by whoknew1122 1856 days ago
How many of those job postings list a CISSP or 5 years for an entry-level job that pays $70k? This is stuff I see often.

I have extensive experience in cloud security environments, have done IR, DR/BCP planning, passed SOC II audits, and have security cert(s). But I'd have a hard time finding a security engineering job that pays similarly to what I get paid currently as a support engineer for AWS's security services. And that's largely because most security jobs I see are asking for unicorns willing to get paid substantially less than other IT disciplines.


> But I'd have a hard time finding a security engineering job that pays similarly to what I get paid currently as a support engineer for AWS's security services.

I would assume that AWS would be near the top of compensation no matter what job when looking at American companies.

Really depends on what org you're working for. I've had a lot of colleagues in support get pulled away to SaaS vendors to get paid more. I actually talked with a friend the other day who essentially offered me a job with 50% of the workload and $30k+ more per year.

While SDE/SDMs/etc. probably get paid the top of the compensation when looking across companies, support isn't the same. Also, most of that is likely tied up in RSUs.

But I know for a fact L4 people in AWS's SOC get paid more than L5s in support. But AWS's SOC isn't a remote position, and I'm not in a position to move to where the SOC teams are located.

What is SOC?
Security Operations Center.

Centralized logs, analysis, and reaction to incidents.

My experience having gone from Principal Systems Engineer to cybersecurity analyst to eventually pen test and then red team is that cybersecurity pays substantially more than most other IT disciplines, except maybe SE and Dev(Sec)Ops.

The 70k thing... in Texas I think fresh college grads are getting that for risk analyst roles. Experienced security engineers seem to go for 120k-150k, more for appsec. I assume Silicon Valley is double that (for much more than double the cost of living).

The CISSP thing is definitely real but beginning to fade out, although asking for one for an entry level role is less ludicrous than it sounds. I legitimately had one before my first sec title. Practically everything counts as security experience... if you've ever worked on an Active Directory domain, that's IAM, for example. I don't actually think that much of the CISSP and I think it's a mistake for HR to value it so highly, but it's not insurmountable.

Security is always going to be a cost side of the business, to be minimized.
If I am reading the trend correctly, we will soon see Trust/Security/Assurance move into more of a GTM function for B2B product companies.
GTM = Go To Market?
Correct.
How do you arrive at this conclusion?
With the recent attacks, particularly supply-chain attacks, B2B buyers will be asking more security questions of their vendors.

Vendors will soon be competing on the quality and reputation of their security features.

Finally, I think regulation might be coming down in the area soon. My read is that this will be welcomed by big enterprises, and they will go to market touting their "enterprise-grade security features". Eventually, all B2B teams will have a Trust/Assurance portion to their GTM playbook.

Have you sold any security products?

infosec is basically QA with veto powers. It's mostly just checklists and passing the buck. A cost center everyone wants to cut... until it's too late.

For every company that is not selling a security product, this is self evidently true.
^^^ This