SANS salary survey http://www.sans.org/salary2005/

darkuserdarkuser Member Posts: 620 ■■■□□□□□□□
rm -rf /

Comments

  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    Looks like I'd be taking a sizable pay cut if I moved from software engineering to information security. I'd better find a career that folds InfoSec into SoftEng and not vice versa.

    And for all the people who keep asking "What's the best paying security certs?", your answer is in this survey.
  • qsubqsub Member Posts: 303
    :'( Canada.
    World Cup 2006 - Zidane - Never Forget.
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    I have a few issues with this survey as I do many I've seen published by SANS. They don't say how it was conducted, what the sampling population was or whether or not it was a very small group of people who happen to be SANS certified people or was it really a selection at large.

    SANS likes to tout that the CISSP, CISM, and CISA don't prove hands-on expertise. Of course they don't, because they are not hands-on technical certifications, they are infosec management and auditing certifications. Furthermore, other than myself, I know 10 CISSPs personally, and I know for a fact they all make no less than 120k per year. Although 3 of them are self employed or consultants, my point is still valid. I'm always very careful with surveys conducted by companies who have an obvious conflict of interest as far as being non-biased.

    Don't get me wrong, I have no problem with the SANS Institute and have much respect for what they have to offer. I've spent a lot of money over the last year sending people there, and will be doing much of the same this year. SANS has probably the best programs in the world for specialists in Infosec, but I wouldn't send a firewall specialist in to a client to do a total infosec consultation project. This is where the CISSP and CISM people come in. I met a person at a conference back in November who basically did large scale Cisco Pix configurations and roll outs. Basically he's done nothing but that for the last 3 or 4 years. He complained to me that he got his CISSP but his company failed to give him a raise (he went out on his own and got the CISSP). The flaw in his thinking was that the CISSP automatically meant more money for him; not so, and here's why. He hasn't any Cisco certifications other than CCNA. A smarter move would have been to be working towards his CCSP and CCIE Security. I always hear these things, and continue to preach this; get certifications that reflect your job and/or skill set first. An emerging and disturbing trend I've watched develop amongst newcomers is reading surveys like this, then attending a ton of boot camps, spending a ton of money, then getting pissed because they don't walk into a company making 90k per year. Put these people in front of a firewall, a router, or in severe cases a server, and they have no clue where to start. It is my opinion that a large portion of the BS that us business owners and IT professionals have to deal with are direct results of misguided/slighted surveys and lazy HR people.

    Keatron
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    jdmurray wrote:
    Looks like I'd be taking a sizable pay cut if I moved from software engineering to information security. I'd better find a career that folds InfoSec into SoftEng and not vice versa.

    And for all the people who keep asking "What's the best paying security certs?", your answer is in this survey.

    Every one I know in Infosec who came from a Software Engineering or Developing background demands top dollar. This is one portion of my projects and contracts I still sub-contract to others often.
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    keatron wrote:
    I have a few issues with this survey as I do many I've seen published by SANS.
    Keep in mind that SANS has its own set of security certs that compete with other security certs in this survey. While I will not even begin to imply that SANS may have purposely influenced the results of this survey for its own benefit, it is common sense to regard any such survey by a security cert organization to not be completely free of bias.
    keatron wrote:
    I always hear these things, and continue to preach this; get certifications that reflect your job and/or skill set first.
    Hear, hear. I've given exactly this advice a few times myself with regards to people asking about wireless certs. Acquiring certs outside of your skill set is not a bad thing. In fact, it's a very good way to learn new skills, but don't do it first.
    keatron wrote:
    then attending a ton of boot camps, spending a ton of money, then getting pissed because they don't walk into a company making 90k per year. [...] It is my opinion that a large portion of the BS that us business owners and IT professionals have to deal with are direct results of misguided/slighted surveys and lazy HR people.
    I've noticed the same thing for some of the software people we've interviewed. They, however, seemed to be more influenced by the bootcamp marketing literature that enticed them to take the bootcamp in the first place. But I must say, regardless of their influence, it is the headhunter that has the final say in setting their asking price.
  • darkuserdarkuser Member Posts: 620 ■■■□□□□□□□
    It's a rather small sampling "more than 4250 people responded".
    So I guess it's accurate as to the "SANS friendly" people who responded.
    Myself one of them. I've taken one SANS course "firewall and perimeter security" taught by Chris Bretton.
    The one thing I realized is that I don't have the time to learn everything and become an expert in everything so I should focus myself.
    I didn't take the GIAC (you have to write a pretty intense paper).
    But I am continuing on the Cisco track. R&S and security.
    I'm an engineer at heart. From the days of taking apart all of my electronic toys.
    rm -rf /
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    darkuser wrote:
    I didn't take the GIAC (you have to write a pretty intense paper).
    I've used quite a few of the SANS GIAC practical assignments as research material for papers I've written for college classes. Most of the practicals aren't even graduate-level quality. Some are outstanding, not only in their writing but also in their contribution to the common body of knowledge. Most, however, are first or second-year undergraduate level in their composition.

    In short, if someone is willing to pay for your GIAC, don't be afraid to get it just because you have to write a short paper on a common InfoSec topic. Look through the SANS library of accepted practical assignments to get an idea of what you'd have to write.

    SANS' Information Security Reading Room
    http://www.sans.org/rr/

    GIAC Honors Papers
    http://www.sans.org/rr/whitepapers/honors/