U.S. has almost 500k job openings in cybersecurity (cbsnews.com)
79 points by WellDressed 1857 days ago
12 comments

How many of those job postings list a CISSP or 5 years for an entry-level job that pays $70k? This is stuff I see often.

I have extensive experience in cloud security environments, have done IR, DR/BCP planning, passed SOC II audits, and have security cert(s). But I'd have a hard time finding a security engineering job that pays similarly to what I get paid currently as a support engineer for AWS's security services. And that's largely because most security jobs I see are asking for unicorns willing to get paid substantially less than other IT disciplines.

> But I'd have a hard time finding a security engineering job that pays similarly to what I get paid currently as a support engineer for AWS's security services.

I would assume that AWS would be near the top of compensation no matter what job when looking at American companies.

Really depends on what Org you're working for. I've had a lot of colleagues in support get pulled away to SaaS vendors to get paid more. I actually talked with a friend the other day who essentially offered me a job with 50% the workload and $30k+ more per year.

While SDE/SDMs/etc. probably get paid the top of the compensation when looking across companies, support isn't the same. Also, most of that is likely tied up in RSUs.

But I know for a fact L4 people in AWS's SOC get paid more than L5s in support. But AWS's SOC isn't a remote position, and I'm not in a position to move to where the SOC teams are located.

What is SOC?

Security Operations Center.

Centralized logs, analyse and react to incidents.

My experience having gone from Principal Systems Engineer to cybersecurity analyst to eventually pen test and then red team is that cybersecurity pays substantially more than most other IT disciplines, except maybe SE and Dev(Sec)Ops.

The 70k thing... in Texas I think fresh college grads are getting that for risk analyst roles. Experienced security engineers seem to go for 120k-150k, more for appsec. I assume Silicon Valley is double that (for much more than double the cost of living).

The CISSP thing is definitely real but beginning to fade out, although asking for one for an entry level role is less ludicrous than it sounds. I legitimately had one before my first sec title. Practically everything counts as security experience... if you've ever worked on an Active Directory domain, that's IAM, for example. I don't actually think that much of the CISSP and I think it's a mistake for HR to value it so highly, but it's not insurmountable.

Security is always going to be a cost side of the business, to be minimized.

If I am reading the trend correctly, we will soon see Trust/Security/Assurance move into more of a GTM function for B2B product companies.

GTM = Go To Market?

Correct.

how do you arrive at this conclusion?
With the recent attacks, particularly supply-chain attacks, B2B buyers would be asking more security questions to their vendors.

Vendors will soon be competing on the quality and reputation of their security features.

Finally, I think regulation might be coming down in the area soon. My read is that this will be welcomed by big enterprises, and they go to market touting their "enterprise-grade security features". Eventually, all B2B teams will have a Trust/Assurance portion to their GTM playbook.

have you sold any security products?

infosec is basically QA with veto powers. It's mostly just checklists and passing the buck. A cost center everyone wants to cut... until it's too late.

For every company that is not selling a security product, this is self evidently true.
^^^ This
I've been reading about this "security professionals shortage" for quite some years, yet the reality is that there is no such shortage.

And I think this is even expandable now to any IT field. People keep talking about a shortage, but what I do see is an exhausting hiring process most people just don't want to deal with.

"Shortage" is a synonym for "costs more than I'd like to pay for it".
Competing harder for the limited pool of competent security people might redistribute breaches away from your company onto others. From a local perspective this could be rational but as a society we want to be less vulnerable in aggregate.

(Although there I think the IT operations side is vastly overblown and not nearly enough attention is paid to quality control on the most popular software packages. Want to make every business substantially more secure at once? Take a hard look at Windows Server, Exchange, etc).

The pool is never truly limited though. Every industry was at one time tiny and had to train people to do the job.

But, training costs money, so they hope some other company will do it for them.

I'd say "costs more than the median income" is closer. Adjust for legitimate training costs that are incurred by the workers, and it might be a pretty good definition.
Paying more just means you fill your vacancy at the expense of another firm who has their employee poached. The net effect is that one company is still vulnerable.
They are all in this together? Paying more means you fill your vacancy.

Edit: The cheapskate can follow suit and maybe that convinces one person to undertake the 8-week cert. No more shortage. Or maybe they don't pay more and are DDoS'd out of business. Again, no more shortage.

