct correlation.  I'm lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets?  It's not easy, there are no simple answers, and it's something that each organization has to discover for itself.  The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles.  On the other hand, I've been told at a number of places that sometimes there is no way of creating that linkage, and security will always remain a check box for that company.

What about the new security professionals who are asking for high salaries with just an education and little or no experience?  That's a hard one for me, since when I started in the security profession the only way to get a job was through experience.  I'd guess that it's a dark reflection of the demand for security professionals: while in school the student hears again and again about how much demand there is, and has unrealistic expectations once they graduate.  Or maybe they're not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.

As a closing thought, one of my coworkers, Brian Sniffen, states:

Only contractors are paid spot price. Salary is an annuity.

His point is that if you want the flexibility that creates a high-end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income.  In security, that risk is probably lower than in many careers, but it's still a risk that's there.  I've been a contractor and I've hopped jobs a lot in my career, which is another way to deal with the pay issue.  I'm not ready to do much of either in the near future, thank you very much.


3 Responses to “Is pay rising with demand in security?”

  1. James Davison 03 Oct 2014 at 7:50 am

    Thank you for the informative remarks. I had often wondered why I have 50 companies all call me and offer the same salary. I thought when there was an auction and many people wanted to buy the product (our skill) the bid price should go up, but in this case it does not. I simply have six phone calls a day all offering the same wage rate. I thought it very odd. Now I realize it’s a product of the check-box-security mentality. How many front page Wall Street Journal tales of woe does it take before the industry realizes security is a real need if you want to survive, and it is a need that will not diminish?

  2. Mr InfoSecJobHunter on 09 Nov 2014 at 11:39 pm

    I would like to comment, but saying that, first, I am someone who is actively pursuing roles in the job market. I have been interviewed a good bit. I have also seen, dozens to hundreds, or few hundreds of requirements over the last weeks to months in late night searches.

    I know that security is rough. I’ve spoken personally, on more of a familiar-ish level with job recruiters and some management. Filling their roles is not easy. However, the talent pool that I’m told is a bit sparse, and some seem subject to farming or harvest, recruiting the same or similar individuals time and time again for different placement opportunities across the country.

    For instance, as a "senior" level role that I may apply for and have had some success doing, in fact being pursued by a Fortune 1, and Fortune 25…I may not name names, but I feel honored. The roles that I see are all at the 6-ish figure jobs. Role1 requires first, about 7 years + general IT experience with at least 2+ focused on security. You have to be at least proficient in SIEM (pick xyz technology) then, compliance, analysis, be able to speak conducively/adequately to IR and then Forensics, and have some Malware RE, not to mention know what research is…etc. Some positions are siloed and too specialized for one to have such a broad range of experience, but that will be held against you. Don't be shallow in your diversity of things.

    These are all tough disciplines to master. Even if you get sharp, you still know there are even higher levels of acumen to ascribe; even if you had the time to pick one you could not get a job because all of the senior roles that I see and have applied for and been rejected for, for some, require too much of a specialization on a particular brand item (insert>>SIEM brand). I even had an opportunity where my company/recruiting firm would send me to training for SIEM (x) (it's one of Gartner's Top 3) but Client who begins with a W ends with "greens" wasn't having a bit of it.

    Most of those that may come across my way are rather utterly weighted on a particular brand of in-house technology Y. That's just one part of the challenge. Now, pick your brand of SIEM, IDS/IPS, Router/Firewall, IR scheme, forensics, and be an expert in "all of that" or else…"candidateship verified and declined". Some of these roles are well paying for certainly you being a "boss" of sorts. Some companies do have leniency here and there…so don't be shy, apply for something that you don't think you're a precise match for, it just may work. In my case, it may work out just fine. They are sometimes far more willing to supplement years of tenure or specific acumen, when faced themselves with a slimness of candidates' pools of experience.

    With the challenge of lesser paying roles in contrast to "that person's blog entry referenced above" and this caveated "just say no" attitude to lesser pay…you try not having a job or paying any of your bills for 2-7 months or so looking for that "just-sized perfectly role" and then beating out the competitors (you thought you were going to walk right in the door). Secondly…are you a sexy candidate?…are "YOU"? If the first thing you hear is "I don't see it in your resume" or "maybe we'll find you something else that's a better fit" rather than "I'm sorry this is all that we have" or "The market doesn't support your demands" or "You just can't make that here"…then the context and the tonality may be necessarily guiding you toward steering your ship to a different market, or just realization that you've hit a brick wall and the skills that you have don't support the income that you desire…or…you need to move. Like…move out of Florida once you've hit the range of 85k-95k. Asking for 100k+ is just trouble. It's rather slim pickings at that point. I'm looking to follow my own words here. *wink* Call it greed…you probably won't when it's your dollars to either lose due to market structure/demand (business vs yours) or tenure. It's your career growth potential, go after it. Some and many do offer relocation expense. The majority will not…so save up…or wait and pray for that one with a large relo budget.

