Will retraining as a pentester earn you a pay rise? With three years on the job as a security engineer, is your present boss short changing you?
If you want to benchmark your current salary, or you just want some evidence of what infosec pros earn in real life, we’ve found a really nice survey you should check out.
Kudos to Andrew Luke, who has compiled the Infosec Income Questionnaire.
This is the author’s second edition of the survey. The idea is to provide a snapshot of infosec pay. This should be useful for both job hunters and hiring managers as evidence of fair market value. It’s also good general information for anyone considering moving into information security from other specialisms.
As well as salary details and job role, the anonymous survey invites participants to share some useful ancillary information, such as years of experience, level of education and mode of working (onsite/remote). It therefore gives us some good current intel on infosec working trends in general.
Here’s a closer look at a few of those trends…
Infosec professional earning
If we look at the USD declared earnings we see that the results show.
- The average salary is $158,213
- The lowest salary is $9,500
- The highest salary is $800,000
The lowest salary comes from Argentina.
The highest earner declared themselves as having a title of "Red Team, Bug Bounty Hunting, Security Engineer" and works in Richmond, VA, USA.
The most frequent job title was penetration tester.
Organizations like to keep security in-house
When a company needs to bring on board infosec capabilities, it has two options: either hire salaried employees, or else rely on drafted-in contract workers or outsourced security providers (i.e. consultants).
More than three quarters of survey respondents seem to be employees rather than consultants. From an employer’s perspective, this makes sense. Unlike other tech tasks (e.g. systems architecture or software implementation), security is an ongoing requirement rather than a one-off project. It makes sense to invest in your own in-house team.
If you want to train for a tech career and also want the stability of a salaried position, cybersecurity is an area definitely worth focusing on. That said, if you prefer to operate as a lone wolf, there are opportunities out there, too. For instance, we’ve seen that a lot of the survey respondents who are consultants give their job role as ‘penetration tester’. If you like the idea of going into lots of different organizations with a fresh pair of eyes and checking for weaknesses, this might be the role for you.
Time for a gender rebalance
So far, more than 90% of survey respondents are male. The gender gap is even wider than we saw recently in the ISC Cybersecurity Workforce Study, 2020. This suggested that women only make up only around 25% of the global cybersecurity workforce.
It all goes to show that there’s a massive underutilized pool of talent available. The big question is how do we redress the balance?
A lot of it is linked to both perception and training. At StationX, we’re doing our bit in giving people a solid grounding and making the profession as accessible as possible, regardless of background. Cybersecurity most definitely shouldn’t be a ‘boys club’!
Career transitioning is very common
What did respondents do before they moved into cybersecurity? The results point to a popular path. Many people seem to have spent a few years doing something else IT or development-related before making the switch to infosec.
So let’s say you are currently in a systems admin role and are feeling a bit stuck in a rut. Chances are, you’re already well grounded in IT fundamentals. When you think about it, you’re probably also pretty versed not just in day-to-day tech operations, but also in wider business procedures and processes.
So far, so good. But how do you actually make the switch to cybersecurity?
It’s all about filling in those knowledge gaps. The beauty of on-demand online learning is that you can do it in your own time, and without piling up the student debt. There’s no excuse not to fill those gaps. And as this survey shows, plenty of others have found their own way to make the leap.
Flexible working: here to stay?
Some tasks (red teaming attack simulations, for instance), can theoretically be done from anywhere. In other roles (e.g. all-purpose security engineer), you’d generally expect employers to want their people onsite all day.
But of course, the pandemic has changed a lot; and right now, just 16% of respondents operate exclusively onsite. The flexible/mixed operating model is the most popular one at present, with the majority of workers dividing their time between home and workplace.
As workforces return to the office in greater numbers, will cybersecurity staff be expected/forced to follow suit? This will be an interesting stat to revisit in a year’s time.
Do the salary figures in this survey tally with your own experience? Are you still expected to travel into work - or does your boss let you work remotely? Consultant or employee: which is best? Let us know your thoughts below…
You can contribute to the live survey and view the results here.