There are at least one million people in the US who have more than enough experience for an entry-level cybersecurity position; all they need is a few weeks of training (to start) and an employer that isn't demanding twenty years of experience and a CISSP for $50k with crap healthcare and inadequate PTO.

Also, employees are not some company's property. At-will employment goes two ways, and if you want to treat them as if they were property you may as well just turn off the lights now because it will not end well.

>There are at least one million people in the US who have more than enough experience for an entry-level cybersecurity position

What's the base requirement for these people?

It also creates supply, e.g. software developers in a related field deciding to switch careers.
Or another country or another industry or encourages others to join the field.
The security industry is unique in how much and how quickly it changes. There are two kinds of companies that hire infosec professionals in my experience: those that understand that change and the resulting need to plug their employees into the industry training pipeline and invest in their active learning, and those that don't. Those that don't more often than not have laughable or terribly unbalanced job descriptions where they're willing to pay decently well but demand a golden platypus riding a unicorn, and those types of hires might have a shortage indeed.
The hiring process is definitely an issue. Cybersecurity is new enough that HR has no idea what they want, so they require useless certifications like CEH, and a college degree in CS. There's also a wide variation in what Cybersecurity even means. Some college cybersecurity programs are all about policy and compliance, while some focus on offensive security and vulnerability analysis.
Often it's not HR that writes these job adverts, it's the managers. HR is just a middleman.
Well, since ultimately this involves codewords dancing around the "don't want to pay proper wage", America's companies should instead hand their security over to outsourcing firms like they do with everything else that is IT related?

What could go wrong? Make sure to diversify to China, Russia, Eastern Europe, Malaysia, Israel etc.

Oh does that sound like a bad idea? The fact is as soon as the main systems development is outsourced, you might as well have outsourced the security too.

Probably why most enterprise security is a bunch of people buying Cisco appliances and formulating checklists and policies and don't even know specific vulnerabilities or the safety degree of various algorithms.

And of course, their main job, making powerpoints for upper management and occupying seats/budget such that when leaks or failures occur upper management has plausible deniability.

I am a Sr. devops engineer and have been looking to transition to a devsecops or even some sort of security ops role for a YEAR. I am willing to take a pay cut and move to a more junior role but I can never pass the HR filter of “prior security experience needed.”
Yeah, so.. I was in the same boat. Just fake your cv, it sounds really unethical but really if you’re a sr devops you’ll be able to handle all the work easily. You’ll only get in trouble if you can’t actually do it. Maybe do the oscp too.
Working in cybersecurity requires trust. Lying on your CV isn't a great way of demonstrating that.
They're fake / fraudulent requirements, it's questionable which side is being more unethical.

Entry level with min 3-5 years of experience in cyber security, yeah, that's bullshit. Either they're outright lying, dramatically exaggerating about what they need, or dangerously incompetent.

When someone sets up fraudulent requirements for a job listing, they're priming the ground for dishonesty all around (they're being dishonest with the job listing to begin with), and they become partially responsible for the context.

If I put out a job listing for $250,000 / year and demand people have 3-5 years of experience at telepathy, I'm going to get a lot of candidates willing to lie on their application. The same principle comes into effect when you put out any manner of fraudulent requirements for jobs; to the extent your listing is fraudulent, is the extent to which it's going to cause problems one way or another.

If I copied and pasted some boilerplate requirements to save time, I would look for the candidate whose attitude is, "I'm so strong in other areas you haven't considered that you're going to overlook your requirements and make an exception for me" rather than the candidate who thinks, "I take bullet points so seriously that I'm going to focus on deceiving you into thinking I meet them when I actually don't". You will eventually find an employer who doesn't bother fact checking but is that the kind of employer you want?
How many HR resume filters do you get past before you even get a chance to make that argument?

You could be referred personally to some hiring manager but you have to admit that situation is a minor occurrence compared to most job postings

I wish these supposed jobs existed when I finished my degree for going into cybersecurity, unfortunately EVERY "entry level" job required 3-5 years experience. It's probably exactly the same today. Now I work in electrical engineering, because the position requested (not required) a background in IT and my hobbyist experience was enough to satisfy the rest of the requirements.
If 3-5 years is the baseline, you deduct 3-5 years from the experience numbers and apply to those job postings. I.e. 3-5 years entry level? Apply after college. 5-8 years senior position? Apply after 2-3 years.

