If you follow me on twitter, you know I like to throw out questions occasionally just to stir things up. On Friday I asked the following question about jobs in the security realm:
We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?
This hit a nerve with quite a few people, many of whom mentioned that besides having low salaries for the apparent demand, we also see low stature in the company, and that while there’s a demand, companies still don’t see how paying a security professional leads to profit. The conversations on twitter led to an interesting side road about how newcomers to the field are expecting huge salaries without having any experience at all. But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.
John sees the reasons as being a) the company doesn’t really care about security, so they’re just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world. If it’s ‘a’, I’d agree with John and say stay far away from the company; let someone who’s willing to suffer through a thankless job take the role on. His suggestion for the second part is that you should talk to the hiring team and explain to them what salaries are like in the real world, then walk away until they’re willing to pay what you feel is reasonable. I’ve worked at a lot of companies in my career and I’ve never had this strategy pay off personally, but maybe it has worked for others.
I see the effect of companies who just want ‘check box security’ a lot. Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I’m all too familiar with the concept. I understand that most companies out there still don’t see that security has to be part of core processes in order to be effective, and still see it as an impediment to be overcome rather than a selling point for the company. Besides being directly responsible for the low salary offers, this is reflected in the low stature the security team is often given within a company. Of course, there’s the whole argument that we still don’t know how to speak ‘business’, but that’s a drum to beat another day.
Security as a core competency, as a business process that leads to more sales and greater profit, is a hard sell and one for which it’s always going to be difficult to draw a direct correlation. I’m lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets? It’s not easy, there are no simple answers, and it’s something that each organization has to discover for itself. The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles. On the other hand, I’ve been told at a number of places that sometimes there is no way of creating that linkage and security will always remain a check box for that company.
What about the new security professionals who are asking for high salaries with just an education and little or no experience? That’s a hard one for me, since when I started in the security profession the only way to get a job was through experience. I’d guess that it’s a dark reflection of the demand for security professionals; while in school the student hears again and again about how much demand there is, and has unrealistic expectations once they graduate. Or maybe they’re not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.
As a closing thought, one of my coworkers, Brian Sniffen, states:
Only contractors are paid spot price. Salary is an annuity.
His point being that if you want the flexibility that creates a high-end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income. In security, that risk is probably lower than in many careers, but it’s still a risk that’s there. I’ve been a contractor and I’ve hopped jobs a lot in my career, which is another way to deal with the pay issue. I’m not ready to do much of either in the near future, thank you very much.