I have extensive experience in cloud security environments, have done IR, DR/BCP planning, passed SOC II audits, and have security cert(s). But I'd have a hard time finding a security engineering job that pays similarly to what I get paid currently as a support engineer for AWS's security services. And that's largely because most security jobs I see are asking for unicorns willing to get paid substantially less than other IT disciplines.
I would assume that AWS would be near the top of compensation no matter what job when looking at American companies.
While SDE/SDMs/etc. probably get paid the top of the compensation when looking across companies, support isn't the same. Also, most of that is likely tied up in RSUs.
But I know for a fact L4 people in AWS's SOC get paid more than L5s in support. But AWS's SOC isn't a remote position, and I'm not in a position to move to where the SOC teams are located.
The 70k thing... in Texas I think fresh college grads are getting that for risk analyst roles. Experienced security engineers seem to go for 120k-150k, more for appsec. I assume Silicon Valley is double that (for much more than double the cost of living).
The CISSP thing is definitely real but beginning to fade out, although asking for one for an entry level role is less ludicrous than it sounds. I legitimately had one before my first sec title. Practically everything counts as security experience... if you've ever worked on an Active Directory domain, that's IAM, for example. I don't actually think that much of the CISSP and I think it's a mistake for HR to value it so highly, but it's not insurmountable.
And I think this is even expandable now to any IT field. People keep talking about a shortage, but what I do see is an exhausting hiring process most people just don't want to deal with.
(Although there I think the IT operations side is vastly overblown and not nearly enough attention is paid to quality control on the most popular software packages. Want to make every business substantially more secure at once? Take a hard look at Windows Server, Exchange, etc).
What could go wrong? Make sure to diversify to China, Russia, Eastern Europe, Malaysia, Israel etc.
Oh does that sound like a bad idea? The fact is as soon as the main systems development is outsourced, you might as well have outsourced the security too.
Probably why most enterprise security is a bunch of people buying Cisco appliances and formulating checklists and policies and don't even know specific vulnerabilities or the safety degree of various algorithms.
And of course, their main job, making powerpoints for upper management and occupying seats/budget such that when leaks or failures occur upper management has plausible deniability.
Job position descriptions are wish lists, if they don't find a candidate they will hire somebody that doesn't fit the bill 100%. Which is usually the people that dared to apply anyway.
No idea why they hired someone brand new for senior.
I guess for a while I explained it as “senior” and “junior” not necessarily being descriptive.
Now I think it’s that I had related experience (I had been a teacher, and training/mentoring is a big part of the job.)
https://news.ycombinator.com/item?id=27219156 (88 points/94 comments)
Certification? I don't think so, why would you even...
> Tim Herbert, executive vice president for research at CompTIA.
Ahhh... it's an advertisement for a bad certification program.
There can be _both_ a worker shortage and unreasonable salary expectations. A labor market will always have slack on both sides, but even at the extreme, there could be 10 cybersecurity experts, and you'd have people saying "Oh, you can find workers, you just have to be willing to pay $100mm/yr."
How many of the 465,000 jobs do companies actually care get filled? Or do they just have them open just in case someone cheap walks through the door?
There's still a ton of society loss / deadweight because of the consequences of not having those services; the question is, how can we restructure the supply side of the argument to make it possible? For doctors+nurses, it's via government subsidies (income-based repayment, federal grants).
I.e., the cost of security breaches isn't to the companies being breached -- it's to the consumers who lose their PII/PHI to hackers. Or who lose access to a service they love using, because it can't keep running without a security expert.
This is true, but unreasonable salary expectations exacerbate a worker shortage.
I can either try to find security work with reasonable expectations and salary, or I can take the skills I learned in security to learn IaaC, CI/CD, and Docker (which takes maybe a couple months?) and go do DevOps to make a lot more money. Sure I'm not passionate about DevOps, nor do I feel I'll be making more of a societal impact in DevOps. But I'll be materially better off and won't have to sift through hundreds of job postings to find a posting with reasonable expectations.
The end result? Another qualified, passionate person outside of the job pool.
Or, goodness, so many people became unemployed during the pandemic, they could train them for the job they "need".
Walgreens isn't responsible for providing their own police force. Sure, they put locks on the doors, but the burden of protecting businesses is on the police, which they (and we) pay for via taxes.
You could say "Oh, a business which can't defend itself against looting doesn't deserve to be in business", and maybe you end up with like 5 mega-Walmarts who can afford heavily armed guards, but this isn't actually a better society in the end than one with robust small businesses.
It's the same with cybersecurity -- you can take everyone except Google, Amazon, and Facebook off the internet, because only those three can hire top-of-the-line security professionals, but that's not actually a better internet than the one we have now.
Get through 'The Web Application Hacker's Handbook' and 'Securing DevOps' and his company would probably give you six figures and a brand new MacBook.
For an extra bonus you could work through their crypto challenges.
https://www.manning.com/books/securing-devops
https://archive.org/details/TheWebApplicationHackersHandbook...
Compare this to DevOps where the sale has been done well and the business is convinced that these highly paid automation engineers will help the business to improve and speed up software delivery providing more income to the company.
Until security is able to properly articulate how it is helping and improving the business, not just getting in everybody's way, the field is going to struggle to raise salaries to levels comparable to these other disciplines.