by techjuice 3269 days ago
Hopefully the following helps, it is from research I have done comparing the public sector to the private sector pay and compensation over time, specifically comparing intelligence community pay to regular government agency pay and compensation for the independent agencies (FCC, SEC, CIA, CFTC, FTC, GSA, USPS, SSA, etc.) - https://en.wikipedia.org/wiki/Independent_agencies_of_the_Un...

If they are government employees they are normally paid on the regular government GS Pay scale (title 5) - https://www.opm.gov/policy-data-oversight/pay-leave/salaries... so the really good ones get paid up to $161,900 if they can make it past the GS-14 pay grade.

Though, that is considered generally OK pay for a regular government job that is not extremely high stress, quick turn around and high demand. Though to the private sector's top hackers as many far exceed this as a senior cyber security engineer or CISOs making up to $380,000/year + stock options + other perks. In those cases the government also has Title 10 which limits pay to under the president's salary (section 102 of title 3) $400,000 - https://www.law.cornell.edu/uscode/text/3/102. This allows the federal government secretaries or heads of agency to be able to pay individuals of extraordinary talent and ability the same rate as they may pay a physician or other medical professional if that individual's salary requirements fall outside of the regular GS pay scale and they really want that person on board and want to pay them a competitive salary.

There is also the Senior Executive Service and other equivalents for the many agencies that puts the individual into a senior level (SL), scientific or professional (ST) positions. These positions may come with cash rewards up to $25,000 with approval from OPM/White House, eligibility to be nominated for the Presidential Rank Awards (Distinguished Rank (35% of annual basic pay) or Meritorious rank (20% of annual basic pay)) - https://www.opm.gov/policy-data-oversight/senior-executive-s....

Though these positions for hackers would normally be reserved for those with at least 10 to 20+ years in the game with extreme in-depth knowledge of the multiple operating systems, hardware and software, SCADA, Satellite, and other embedded/private/public/military communications systems out there. This normally means they are not just specialized in a few things, but have deep knowledge of many systems through practical experience working with them hands on over the years and hacking them to pieces during security audits, product evaluations, quality assurance, security validation and testing through reverse engineering to ensure the products do what they say they do, etc.

There are also some agencies that use a pay band system 1 to 5, etc. and normally cap out at around $157,000/year then bump up to around $120,000 to $167,000 for their senior level positions and $120,000 to around $180,000 for their senior executive service compensation.

So in general the best of the best in terms of government employees could be paid up to $400,000/year under title 10 which is more of a government contractor type position that has to be renewed regularly, highly unlikely unless those in top positions see someone they want working for them and really want them badly to work on the inside of government. Normally the title 10 pay is around $160,000-$300,000, so in general the bulk of hackers would fall under the GS pay scale ranging from GS-9 to GS-14 Step 6. Anything higher would have to be negotiated and justified during the hiring process or worked into a promotion for those already working for the government.

4 comments

Just to improve that answer: SES is usually reserved for management. It is designed to produce a general "gov't manager" able to be swapped into any agency and manage people. It is extremely rare for any SES to do research work directly. They usually manage a lab or similar larger organization.

The same goes for GS-14 and higher. Those ranks usually translate to management, or it is expected that they would have some management tasks (like team leader, etc.). Same with bands in that band 5 is usually reserved for managers or exceptional non-managers.

In non-DoD/Intel community, the normal model for IT is having one FTE (GS-13/14) managing a bunch of contractors, or a mix of FTEs doing specialized work (running key systems, networks, "DevOps") and contractors doing customer facing stuff like desktop support, etc. Can't speak for the intel community or DoD, who do their own thing.

to add a little bit of extra inside baseball (my experience only, YMMV) -

bands (short for pay bands) in FEDERAL (not contractor) competitive service vs. excepted service are slightly different.

Competitive service works as Band 1-4, followed by SES (senior executive service). With excepted service (which I expect most hacker type folks to be hired under) you don't have SES. You have Band 1-5, with Band 5 roughly = to an SES pay grade. Excepted services essentially means you are hired in for a special skill set, and you don't compete on the normal gov HR point system (which includes vet preference, disability, etc.). Excepted service tends to be used for hiring a specific person. Downside is that without competitive status, excepted service personnel cannot move laterally in government.

in both cases, band 1-4 cover the same ground as GS 1-15, but with less stratification.

GS Grades go from 1-15, but each grade has 10 steps. GS 9 (average masters degree education starting point) will run 42K-56K base + whatever COLA (cost of living adjustment) you get for location. For Wash DC area COLA is +24.78%, bumping GS 9 to 53k (step 1)-69K (step 10). Each department/team is a little different, but most places I'm familiar with have a clear career path from GS7-GS13. GS14 and GS15 are more slot based, and generally are management positions.

Bands are tougher to move around in after your initial hire. It works out better for you if you just scrape into the next highest band, it works out worse if you land in the middle or the top of your band. Instead of step or grade based pay bumps, the band system is an "experiment" to incorporate pay for performance. Everyone gets their base pay (determined by band, and then further separated into high, medium, and low), and then there is an extra pool of money at the office level that is distributed by performance reviews. High performers get 1.5%-3% * (base pay + COLA), with low performers getting nothing. Without getting deeper into the weeds, most people can expect to get a ~1%-1.5% "bonus" annually. Theoretically, the bonus system is supposed to make up for the additional stratification of the Grade/Step system, but because of office politics the curve is pretty flat, and the high performers don't really see that much of a pay bump.

edited to add this is for FEDERAL employees. Contracting has a whole different set of issues and rules. In general, I'd recommend going Federal to get experience and a clearance, then transition to contractor status later in your career. Whereas most Fed salaries will top out at 160K-ish, contractor salaries w/ bonus can be much higher (2x-4x). Downside is stability and employment risk, and working for a client rather than being the client.

Assuming by "pretty good hackers" OP means the developers actually doing the work, they are typically GS-12 or GS-13 - so $80k to $120k. GS-14 slots and above are reserved for management and spend much less time doing the real work.

A lot of the teams employ contractors alongside the USG employees, with higher pay ranges.

> GS-14 slots and above are reserved for management and spend much less time doing the real work.

This is normally true but there are organizations that have technical roles up to GS-15.

Superb and comprehensive response, thank you.
What is the educational path to becoming a CISO? Would you go into IT or CS?

Either. Then get an MBA.