Information Security - Entry level pay?

MSP-IT Member Posts: 752
I'm currently working in IT for a company that deals with physical security (emphasis on the ISC2 domain) and am planning on staying roughly two years. It will be my only IT experience, but it deals with some fairly high-level IT understanding, especially for a first IT job. By then, I hope to have my B.S. in IT Security from WGU, as well as the trifecta, MCITP, CCNA, CCNA:Sec, GSEC, SSCP, and CEH.

I'm assuming that with two years in IT, a degree in infosec as well as the certifications listed prior, I should have enough groundwork to land an entry-level pentest or security analyst job. Although I do not deal with infosec in my current position, I am actively pursuing it on my own, apart from my employment opportunities. I hope to have enough understanding and know-how to bring enough to the table to land a job.

tl;dr
What can someone with a decent amount of experience expect to earn in an entry-level pentest or infosec analyst position?

Comments

  • sigsoldier Member Posts: 136
    There are so many variables when it comes to salary, but I've seen ~$60,000 for entry-level infosec analyst positions.
  • dbrink Member Posts: 180
    What kind of experience are you getting in your current position?
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • MSP-IT Member Posts: 752
    dbrink wrote: »
    What kind of experience are you getting in your current position?

    I'm currently working as a support engineer. I travel nationally to client locations and work with their IT departments to help configure their networks to work with our server software.
  • YuckTheFankees Member Posts: 1,281
    Entry level security jobs in Colorado are roughly 40-60k, which includes security analyst, security consultant (pentester/PCI/auditor), etc.

    And with the certifications you mention, I would shoot for a network security analyst position or security analyst.


    *Remember "entry level" security jobs are not your typical entry level gig.
  • JoJoCal19 Mod Posts: 2,835
    I would recommend keeping a log of any security related tasks, functions, etc. that you do over the next two years so you can create an InfoSec geared resume and list those items. It's important to do that because if your day to day duties aren't security related then in two years when you go to create your resume and aim for an InfoSec job it will be hard to remember everything you did that pertained to security.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • YFZblu Member Posts: 1,462
    55k where I work in Phoenix. My understanding is other SOCs in AZ pay slightly more than mine starting out, but 50-60 sounds about right
  • dmoore44 Member Posts: 646
    Because so much of INFOSEC is based around having a good amount of prior knowledge/experience, entry level security usually corresponds to an experienced server admin or network engineer type position. So, depending on market, 40-60k or so...
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • Sponx Member Posts: 161
    Entry level into IS (Information Security) is about 50-60k depending on company, salary, benefits, etc...
    Personal Website | LinkedIn Account | Spiceworks Account | Field Services Engineer

    Certifications (Held): A+, CWP, Dell Certified
    Certifications (Studying): Network+, Security+
    Certifications (In Planning): Server+, ICND1 (CCENT), ICND2 (CCNA)
  • thegoodbye Member Posts: 94
    I started as a SOC analyst in a relatively low cost of living city. I had an associate's degree in Security/Forensics with a 4.0 GPA and various other non-IT-related experience, but no certifications. The salary was 35k starting.
  • Master Of Puppets Member Posts: 1,210
    I agree with all the guys, it's around 50. Same number here in Europe. Since there is no point in starting a new thread for this, I'm going to ask the opposite question - what's the deal with the senior ones, with all the experience and stuff? Although I'm at the first steps, I can't help but think about the future :D
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • sigsoldier Member Posts: 136
    Since there is no point in starting a new thread for this, I'm going to ask the opposite question - what's the deal with the senior ones, with all the experience and stuff? Although I'm at the first steps, I can't help but think about the future :D

    The sky's the limit! ;)
  • paul78 Member Posts: 3,016
    Since there is no point in starting a new thread for this, I'm going to ask the opposite question - what's the deal with the senior ones, with all the experience and stuff?
    As sigsoldier mentioned, sky is the limit. But in more practical terms, if you are referring to a senior level Infosec manager, in the US, a CISO or head of information security for a decent-sized business (USD$100MM to USD$500MM in revs) could expect to have a base salary of anywhere from $150k to $250k and with bonus, options, stock, the total annual compensation could be in the range of USD$250k to USD$500k. I assume that will vary with industry and size of corporation. I recall seeing base salary for CSO's and CRO's for enterprise roles for businesses greater than USD$2-5B in revenues in the USD$300k to USD$500k.

