<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Security Salaries? in Career Discussions</title>
    <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38003#M2769</link>
    <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;You make some interesting points; a question if I may. What is your feeling about placement of the CISO position in the org chart? I have always felt the only way for the position to be effective is to have it as a peer to the CIO and any other location would just be problematic. I saw one job posting saying the CISO would be reporting to the COO, which didn't make any sense to me. In having a CISO report to a CIO it seems like this is saying security is not a priority and any issues the CIO doesn't like or doesn't want to deal with could just get rejected instead of fixed, which would create frustration points for the CISO.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thoughts?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
    <pubDate>Tue, 11 Aug 2020 14:44:26 GMT</pubDate>
    <dc:creator>JKWiniger</dc:creator>
    <dc:date>2020-08-11T14:44:26Z</dc:date>
    <item>
      <title>Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37867#M2736</link>
      <description>&lt;P&gt;I'm just going to put this out there and see what happens!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have been in IT for 30 years and have worked in many areas. I see how they keep saying there is such a shortage in security, so I figure my next position should be more security focused. It seems to make sense because let's face it, so many companies are being breached for the dumbest reasons. It would not be hard to implement best practices and cut a lot of this out right off. The problem that I am seeing is that it seems that security positions are paying below many other things I could be doing. I mean I am seeing CISO positions only paying 100k! Is this a Covid thing where they cut salaries or is it just that it would pay a lot more, and have less stress, to look in a different area? I have also been seeing management positions paying less than engineering positions. This all just seems crazy to me! And for the record, I am in Chicago...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would love to hear what other people have been seeing and thoughts on this!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I feel I should go into a security focused position because it is needed, but when other positions pay so much better it's a hard choice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just trying to figure all this out.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Fri, 07 Aug 2020 18:07:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37867#M2736</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-07T18:07:18Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37872#M2739</link>
      <description>&amp;gt; JKWiniger (Contributor II) posted a new topic in Career on 08-07-2020 02:07 PM&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; I have been in IT&lt;BR /&gt;&amp;gt; for 30 years and have worked in many areas. I see how they keep saying there is&lt;BR /&gt;&amp;gt; such a shortage in security I figure my next position should be more security&lt;BR /&gt;&amp;gt; focused.&lt;BR /&gt;&lt;BR /&gt;Well, I've got a decade on you, and, basically, I've seen the same thing.&lt;BR /&gt;&lt;BR /&gt;One story: after 9/11, everyone was saying how security was the field to be in&lt;BR /&gt;because so many new security positions were being created. I wasn't seeing any&lt;BR /&gt;increases in salaries, nor jobs opening up, and I was also doing the review seminars,&lt;BR /&gt;and none of the candidates were seeing new jobs or higher salaries.&lt;BR /&gt;&lt;BR /&gt;It took me almost a year to figure out what was happening. Suppose you were a&lt;BR /&gt;network administrator. Your boss would come along and tell you that you were&lt;BR /&gt;now the network *security* administrator. No training, no increase in salary, no&lt;BR /&gt;extra manpower: just a change in title. But all kinds of new "security" positions ...&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;One man was so mad at me that he ended his letter: `Beware. You&lt;BR /&gt;will never get out of this world alive.' 