    To that blogger's note…(paraphrasing) "they'll call you when they've decided to get real and adjust the rates"…yes okay puhleeze…once you've been vetted as the "optimal" probably superstar…second, the last 3 or so guys were either fired or quit all for various causes, then after they've decided to offer the position to someone going after that lower wage. It's not real or practical to bet on a supposed "I'll show them" call back. Positions do require to be filled. Either by you, or some other just as sexy or less-than-sexy candidate.

    There are so many other candidates vying for your position, not to mention that you need to communicate well and effectively, not just as per your "style" or flavor of word choice…but for the manager that is assessing you, the gatekeeper/recruiter after you, and all the tiers of managers who may interview you or simply screen you before your actual "tech interviews" (yea…maybe more than a couple for 6-figure income). This is not "easy" at all. The tech recruiting firms do a much better job in the way of properly assessing prospects than internal HR. You may be looked over much if your resume does not read as a "word for word" script to their bill.

    You may be pushed to go over a myriad of "basics" in the interview process, or have your candidacy profile be cut short at level…no go to save the princess. Obviously these would be covered in your basic networking course but due to the nature of life and incident analysis intrusion response of things…you may forget about how to explain technically, proficiently, accurately albeit concisely, the differences of TTL or TraceRT or PING but they, the "hiring guru/manager", make it adequately hard to impress when you are being goaded into proffering regurgitation on the most rudimentary of ideals for your 95k-130k job and you're thinking "I just watched 8 con talks today, and I could legitimately make my own presentation and I explain subtle nuances in beaconing behavior, all while conducting flow analysis, and playing around with malware in my own personal sandbox and…"explain "what" that I haven't thought about since…2007? For some of you 1998 or earlier.

    Sometimes you have to have a "gut check" and assess "is this doable", can I work for "x dollars / salary" and still be viable and/or market worthy next year without it appearing as though I'm wanting a hand out? Do I really want or need to have a split between projects and full time hirings to make it? That type of advice isn't practical, not when bills are due and especially not when much of the hiring frenzies are in fact seasonally applicable, not on your "new job demands". How do I gather experience with product X platform if we haven't installed it, aren't going to, or something else has already been configured wherever I've gone? I'm a master on ArcSight, but they want IBM's SIEM. If you've utilized a full-network packet capture device/platform i.e. NETWITNESS…be prepared for EVERYONE to blatantly not understand your skillset, except a handful of marketing companies/corporations. I still can't market that skill…geez…killin me.

    An astute observation is that most companies, even in fact IT management, including InfoSec Senior staff, don't understand security in the realm of "day to day" what's important. A better observation is to say that more corporations are carrying the torch on security now more than ever; my phone has literally been blown up for the past weeks with unique opportunities. More people are getting the hires for the right salaries. It's coming…now, does it apply to junior level positions…I can't say, not my market. But nonetheless getting hired or "the journey to Day one" is eventful and trying and tiring. It's not easy and it's frustrating. You don't want to be passed over and you don't want to be finally beat out at the last step by someone else. There are recruiters external to the company that are vetting and betting on you. And you're probably not their only choice. It's sometimes not feasible to merely say "no thanks, it's 10k to 20k lower than what I typically see or desire." You weigh your options not for now…but for two years from now when you're either looking for more growth or more pay. Hell I'm looking for "more growth" in 6 months…I'll find it. There's something to do with Hadoop and machine learning that I need to be involved with.

    Positions are opening up and more dollars (I see) are flowing, but it's still a slow yet steep learning curve. It's up to us to educate them, and before you can cross that hurdle you have to get your foot in the door and keep it propped open. Simply saying "no to lower salary" and "here allow me to espouse upon your folly regarding this meager pittance" is not a sound decision because it offers you practically no leverage. Haven't we seen Shark Tank? Leverage folks. Build a relationship. You're closing the door…bye bye negotiation. But there's a "not to be breached" bottom line. Sometimes there is a "wiggle". They may not say it. In fact you may not even know what they truly would like to pay until you receive an offer.

    Be smooth. Be active. Be loyal to your desires for now but also for next year and afterward. It may be simply best for you to move on because there are plenty of positions that will pay, but can you make it beyond the recruiter, get to the tech interview, meet F2F/Skype and close the deal? Are you a sexy candidate? Does your profile read well to them? Are you searchable for high and higher-paying gigs?

    To say that one should accept low-balled salaries is not my position, nor has it ever been, but if it comes down to you having income and perhaps…waiting on the shelf for a while…it depends on your market. It may work…it may not be time, but that's for you to decide. The actual "world of things" does not make sense in the way that Mr. So and So's blog, aforementioned above, mentions.

  3. Citrix Desktop on 24 Nov 2014 at 3:33 am

    Information security professionals are among the most stable of tech workers. They are paid well, and the majority got raises last year — 20% of them by more than 5%. Plus the demand for security specialists will grow 11% annually for the next five years.