Salary Recommendations

bubble2005 · December 2015

Hi there,

I need some advice to give my colleague for a new security position, Information Security Professional, at another company.

Basically he has a Masters in MIS (focus in InfoSec Mgmt), 5 years of IT experience, CISSP, and CISM. I told him that he should be aiming for no lower than 95k ANYWHERE within the US.

What do you guy's think? Should he aim higher or what?

I mean generally speaking, given those specifics, what salary suggestion / range would be fitting and realistic for that experience? Yes, he has also been working in information security for all of his years.

Appreciate your response.

OctalDump · December 2015

Only 5 years in IT and has CISSP and CISM? Should ask for more, clearly some kind of rainman thing going on.

Danielm7 · December 2015

It really depends, does he have 4 years of helpdesk and one as a jr sysadmin while he went to school?

OctalDump · December 2015

Danielm7 wrote: »

It really depends, does he have 4 years of helpdesk and one as a jr sysadmin while he went to school?

CISM requires 5 years IT experience in their domains, with 3 years in IT Security Management role. CISSP requires 5 years (4 years if you get credit for MS or Security certification) experience in specified domains. These are forms sent off to the respective certifying bodies with details and references etc for them to confirm this experience. This is why these certs are worth it.

So, with 5 years experience, it means this candidate has made it into a management role within 2 years, and has been in Info Sec for the whole of their IT career.

Some might say that this means the candidate doesn't have enough experience, I say that if they have progressed this rapidly, then they are probably very good at their job.

dustervoice · December 2015

Security management for Isaca doesn't really mean a security manager. It can be management of a security process.

bubble2005 · December 2015

Danielm7 wrote: »

It really depends, does he have 4 years of helpdesk and one as a jr sysadmin while he went to school?

As stated in my request, "Yes, he has also been working in information security for all of his years." He was simply focused right out of school, that's all, nothing really special about it. He doesn't have kids.

Clm · December 2015

95 is a fair price but it's a hard decision. It all depends things to consider

Company applied to
Position applied for how much work and what type of work it is .
Can he live off a lessor wage for instance 80k
Is there room for him to grow into a higher position

bubble2005 · December 2015

Clm wrote: »

95 is a fair price but it's a hard decision. It all depends things to consider

Company applied to
Position applied for how much work and what type of work it is .
Can he live off a lessor wage for instance 80k
Is there room for him to grow into a higher position

Yes granted, but remember not to get caught up in the specifics (even though they are important factors). Take it from the angle as a CISSP exam taker. If that question was presented, what would simply be your answer in a range or number figure? Don't try to analyze other factors just yet.

Observe the question from a high level.

OctalDump · December 2015

bubble2005 wrote: »

Yes granted, but remember not to get caught up in the specifics (even though they are important factors). Take it from the angle as a CISSP exam taker. If that question was presented, what would simply be your answer in a range or number figure? Don't try to analyze other factors just yet. Observe the question from a high level.

It's not a good question, then. Because of the anchor effect. You've given a number, so estimations will tend to be close to this number.

Based on the limited data I have just glanced at, the floor might be closer to $80k for CISSP/CISM. But that might include a jobs where CISSP/CISM isn't a realistic expectation, just wishful thinking on the part of the person hiring.

bubble2005 · December 2015

OctalDump wrote: »

It's not a good question, then. Because of the anchor effect. You've given a number, so estimations will tend to be close to this number.

Based on the limited data I have just glanced at, the floor might be closer to $80k for CISSP/CISM. But that might include a jobs where CISSP/CISM isn't a realistic expectation, just wishful thinking on the part of the person hiring.

That is true, some other determinants that can be good for clarification are missing, but hey whether the recommended figure starts lower or higher, it is still good feedback from you all.

636-555-3226 · December 2015

More details are key. Big cities mean more money, vice versa. Big companies mean more money, vice versa. Specific tasks required by the role? An experienced Splunk admin will make a lot more than an analyst looking at TrendMicro AV logs all day. Big company in a big city for a security analyst with 5-10 years of experience i'd go with 100-120. As a hiring manager, I'd scoff at someone with only 5 years of IT experience (and exactly how many years of security experience), and I'd be really hesitant to put any weight whatsoever into CISSP and CISM certs but only 5 years of general IT experience. To be honest I may actually disqualify someone with CISM and CISSP but was only in IT for 5 years, just too much shadiness for me.

Give me more details and I'll give you a good ballpark number

bubble2005 wrote: »

Hi there,

I need some advice to give my colleague for a new security position, Information Security Professional, at another company.