- John Steinbeck&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Fri, 07 Aug 2020 18:57:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37872#M2739</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-08-07T18:57:16Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37874#M2741</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt;&amp;nbsp;And then they wonder why that person wasn't able to "properly" secure the network and they were breached!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Fri, 07 Aug 2020 19:22:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37874#M2741</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-07T19:22:13Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37885#M2745</link>
      <description>&lt;P&gt;So I am a lifer in Security as well (a lady never tells her age LOL......go ahead Rob, I dare you).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have seen salaries all over the board for CISO but then when you peel back the covers the job descriptions are also all over the place.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Some folk are not sure what a CISO actually is and some folk feel that it is appropriate for the CISO to report into the IT department under a manager or director.&amp;nbsp;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like this definition for CISO:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;A chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.&lt;/SPAN&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Now having said that, we need to also pull the organization in and look at them.&amp;nbsp; Smaller organizations (not-for-profits/non-profits) may not have the funds for such a position.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Like Rob, whilst at one company as a Security Specialist, I was asked to take folks from various disciplines and have them do firewalls, UNIX security, MS Security etc.......&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I believe a true CISO deserves more than $100K a year, due to the headaches, the sometimes lost sleep, the list goes on.....&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;MHOO&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;d&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 08 Aug 2020 15:18:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37885#M2745</guid>
      <dc:creator>dcontesti</dc:creator>
      <dc:date>2020-08-08T15:18:20Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37888#M2747</link>
      <description>&amp;gt; dcontesti (Community Champion) posted a new reply in Career on 08-08-2020 11:18&lt;BR /&gt;&lt;BR /&gt;&amp;gt; (a lady never tells her age LOL......go&lt;BR /&gt;&amp;gt; ahead Rob, I dare you)&lt;BR /&gt;&lt;BR /&gt;To do so would betray my *own* age ...&lt;BR /&gt;&lt;BR /&gt;&amp;gt; &amp;nbsp; I have seen salaries all over the board for CISO but&lt;BR /&gt;&amp;gt; then when you peel back the covers the job descriptions are also all over the&lt;BR /&gt;&amp;gt; place.&lt;BR /&gt;&lt;BR /&gt;Indeed. When I first started out, Systems Analyst was a position that required a&lt;BR /&gt;fair amount of background knowledge. Recently I have met "Senior Systems&lt;BR /&gt;Analyst"s who are just salescritters ...&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;Sometimes the questions are complicated and the answers are&lt;BR /&gt;simple. - Dr. Seuss&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Sat, 08 Aug 2020 18:32:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37888#M2747</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-08-08T18:32:16Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37893#M2748</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/715155969"&gt;@dcontesti&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I know what you mean, the more I look into things the more my head hurts. I like the ones where they just randomly toss in programming skills required! I think to myself, why don't you hire a programmer for that if you also need that... or when the role reports to the wrong person.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With smaller organizations, they shouldn't be using any title that starts with a "C" in the first place. Everyone who starts anything seems to think that makes them a CEO all of a sudden. I haven't seen one, but I am sure they are out there, an org chart maturity model.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With the CISO position for 100k, I will not directly out them, but it is a large university in my area. Not too hard to figure out.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a friend where higher ups wanted a pen test done. I was a bit surprised at this and told him they really need to hire someone to do security first so there will be someone to act on and understand the findings. In reality, hire a security person and have them do a baseline and fix all the very obvious issues first, can you say updates!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I guess even with companies getting breached and then fined they still don't understand how security needs to fit in in order to help things or even what it's worth.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Sat, 08 Aug 2020 19:12:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37893#M2748</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-08T19:12:09Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37894#M2749</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1324864413"&gt;@rslade&lt;/a&gt;&amp;nbsp;this is another problem I have: to me you should know XYZ if you want to do a good job, but they take people who are not qualified in the least for many positions. There are those who know very little but think they know it all; sadly I am on the other end of things where I know a lot but never feel like it's enough.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Sat, 08 Aug 2020 19:14:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37894#M2749</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-08T19:14:45Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37895#M2750</link>
