I'm just going to put this out there and see what happens!
I have been in IT for 30 years and have worked in many areas. I see how they keep saying there is such a shortage in security, so I figure my next position should be more security focused. It seems to make sense because, let's face it, so many companies are being breached for the dumbest reasons. It would not be hard to implement best practices and cut a lot of this out right off. The problem that I am seeing is that it seems that security positions are paying below many other things I could be doing. I mean, I am seeing CISO positions only paying 100k! Is this a Covid thing where they cut salaries, or is it just that it would pay a lot more, and have less stress, to look in a different area? I have also been seeing management positions paying less than engineering positions. This all just seems crazy to me! And for the record, I am in Chicago...
I would love to hear what other people have been seeing and their thoughts on this!
I feel I should go into a security-focused position because it is needed, but when other positions pay so much better it's a hard choice.
Just trying to figure all this out.
So I am a lifer in Security as well (a lady never tells her age LOL......go ahead Rob, I dare you).
I have seen salaries all over the board for CISO, but then when you peel back the covers, the job descriptions are also all over the place.
Some folks are not sure what a CISO actually is, and some folks feel that it is appropriate for a CISO to report into the IT department under a manager or director.
I like this definition for CISO:
A chief information security officer is the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.
Now, having said that, we need to also pull the organization in and look at them. Smaller organizations (not-for-profits/non-profits) may not have the funds for such a position.
Like Rob, whilst at one company as a Security Specialist, I was asked to take folks from various disciplines and have them do firewalls, UNIX security, MS Security etc.......
I believe a true CISO deserves more than $100K a year, due to the "headaches, the sometimes lost sleep, the list goes on....."
I know what you mean; the more I look into things, the more my head hurts. I like the ones where they just randomly toss in "programming skills required"! I think to myself, why don't you hire a programmer for that if you also need that... or when the role reports to the wrong person.
With smaller organizations, they shouldn't be using any title that starts with a "C" in the first place. Everyone who starts anything seems to think that makes them a CEO all of a sudden. I haven't seen one, but I am sure they are out there: an org chart maturity model.
With the CISO position for 100k, I will not directly out them, but it is a large university in my area. Not too hard to figure out.
I have a friend where higher-ups wanted a pen test done. I was a bit surprised at this and told him they really need to hire someone to do security first, so there will be someone to act on and understand the findings. In reality, hire a security person and have them do a baseline and fix all the very obvious issues first; can you say updates!
I guess even with companies getting breached and then fined, they still don't understand how security needs to fit in in order to help things, or even what it's worth.
@rslade this is another problem I have. To me, you should know XYZ if you want to do a good job, but they take people who are not qualified in the least for many positions. There are those who know very little but think they know it all; sadly, I am on the other end of things, where I know a lot but never feel like it's enough.
I remember seeing a job posting (making less than I make now) and they were saying how they were only going to pay at the lower end of the band (although the band stretched to more than what I make now) and I wanted to apply and interview just so I could say to them: "So you really don't want the best or most experienced candidate, you just need an adequate candidate that you can pay poorly.......Good Luck with that."
I like to call what a hiring manager goes through the "Hiring Paradox". In the Hiring Paradox you basically have two options: Do I #1 hire a rock star who will desire a higher salary, have other job options because they are so skilled, and who may leave after a few years, or #2 hire an adequate to poor performer who I know will never leave, but who I will have to handhold, reprimand, and coerce during their whole career in order for them to be effective?
I always hire the rock star and let them make things so much better, knowing that I will have to replace them in the future, but their work will be excellent while they are there rather than the adequate person who will do the bare minimum and stay for twenty years at the same position.
I don't understand the companies that want to limit themselves by painting themselves into a corner by only desiring lower salaries. The phrase "Penny wise, pound foolish." comes to mind. Perhaps companies should state their desired range, but state that they may consider other salaries depending on circumstances and experience. Perhaps though they are hoping to catch the younger, ambitious, go-getter type of person and I can understand that, having been that person in the past (the younger part especially) but I also understand the wisdom of experience and how much that is really worth.
I have a personal example. I was working as a contract CISO at one agency, replacing a very ineffective CISO. After a certain amount of time had passed, they were allowed to hire the CISO position internally. I, along with others, assumed I was getting the position, as I had performed very well and was very well liked amongst the IT folks. Well, the management changed right before this position came open, and the newly minted CIO (who was a good manager but not a good leader) decided that he wanted to go with a cheaper, younger, less experienced option and convinced the new director to choose someone else. Everyone was shocked. The CISO office now is in complete disarray. I'm sure the employees hate their new boss, and the CISO hates them and doesn't fight for them. The new CISO didn't have much leadership experience (but was 35K cheaper) and is struggling. The CIO also demanded, as part of the hiring process, that the CISO position be moved back under him instead of the current situation, where the CISO was a peer and reported directly to the director. Now the CISO has less bargaining power and serves at the mercy of the CIO. In a way, I am extremely glad that I was not hired, as I knew when they made that person the CIO that he would be a very ineffective leader. He rules as a tyrant in an organization whose organizational culture in IT is one of fear. And he doesn't understand organizational culture. His selection only made the culture of fear worse. I warned management of this before his hire, but they ended up retiring, and the new management wasn't made aware of this before they hired him.
I tell you all of this to show how companies choosing to go the cheaper route, while it may be fiscally responsible, is not a good long-term strategy. It may even end up costing the agency some EEO complaints and general ineffectiveness. Several key IT people have already left, and several others have job applications out as well. I imagine the CISO will look to move on soon too (his previous longest stint was only a year and a half). So while they may have saved some money, they will end up costing themselves more money in talent loss, ineffectiveness, and employee morale. It can create a downward spiral that will continue until the management gets replaced.
So if you are ever in an interview and you are asking for the higher end of the salary range, make sure to show how your experience is worth the extra money. And you are not alone in running into the low salary buzzsaw.
@CISOScott You make some interesting points; a question, if I may. What is your feeling about placement of the CISO position in the org chart? I have always felt the only way for the position to be effective is to have it as a peer to the CIO, and any other location would just be problematic. I saw one job posting saying the CISO would be reporting to the COO, which didn't make any sense to me. In having a CISO report to a CIO, it seems like this is saying security is not a priority, and any issues the CIO doesn't like or doesn't want to deal with could just get rejected instead of fixed, which would create frustration points for the CISO.