Basically he has a Masters in MIS (focus in InfoSec Mgmt), 5 years of IT experience, CISSP, and CISM. I told him that he should be aiming for no lower than 95k ANYWHERE within the US.

What do you guy's think? Should he aim higher or what?

I mean generally speaking, given those specifics, what salary suggestion / range would be fitting and realistic for that experience? Yes, he has also been working in information security for all of his years.

Appreciate your response.

bubble2005 · December 2015

636-555-3226 wrote: »

More details are key. Big cities mean more money, vice versa. Big companies mean more money, vice versa. Specific tasks required by the role? An experienced Splunk admin will make a lot more than an analyst looking at TrendMicro AV logs all day. Big company in a big city for a security analyst with 5-10 years of experience i'd go with 100-120. As a hiring manager, I'd scoff at someone with only 5 years of IT experience (and exactly how many years of security experience), and I'd be really hesitant to put any weight whatsoever into CISSP and CISM certs but only 5 years of general IT experience. To be honest I may actually disqualify someone with CISM and CISSP but was only in IT for 5 years, just too much shadiness for me.

Give me more details and I'll give you a good ballpark number

For the last time, I will repeat, "Yes, he has also been working in information security for all of his years."

Are you reading all of the information in context or are selectively pulling information. Yes, he graduated into a security analyst position, in two years became a manager. What is it that seems to be so shady? I think you are deliberately beginning to interpret this thread for what it is not. I specifically outlined the "general" experience and in that "general" experience ALL of it was security related. So when you are saying "general" IT experience, I have to ask which part did I mention "general IT experience"? However, I did mention "generally speaking". Obviously it seems like, you are getting a bit caught up into his background rather than what is presented. He has already proved himself and yes he is also in his upper twenties as well. No need to discriminate or be skeptical about his successful path. Does having your master's within five years appear shady? This is strange to me how you all are kind of thinking?

I figured this would have been along the lines of impressive rather than skeptical. Clearly if he is in the hiring process and about to reach the salary negotiation stage, some form of evidence must have been provided in education and experience. So I have to ask what is your focus? Are you focusing on proving him wrong or are you focusing on answering the question and assisting in a positive light?

But thanks again for your input, it is still appreciated.

The position is that of an Information Security Professional of Managerial nature. I am not aware of the specific duties. I have not sat down and delve into HIS job description. I am simply giving him a suggestion. Geeeezzzzzzzzz

636-555-3226 · December 2015

Everything is in USD and related to US salaries for someone with 5 years of experience. I can't speak to the European market.

FWIW, 5 years of infosec experience is pretty limited and I'd expect an infosec manager with only 5 years of experience to be working at a small- to mid-size company. They'll be fairly well challenged at a big company and would not get my hiring vote unless they were solid rockstars with a lot of stellar recommendations under their belt.

An infosec manager at a small company in a small city I'd say 60k-80k.
An infosec manager at a medium company in a medium city I'd say 80k
An infosec manager at a large company in a large city I'd say 120k+

Sorry if it's generic, but those are the numbers. Hope they help.

gespenstern · December 2015

Totally okay for non-senior positions.

Cyberscum · December 2015

bubble2005 wrote: »

For the last time, I will repeat, "Yes, he has also been working in information security for all of his years."

Are you reading all of the information in context or are selectively pulling information. Yes, he graduated into a security analyst position, in two years became a manager. What is it that seems to be so shady? I think you are deliberately beginning to interpret this thread for what it is not. I specifically outlined the "general" experience and in that "general" experience ALL of it was security related. So when you are saying "general" IT experience, I have to ask which part did I mention "general IT experience"? However, I did mention "generally speaking". Obviously it seems like, you are getting a bit caught up into his background rather than what is presented. He has already proved himself and yes he is also in his upper twenties as well. No need to discriminate or be skeptical about his successful path. Does having your master's within five years appear shady? This is strange to me how you all are kind of thinking? I figured this would have been along the lines of impressive rather than skeptical. Clearly if he is in the hiring process and about to reach the salary negotiation stage, some form of evidence must have been provided in education and experience. So I have to ask what is your focus? Are you focusing on proving him wrong or are you focusing on answering the question and assisting in a positive light?

But thanks again for your input, it is still appreciated.

The position is that of an Information Security Professional of Managerial nature. I am not aware of the specific duties. I have not sat down and delve into HIS job description. I am simply giving him a suggestion. Geeeezzzzzzzzz

So he has been in security for all of his years???