      <description>&amp;gt; JKWiniger (Contributor II) mentioned you in a post! Join the conversation below:&lt;BR /&gt;&lt;BR /&gt;&amp;gt; There are those who know very little but think they know it&lt;BR /&gt;&amp;gt; all&lt;BR /&gt;&lt;BR /&gt;Oh, yeah ...&lt;BR /&gt;&lt;BR /&gt;&amp;gt; I am on the other end of things where I know a lot but never feel&lt;BR /&gt;&amp;gt; like it's enough.&lt;BR /&gt;&lt;BR /&gt;In the field of information security that is, or should be, fairly common. My&lt;BR /&gt;mantra, for those considering entering the field, is that security is the most&lt;BR /&gt;interesting area to work in because regardless of what you learn it has an&lt;BR /&gt;application and value.&lt;BR /&gt;&lt;BR /&gt;====================== (quote inserted randomly by Pegasus Mailer)&lt;BR /&gt;rslade@gmail.com rmslade@outlook.com rslade@computercrime.org&lt;BR /&gt;Never look back unless you are planning to go that way.&lt;BR /&gt;- Henry David Thoreau&lt;BR /&gt;victoria.tc.ca/techrev/rms.htm &lt;A href="http://twitter.com/rslade" target="_blank"&gt;http://twitter.com/rslade&lt;/A&gt;&lt;BR /&gt;&lt;A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank"&gt;http://blogs.securiteam.com/index.php/archives/author/p1/&lt;/A&gt;&lt;BR /&gt;&lt;A href="https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413" target="_blank"&gt;https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413&lt;/A&gt;</description>
      <pubDate>Sat, 08 Aug 2020 19:42:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37895#M2750</guid>
      <dc:creator>rslade</dc:creator>
      <dc:date>2020-08-08T19:42:16Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37995#M2767</link>
      <description>&lt;P&gt;I remember seeing a job posting (making less than I make now) and they were saying how they were only going to pay at the lower end of the band (although the band stretched to more than what I make now) and I wanted to apply and interview just so I could say to them: "So you really don't want the best or most experienced candidate, you just need an adequate candidate that you can pay poorly.......Good Luck with that."&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I like to call what a hiring manager goes through as the "Hiring Paradox". In the Hiring Paradox you basically have two options: Do I #1 Hire a rock star who will desire a higher salary, have other job options because they are so skilled, and who may leave after a few years, or #2 Hire an adequate to poor performer who I know will never leave, but who I will have to handhold, reprimand, and coerce them during their whole career in order for them to be effective?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I always hire the rock star and let them make things so much better, knowing that I will have to replace them in the future, but their work will be excellent while they are there rather than the adequate person who will do the bare minimum and stay for twenty years at the same position.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I don't understand the companies that want to limit themselves by painting themselves into a corner by only desiring lower salaries. The phrase "Penny wise, pound foolish." comes to mind. Perhaps companies should state their desired range, but state that they may consider other salaries depending on circumstances and experience. 
Perhaps though they are hoping to catch the younger, ambitious, go-getter type of person and I can understand that, having been that person in the past (the younger part especially), but I also understand the wisdom of experience and how much that is really worth.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have a personal example. I was working as a contract CISO at one agency replacing a very ineffective CISO. After a certain amount of time had passed they were allowed to hire the CISO position internally. I, along with others, assumed I was getting the position as I had performed very well and was very well liked amongst the IT folks. Well, the management changed right before this position came open and the newly minted CIO (who was a good manager but not a good leader) decided that he wanted to go with a cheaper, younger, less experienced option and convinced the new director to choose someone else. Everyone was shocked. The CISO office now is in complete disarray. I'm sure the employees hate their new boss and the CISO hates them and doesn't fight for them. The new CISO didn't have much leadership experience (but was 35K cheaper) and is struggling. The CIO also demanded, as part of the hiring process, that the CISO position be moved back under him instead of the current situation where the CISO was a peer and reported directly to the director. Now the CISO has less bargaining power and serves at the mercy of the CIO. In a way, I am extremely glad that I was not hired as I knew when they made that person the CIO that he would be a very ineffective leader. He rules as a tyrant in an organization whose organizational culture in IT is one of fear. And he doesn't understand organizational culture. His selection only made the culture of fear worse. 