    If anyone has references, I would be interested in seeing them as well.
  • mrvl13 Member Posts: 46
    That is about right, 50-60, though here is Maryland. I was offered my first Info Analyst position at 81k. It does depend on the company, but I will say that you should never sell yourself short. Ask for 70k.
  • tpatt100 Member Posts: 2,991
    I got my first security position after 6 years or so in IT? I don't really see a lot of "entry" level Security Analyst positions, usually you get into security due to your current role in a company and sort of just falling into the security role. Maybe companies are willing to grow security engineers but I kind of figured companies would just hire security engineers and help implement security changes and the IT department starts thinking from a security mindset.

    I would say that the biggest thing that helped me lately has been my past experiences with different technology and work environments. Just this past year I would say that being able to give real world examples from past jobs as to the importance of implementing or changing a current practice is what gives me credibility in the eyes of management.

    I agree with dmoore44 that sysadmin experience is a must. I spend so much of my time acting as a consultant pretty much talking to different departments, research and writing up risk assessments. Then I spend time figuring out legal issues and state laws before I talk to the legal department, then I have to tell management why something they want to change/implement is a good idea or not a good idea to help reduce the chance of being sued.

    THEN I have to dig into different tech manuals and meet with sysadmins to see if a technical change can be implemented in order to find a technical security control that addresses a recommended security control based on a standard and be able to explain why.

    So really a wide and varied experience level is a must. Which is why I pretty much only see senior or just security positions with a grocery list of wishes a company thinks they can find.

    There are strictly technical security positions but I see a lot of "jack of all trades" job openings.
  • paul78 Member Posts: 3,016
    tpatt100 wrote: »
    There are strictly technical security positions but I see a lot of "jack of all trades" job openings.
    Great points.

    @OP - I would also add that there are different types of pentesters. Good application pentesters have software development backgrounds, so may have higher starting salaries.
  • tpatt100 Member Posts: 2,991
    paul78 wrote: »
    Great points.

    @OP - I would also add that there are different types of pentesters. Good application pentesters have software development backgrounds, so may have higher starting salaries.

    Yeah a buddy of mine is moving into that field. He was a developer for over a decade. I really don't see how somebody can secure what they can barely do themselves. We had a lot of "by the book auditors" at my old job who couldn't explain half of what they were auditing.
  • f0rgiv3n Member Posts: 598
    tpatt100 wrote: »
    I really don't see how somebody can secure what they can barely do themselves. W

    I agree and IMHO this goes for anything InfoSec related, not just pentesting.
  • dmoore44 Member Posts: 646
    tpatt100 wrote: »
    We had a lot of "by the book auditors" at my old job who couldn't explain half of what they were auditing.

    And that's a huge weakness - could even be termed a risk. I have a love/hate relationship with the current trend towards automation. It's great because it helps make my job easier. It's awful because it makes the job so easy that anyone can kick off an audit and provide canned results. The real differentiator is that a skilled individual can provide analysis of the results while the button masher is going to walk away immediately after the results are submitted.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • MSP-IT Member Posts: 752
    paul78 wrote: »
    Great points.

    @OP - I would also add that there are different types of pentesters. Good application pentesters have software development backgrounds, so may have higher starting salaries.

    What would you say would be the most valuable programming skills for a pentester to have? I'm currently hopping between MIT's OpenCourseWare programs and Digilent's YouTube videos to learn Python. After that I want to pursue Java and C/C#/C++.
  • paul78 Member Posts: 3,016
    From an app pentest perspective, I would imagine that the bigger demand is with web app pentesting. I would say understanding the basics of input validation, and how browsers handle JavaScript, like AJAX and JSON, would be important. Also understanding the SQL variants would help too.

    For client or server apps, understanding why a buffer overflow works is invaluable.

    For mobile apps - I don't know enough to comment.

    I don't necessarily believe that to succeed in infosec, you need deep expertise but having a varied experience can be most helpful.
  • YuckTheFankees Member Posts: 1,281
    @paul78,

    Are you an app pentester?
  • paul78 Member Posts: 3,016
    No. I'm not. I'm in management. But I'm responsible for app pen testing among other things.

    My job description could be summarized as "other duties as required by the organization" :)