Hahah I have as well and I would not take less than 90k on the civilian side in low cost of living areas and no less than 130k in high.

Danielm7 · December 2015

Since we only have number of years in "security" which could mean a lot of different things. Why not just take the title of what that person should be and plug it into a number of salary sites for a few cities around the US? I'll probably give you a lot more accurate assessment of whether someone is worth whatever you want to pay vs just quoting years.

And yes, I'm aware titles aren't the best way to determine it either. But, he could be 5 years in security, with almost all of them as a T1 SOC member where he's just forwarding alerts to someone else. Someone else could have 8 years in systems/network engineering, then 5 years in security, then I'd expect them to be more of a Sr engineer+ sort of level.

Clm · December 2015

I am taking it from a CISSP view qualitive analysis. Also you cant judge or make a decision on a specific number with out using specific metrics.
Like if I was that candidate and I was in Bozeman, Montana with a population of 38,000 people 90K would be awesome but if I lived in Washington DC I would want more than that.
I couldn't expect a small bank to pay me as much as Facebook or Google.
If I was policy guy now they want me to do DLP or firewalls they might pay me lower cause they have to train me
if I have 5 kids and a wife 90k might not cut it but if its me and my dog 90 k could be more than enough

or I could be just over thinking it lol I haven't had my coffee so I hope he gets what he deserves.

bubble2005 · December 2015

Clm wrote: »

I am taking it from a CISSP view qualitive analysis. Also you cant judge or make a decision on a specific number with out using specific metrics.
Like if I was that candidate and I was in Bozeman, Montana with a population of 38,000 people 90K would be awesome but if I lived in Washington DC I would want more than that.
I couldn't expect a small bank to pay me as much as Facebook or Google.
If I was policy guy now they want me to do DLP or firewalls they might pay me lower cause they have to train me
if I have 5 kids and a wife 90k might not cut it but if its me and my dog 90 k could be more than enough

or I could be just over thinking it lol I haven't had my coffee so I hope he gets what he deserves.

Haha, good outlook.

Hey thanks everyone for feedback btw.

RonChalant · December 2015

Can't speak on the European market but here is my 2 cents in general.
Take into consideration that I have only lived in medium to large cities...Washington DC area and Charlotte, NC to be exact.

CISSP regardless of actual work experience (5 years is assumed due to cert limitations) would AUTOMATICALLY equate to $120k USD minimum in Washington, DC...point blank period. I now live in Charlotte, NC with no degree (finishing up my BS), and only a Sec+ certification and work at a medium sized company (6000+/- employees) and I make $80k by choice. Recently turned down a job offering $120k because it would have placed me back into a SOC environment which I HATE and again this is with no CISSP, no degree, and honestly 1 year of DIRECT security experience, otherwise I have about 4 years of gen. IT experience BUT I know how to "play the game" for a lack of better words.

$120k to me in a large city is a minimum ask if you have a CISSP and are anything other than a low level analyst. When it comes to salary it is more a game of high/low than anything else. I have always lived in a "high dollar" market though and cannot speak on areas outside of this. One thing I have learned is that you should gen. ask for what you want and stick to your guns...you are worth as much as you advertise yourself for...within reason.

bubble2005 · December 2015

RonChalant wrote: »

Can't speak on the European market but here is my 2 cents in general.
Take into consideration that I have only lived in medium to large cities...Washington DC area and Charlotte, NC to be exact.

CISSP regardless of actual work experience (5 years is assumed due to cert limitations) would AUTOMATICALLY equate to $120k USD minimum in Washington, DC...point blank period. I now live in Charlotte, NC with no degree (finishing up my BS), and only a Sec+ certification and work at a medium sized company (6000+/- employees) and I make $80k by choice. Recently turned down a job offering $120k because it would have placed me back into a SOC environment which I HATE and again this is with no CISSP, no degree, and honestly 1 year of DIRECT security experience, otherwise I have about 4 years of gen. IT experience BUT I know how to "play the game" for a lack of better words.

$120k to me in a large city is a minimum ask if you have a CISSP and are anything other than a low level analyst. When it comes to salary it is more a game of high/low than anything else. I have always lived in a "high dollar" market though and cannot speak on areas outside of this. One thing I have learned is that you should gen. ask for what you want and stick to your guns...you are worth as much as you advertise yourself for...within reason.

Very constructive response, I'm taking notes.

Salary Recommendations

Comments