I warned management of this before his hire, but they ended up retiring and the new management wasn't made aware of this before they hired him.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tell you all of this to show how companies, by choosing to go the cheaper route, while it may be fiscally responsible, are not following a good long-term strategy. It may even end up costing the agency some EEO complaints and general ineffectiveness. Several key IT people have already left and several others have job applications out as well. I imagine the CISO will look to move on soon too (his previous longest stint was only a year and a half). So while they may have saved some money, they will end up costing themselves more money in talent loss, ineffectiveness, and employee morale. It can create a downward spiral that will continue until the management gets replaced.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So if you are ever in an interview and you are asking for the higher end of the salary range, make sure to show how your experience is worth the extra money. And you are not alone in running into the low salary buzzsaw.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 11 Aug 2020 13:44:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/37995#M2767</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-08-11T13:44:42Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38003#M2769</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;You make some interesting points; a question if I may. What is your feeling about placement of the CISO position in the org chart? I have always felt the only way for the position to be effective is to have it as a peer to the CIO and any other location would just be problematic. I saw one job posting saying the CISO would be reporting to the COO, which didn't make any sense to me. In having a CISO report to a CIO it seems like this is saying security is not a priority and any issues the CIO doesn't like or doesn't want to deal with could just get rejected instead of fixed, which would create frustration points for the CISO.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thoughts?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Tue, 11 Aug 2020 14:44:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38003#M2769</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-11T14:44:26Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38004#M2770</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1542574691"&gt;@JKWiniger&lt;/a&gt;&amp;nbsp;, yes my thoughts exactly. I usually have no problem with a CISO reporting to another C-level executive AS LONG AS it is NOT the CIO. Having the CISO position under the CIO means that the CIO can filter out what doesn't benefit them when reporting up the chain. Then they can also deflect blame claiming the CISO never briefed them (or inadequately briefed them) if a breach or other security incident occurs. It also causes the CIO to prioritize security differently as they are just another one of their people asking for money allocation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The CISO needs to be seen as a C-Level executive for not only the peer level consideration but how the organization responds to them. Having them as a subordinate of the CIO diminishes the credibility of their voice.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The problem with the IT industry as I see it is this: IT used to do everything under their umbrella. As security evolved it grew under the IT umbrella. It has risen to a point where it needs to be separated (for many years now). Many organizations did not know when or how to start the separation. Plus separating security out from under IT brought another headache to management. Now they have another voice to listen to and, from a budget perspective, another mouth to feed. They also have to fund another C-level position. Some executives just don't want to be bothered and want an additional buffer between them and responsibility for an incident. Having the CIO in that buffer position now gives them two fingers to point if something goes wrong. However this leads to them being blindsided. I have seen incidents where a breach happened and then the CIO split, leaving the organization holding the bag. Some CIOs see themselves losing personnel if security has to be its own entity. 
They also do not like losing control, and having security people be separate means they have to be told to do some things by people they don't control. BUT if the CISO position is under them, then they don't suffer this loss of control.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think that was another reason I didn't get the position I mentioned. I mentioned not placing the CISO under the CIO to the new director and his chief of staff (who did a boneheaded thing and shared my email with the CIO without redacting my name). I laid out clear reasons why the CISO should not be under the CIO. I think when the CIO saw it he was pissed off and decided not to hire me, which again reflects his inability to understand leadership principles. He also lost another ally when going for resources to the budget group. It helps to have two C-level executives advocating for resources rather than just one. Also during the application/interview process he got to see my resume and saw that I had more CIO experience than he did (yes I have both CIO and CISO experience!). He knew I would be able to spot his Baloney (lies) and felt threatened by my experience. Not only is he a tyrant but he is also insecure.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So yes, the CISO should not be under the CIO.&lt;/P&gt;</description>
      <pubDate>Tue, 11 Aug 2020 15:17:12 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38004#M2770</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-08-11T15:17:12Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38005#M2771</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1602421967"&gt;@CISOScott&lt;/a&gt;&amp;nbsp;would it be unreasonable to make it a condition of taking a position that it be taken out from under a CIO?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As for the rest, well IT has always been interesting over the years. Many companies have seen IT just as a budget black hole, until IT departments started charging departments back for the IT services they consumed and then, just like that, overnight it became a profit center. I think this shift is happening for a lot of companies whether they like it or not with the increased use of cloud technologies, since you can have different subscriptions for almost everything, making it easier than ever to direct the expenditure to the department requiring it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Splitting security and IT has always seemed tough to me. Take something as simple as patching systems. I guess it would be broken up to where someone on the security team might monitor compliance of patch installation, but if patches are missing they would need to inform the IT side that they need to be installed, and then probably report back. In the old days having the same team monitor and install was a bit easier, but more eyes probably ensures a higher likelihood that things are actually being done right.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think I am starting to see a failing of mine. With smaller companies I controlled things and decided how and what was done, simply by the fact that I knew what needed to be done and they didn't. 
