Will retraining as a pentester earn you a pay rise? With three years on the job as a security engineer, is your present boss short-changing you?
If you want to benchmark your current salary, or you just want some evidence of what infosec pros earn in real life, we’ve found a really nice survey you should check out.
Kudos to Andrew Luke, who has compiled the Infosec Income Questionnaire.
This is the author’s second edition of the survey. The idea is to provide a snapshot of infosec pay. This should be useful for both job hunters and hiring managers as evidence of fair market value. It’s also good general information for anyone considering moving into information security from other specialisms.
As well as salary details and job role, the anonymous survey invites participants to share some useful ancillary information, such as years of experience, level of education and mode of working (onsite/remote). It therefore gives us some good current intel on infosec working trends in general.
Here’s a closer look at a few of those trends…
Infosec professional earnings
Looking at the earnings declared in USD, the results show:
- The average salary is $158,213
- The lowest salary is $9,500
- The highest salary is $800,000
The lowest salary comes from Argentina.
The highest earner declared themselves as having a title of "Red Team, Bug Bounty Hunting, Security Engineer" and works in Richmond, VA, USA.
The most frequent job title was penetration tester.
Organizations like to keep security in-house
When a company needs to bring on board infosec capabilities, it has two options: either hire salaried employees, or else rely on drafted-in contract workers or outsourced security providers (i.e. consultants).
More than three quarters of survey respondents seem to be employees rather than consultants. From an employer’s perspective, this makes sense. Unlike other tech tasks (e.g. systems architecture or software implementation), security is an ongoing requirement rather than a one-off project. It makes sense to invest in your own in-house team.
If you want to train for a tech career and also want the stability of a salaried position, cybersecurity is an area definitely worth focusing on. That said, if you prefer to operate as a lone wolf, there are opportunities out there, too. For instance, we’ve seen that a lot of the survey respondents who are consultants give their job role as ‘penetration tester’. If you like the idea of going into lots of different organizations with a fresh pair of eyes and checking for weaknesses, this might be the role for you.
Time for a gender rebalance
So far, more than 90% of survey respondents are male. The gender gap is even wider than we saw recently in the ISC Cybersecurity Workforce Study, 2020. That study suggested that women make up only around 25% of the global cybersecurity workforce.
It all goes to show that there’s a massive underutilized pool of talent available. The big question is how do we redress the balance?
A lot of it is linked to both perception and training. At StationX, we’re doing our bit in giving people a solid grounding and making the profession as accessible as possible, regardless of background. Cybersecurity most definitely shouldn’t be a ‘boys club’!
Career transitioning is very common
What did respondents do before they moved into cybersecurity? The results point to a popular path. Many people seem to have spent a few years doing something else IT or development-related before making the switch to infosec.
So let’s say you are currently in a systems admin role and are feeling a bit stuck in a rut. Chances are, you’re already well grounded in IT fundamentals. When you think about it, you’re probably also pretty well versed not just in day-to-day tech operations, but also in wider business procedures and processes.
So far, so good. But how do you actually make the switch to cybersecurity?
It’s all about filling in those knowledge gaps. The beauty of on-demand online learning is that you can do it in your own time, and without piling up the student debt. There’s no excuse not to fill those gaps. And as this survey shows, plenty of others have found their own way to make the leap.
Flexible working: here to stay?
Some tasks (red teaming attack simulations, for instance) can theoretically be done from anywhere. In other roles (e.g. all-purpose security engineer), you’d generally expect employers to want their people onsite all day.
But of course, the pandemic has changed a lot; and right now, just 16% of respondents operate exclusively onsite. The flexible/mixed operating model is the most popular one at present, with the majority of workers dividing their time between home and workplace.
As workforces return to the office in greater numbers, will cybersecurity staff be expected/forced to follow suit? This will be an interesting stat to revisit in a year’s time.
Do the salary figures in this survey tally with your own experience? Are you still expected to travel into work - or does your boss let you work remotely? Consultant or employee: which is best? Let us know your thoughts below…
You can contribute to the live survey and view the results here.
Great summary of data points on CyberSec. Also be interesting to see what education (formal/informal/certs) folks have pursued to get jobs.
Check out the spreadsheet of the data.
Thank you Nathan, this article has been very insightful.
Thank you for reading it!
Another good job well done by our Man Nathan.
On one chart I read 99999999999999’s (Salary) and S/He was directly from the Milky Way, the person was a pentester, so, I focused on others. 250,000 Euros salary was one of the highest in 2020.
I too am from the Milky Way & almost over the hill as well, but I will tug on.
Thanks Nathan……
:)
Worked two years as a Soft Dev. and now I’m trying to break into InfoSec!
My pleasure. Thank you for your comment.
Thank you Nathan, after your two courses which I finished this year, I will start studying in September in Toronto School of Management for Diploma in Cyber Security Specialist. Thank you again
That’s brilliant.
Thank you Nathan for everything, from teaching, opening our eyes to encouraging us I salute you. I really must up my learning game
Thank you for being my student. Without you, I would have no one to help.
Great work !! Motivates me a lot.
Glad I can help.
Awesome information. Very helpful. Thanks
Thank you.
All I can say is Damn !! I have to get started. I ordered the CompTIA bundle a while back and haven’t used it much.
I’m a lawyer in the USA. I make much less than most of these salaries and I hate my job.
A lawyer with a specialisation in cyber would work in many roles.
Thank you for the valuable insights of the current job trends.
Thank you for sharing such useful content on cyber security.
Wow, the description with the statistics is really awesome. Thank you very much, Nathan Sir.
This is such an important contribution
Nice, the stuff with the statistics is really awesome.
Thank you very much for sharing.
Great blog! It is really helpful and knowledgeable.
Just finished Cybersecurity Volume 1. A great addition to the Cybersecurity: Technology & Policy Executive Course, I completed over the Summer via Harvard Kennedy School of Government.
Hello, nice post! You have covered all the beneficial details. Keep sharing such helpful content with us!
nice motivated
Hi Nathan
Your blog and resources are great. Keep sending it. You are doing an excellent job. If you could share something from OT cybersecurity, that would be helpful.
Thanks