Job position descriptions are wish lists, if they don't find a candidate they will hire somebody that doesn't fit the bill 100%. Which is usually the people that dared to apply anyway.

I was never entry level. First programming job was senior. Like really senior.

No idea why they hired someone brand new for senior.

I guess for a while I explained it as “senior” and “junior” not necessarily being descriptive.

Now I think it’s that I had related experience (I had been a teacher, and training/mentoring is a big part of the job.)

Discussed 3 days ago:

https://news.ycombinator.com/item?id=27219156 (88 points/94 comments)

> "It just requires someone who has the proper training, proper certification

Certification? I don't think so, why would you even...

> Tim Herbert, executive vice president for research at CompTIA.

Ahhh... it's an advertisement for a bad certification program.

Meta on the comments: While it's true that the salaries are unreasonably low, it doesn't mean that there are 500k Americans capable of doing cybersecurity work just waiting for the right paycheck.

There can be _both_ a worker shortage and unreasonable salary expectations. A labor market will always have slack on both sides, but even at the extreme, there could be 10 cybersecurity experts, and you'd have people saying "Oh, you can find workers, you just have to be willing to pay $100mm/yr."

I wonder if it is like the rural doctor/nurse/cop shortages though. Those places don't want to pay, so don't care if the jobs are actually filled.

How many of the 465,000 jobs do companies actually care get filled? Or do they just have them open just in case someone cheap walks through the door?

The rural doctor shortage is probably a really good parallel, because as a society we in the abstract agree that it's Very Bad to let people die without reasonable access to healthcare, but poor rural communities simply can't support paying doctor or even nurses to be available.

There's still a ton of society loss / deadweight because of the consequences of not having those services; the question is, how can we restructure the supply side of the argument to make it possible? For doctors+nurses, it's via government subsidies (income-based repayment, federal grants).

i.e., the cost of security breaches isn't to the companies being breached -- it's to the consumers who lose their PII/PHI to hackers. Or who lose access to a service they love using, because they can't keep running without a security expert.

The rural doctor shortage is caused by the American Medical Association cartel deliberately restricting the supply of doctors to keep prices high. When there isn't even enough supply to meet the needs of desirable urban areas, what chances does the middle of nowhere in the Midwest or Alaska have?

I once dated an Indian-born MD who immigrated to the US. A Senator from Missouri went to bat personally (not one of his staff) to get her a green card under the proviso she would settle in rural Missouri, because he understood that's what it takes (she moved to Maryland after a few years).

Rural areas are understaffed in every skilled field, whether it be nursing, EMTs, firefighters, cops, engineers, etc. It is because the people there don't want to pay any taxes so they would rather do without.
> There can be _both_ a worker shortage and unreasonable salary expectations.

This is true, but unreasonable salary expectations exacerbate a worker shortage.

I can either try to find security work with reasonable expectations and salary, or I can take the skills I learned in security to learn IaaC, CI/CD, and Docker (which takes maybe a couple months?) and go do DevOps to make a lot more money. Sure I'm not passionate about DevOps, nor do I feel I'll be making more of a societal impact in DevOps. But I'll be materially better off and won't have to sift through hundreds of job postings to find a posting with reasonable expectations.

The end result? Another qualified, passionate person outside of the job pool.

Then they need to get off the Internet if they truly can't secure their systems.

Or, goodness, so many people became unemployed during the pandemic, they could train them for the job they "need".

We don't put this financial burden-of-self-defense on any other industry though. Why is cybersecurity different than physical retailers?

Walgreens isn't responsible for providing their own police force. Sure, they put locks on the doors, but the burden of protecting businesses is on the police, which they (and we) pay for via taxes.

You could say "Oh, a business which can't defend itself against looting doesn't deserve to be in business", and maybe you end up with like 5 mega-Walmarts who can afford heavily armed guards, but this isn't actually a better society in the end than one with robust small businesses.

It's the same with cybersecurity -- you can take everyone except Google, Amazon, and Facebook off the internet, because only those three can hire top-of-the-line security professionals, but that's not actually a better internet than the one we have now.

In San Francisco, Walgreens is responsible for providing their own security force, so they decided to stop operating there.

