I’ve noticed that Cyber Security at a lot of companies is still stuck in the sys admin days of yore. They continue to hold on to the antiquated tooling that doesn’t scale or actually detect most issues. And the idea of learning or expanding into security automation beyond their toolset is frowned upon by a not significant number of members of the community doing the day-to-day work. This creates an atmosphere where the SecOps teams can’t articulate the positives they are bringing to the organization. And thus the market doesn’t pay them their worth.
Compare this to DevOps where the sale has been done well and the business is convinced that these highly paid automation engineers will help the business to improve and speed up software delivery providing more income to the company.
Until security is able to properly articulate how they are helping and improving the business, not just getting in everybody’s way, the field is going to struggle to raise salaries to comparable levels as these other disciplines.
I imagine a lot of these would be highly laborious analytical-type roles (staring at a dashboard all day) which don't lead to the high paying and glamorized hacker/pentester roles.
Most places where I've worked only had 1-2 security people that weren't entry level. The majority of people doing cybersecurity work are just going to be looking at automated alerts and automated scan reports, then they pass things up to the senior person to make sure it gets investigated and fixed.