Now shifting to larger companies I got the impression that they have established roles and departments and know what they are doing, but in fact they might simply need the same guidance but just on a larger scale and with a bit more assertiveness because there are more players that can keep things from getting done.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have always done well in larger companies, even when I have pissed people off, because I always kept one thing in mind and let it guide me, what is best for the company...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John-&lt;/P&gt;</description>
      <pubDate>Tue, 11 Aug 2020 15:53:51 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38005#M2771</guid>
      <dc:creator>JKWiniger</dc:creator>
      <dc:date>2020-08-11T15:53:51Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries? CISO position</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38026#M2772</link>
      <description>&lt;P&gt;I strongly believe unless you have a capable CIO the CIO will become a bottleneck; I have seen it happen in the last 10 years. For a CISO to be effective they need to have the organization's backing (business), otherwise they are seen as the bottleneck to business growth - until something happens. Security should never be a compromising position but an enabler. Imagine credit card companies or banks having a lower level of security because the users and/or employees can be more efficient. Would that work when millions are lost?&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Not directly related but a pertinent point: look at Boeing now, they went after cheap programming resources and got just that, only to have a big mess on their hands with the 737 grounded. They compromised and the outcome was negative. What risk can you afford to take is the main question. That applies to your own career as CISO as well.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Zeeman&lt;/P&gt;</description>
      <pubDate>Tue, 11 Aug 2020 23:41:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38026#M2772</guid>
      <dc:creator>Zeeman</dc:creator>
      <dc:date>2020-08-11T23:41:14Z</dc:date>
    </item>
    <item>
      <title>Re: Security Salaries?</title>
      <link>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38044#M2773</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1542574691"&gt;@JKWiniger&lt;/a&gt;&amp;nbsp;I don't know about demanding it (or requesting it) for a contingent job offer. I would bring it up in the interview and ask if they had thought about moving it out from under the CIO. The problem is that they usually have the CIO in the interview panel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One way to bring it up is to state that many organizations have started to bring the CISO out from under the CIO in order to ensure that security is seen as being a separate entity and not a subordinate of IT. It also makes sense to have the person who effectively audits and watches IT to not be under IT's influence or control. It forces collaboration between security and IT as they now have to work together instead of being forced to do whatever IT directs. Another great move is to ensure the CISO has a direct communication line to the head of the agency. If a breach happens it is effectively the top management official who will either directly or indirectly be held responsible. Giving the CISO a direct line of communication to them allows them to be better informed of problems. Having the CIO as a buffer can hinder true communication to upper management.&lt;/P&gt;</description>
      <pubDate>Wed, 12 Aug 2020 13:57:01 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Career-Discussions/Security-Salaries/m-p/38044#M2773</guid>
      <dc:creator>CISOScott</dc:creator>
      <dc:date>2020-08-12T13:57:01Z</dc:date>
    </item>
  </channel>
</rss>