Companies that can't secure their operations can hire others, like Shopify, Paypal, etc to conduct online operations for them. We've all heard the many stories of professionals making security recommendations and being overruled. If you don't want to invest in security, then don't have valuable data in computers connected to the Internet. Experian exposed our data and faced basically zero consequences, so I don't have any sympathy.

Are you seriously arguing that Walgreens leaving SF over rampant shoplifting is a natural, healthy outcome?

Literally every sane person agrees this is a symbol of utter dysfunction that should never happen in a functioning city.

San Francisco neighborhoods did not want mall-like corporate chains at all, a few decades ago. The companies paid for the privilege and prevailed over time. Meanwhile economics changed and left a lot of people out of the benefits, wages for working people stayed even, and the pain-killer drugs and organized crime grew strong. Toxic cocktail to be sure, but SF has always been a cocktail town, from the early days. In some ways The City has reaped what it sowed, socially.
Oh, no, it's terrible.

But government can't secure the Internet like they could physical space, so operating on the Internet is like operating in SF.

Cybersecurity drastically varies depending on the actions of a business in a way which physical security doesn't, short of the business failing to lock its doors at night. And if the business does fail to lock its doors, the business is directly hurt, giving businesses incentives to treat security properly, while security breaches often hurt the customers, but not the company.

Also, you don't generally see the police demanding that retailers have windows that are easy to break because the police might want to rob them themselves someday, but the equivalent is routine with the government and cybersecurity.

Walgreens - great example! That's a pharmacy. Pharmacies have to follow strict safety regulations and are constantly worried about both those and the threat of lawsuits for endangering customers. And there are also both internal and external threats to the business (drugs are a valuable, easily portable asset).

Oversimplifying a lot, Walgreens has these well-paid, trained workers they call "pharmacists" to deal with it.

You are trying to whatabout this, ignoring the actual point. Let's not do that.

The Pharmacists make only effort to prevent someone from breaking into the Pharmacy with a crowbar and stealing all the drugs + prescriptions. In fact, I would be shocked if Walgreens even _allowed_ staff to physically detain shoplifters -- that's a huge legal liability.

Defending those goods is the job of the police.

You pretty much have no clue what you're talking about when it comes to the duty of the police. The police have no charge to protect you or your business, at all, whatsoever. This has been decided in the high courts in the US. Pretty much everything you stated is completely incorrect.
Well, that's one of the drivers for companies migrating their apps to the cloud.
I don't know any security professionals. Is this something that a mostly-self-taught software engineer could get a job in? What are interviews typically like?
Tom Aptek’s (security company founder) pitch a few years back was

Get through ‘A Web Application Hacker’s Handbook’ and ‘Securing DevOps’ and his company would probably give you six figures and a brand new macbook.

For an extra bonus you could work through their crypto challenges.

https://cryptopals.com/sets/1

https://www.manning.com/books/securing-devops

https://archive.org/details/TheWebApplicationHackersHandbook...

That’s a company that hires based on actual knowledge and skill, rather than certificates and buzzwords.
The salary they mentioned in the article is too low when the downside is millions in payout
I’ve noticed that Cyber Security at a lot of companies is still stuck in the sys admin days of yore. They continue to hold on to the antiquated tooling that doesn’t scale or actually detect most issues. And the idea of learning or expanding into security automation beyond their toolset is frowned upon by a not significant number of members of the community doing the day to day work. This creates an atmosphere where the SecOps teams can’t articulate the positives they are bringing to the organization. And thus the market doesn’t pay them their worth.

Compare this to DevOps where the sale has been done well and the business is convinced that these highly paid automation engineers will help the business to improve and speed up software delivery providing more income to the company.

Until security is able to properly articulate how they are helping and improving the business, not just getting in everybody’s way, the field is going to struggle to raise salaries to comparable levels as these other disciplines.

That's just an entry level salary
I imagine a lot of these would be highly laborious analytical-type roles (staring at a dashboard all day) which don't lead to the high paying and glamorized hacker/pentester roles.
Most places where I've worked only had 1-2 security people that weren't entry level. The majority of people doing cybersecurity work are just going to be looking at automated alerts and automated scan reports, then they pass things up to the senior person to make sure it gets investigated and fixed.
Well that oughta get all those waiters and cashiers off unemployment.
No one wants to pay big money to improve the talent in a cost center.