
Maybe computer science may not be considered a "hard science"? But that level of salary for CS PhDs is not uncommon in tech firms.


Or even just CS bachelors.


$250k without a degree? In what area of CS? Finance?

What about for people outside of SF/NY/Finance?


I know engineers without a degree who pull $250k a year.

Here's an example: you can become a principal consultant at the best and most well-known infosec firms in the world without a degree. By and large, they don't care. Even the ones that say CS degree on the job post - email a decisionmaker, tweet them, whatever - it's not true (some care, most don't).

The salary band for a principal consultant would be around $200-$250k, sometimes before bonuses and incentives to develop tools or do research. Fully realizable goal.

Now, that's my experience in that industry. But someone will also come along and tell you about software engineers who work at AmaGooBookSoft with no degree too. And if you're a top performer there - $250k is a fully realizable goal.


I mean, you're in NYC. Are you referring to someone outside that area?

I'm deeply interested in how someone outside of a hotspot like SF/NYC could achieve a $250k salary. I was under the impression that $120k was pretty good for someone joining an infosec firm.

How would you go from an entry-level infosec position (an entry-level security consultant) to $250k/yr without switching companies? Also, what would be a reasonable salary for an experienced dev with no prior infosec experience who is joining an infosec firm? (Essentially someone who is switching fields to infosec, but who is still a very good programmer, and who rapidly picked up on the fundamentals of infosec and applies them in a valuable way.)


I agree with you. Outside of NY/SF, I highly doubt anyone is starting any software engineer/big data individual more than ~100kish. I've had friends work up to that level but certainly not starting as Software Engineer I or II.

(That reminds me, I should check into working in NY or SF.)


You don't need to move. There are plenty of companies hiring remote positions based in NY or SF that will pay you a local salary despite being remote.


Could you please give some examples?


Or at least working for people in highly-paying locations. Often you don't need to be there yourself.


Sorry about just getting back to this, I didn't think there'd be such an interest. I'll go in order.

1. >> I mean, you're in NYC. Are you referring to someone outside that area?

Yes I'm in NY (Westchester, actually). I'm thinking of people in NYC and San Francisco, so no, I suppose it doesn't answer your criteria of being outside those two areas. That said, I also know someone who makes this much and works remotely for a company in San Francisco, so he gets the best of both worlds.

2. >> How would you go from an entry-level infosec position to $250k/yr?

For someone who decided to make a career of infosec and make that sort of salary (or the associated industry prestige/research you generally end up with at that level), it would take 6-10 years of exceptional work, original research and tool development. If you don't want to do all three, pick two, but you better make those two amazing.

Let me break down rough salary bands for you (keep in mind these will change based on a specific firm):

a. Associate - This is a bottom-rung appsec engineer. If you join Matasano or a similar firm with promising intuitions about security and a background in development, you'll end up here. Great! $70-90k salary (there are outliers above this, and you'll see salaries for 50k - 60k, but if you know what you're doing with job searches and it's a good firm, that's the range). You usually stay here for a few years, training under the wing of mentors, until you are competent in at least 3 different disciplines of information security (crypto, mobile, web app, network, incident response, reversing, malware analysis etc. etc. etc. and there are overlaps). You'll also stay here until you are ready to supervise someone else running a penetration test and can handle clients on your own.

70k - 90k

b. Consultant - You should be competent in 3 to 5 different disciplines of information security (or ridiculously stellar and potentially famous-in-the-future in 1-2). At this point, you probably haven't presented at a conference yet (and many go their entire careers without doing this), or done original technical research, but you're probably developing security tools or thinking about it. Any good firm is going to give a performance bonus for this. It's most likely taken you 1 - 2 years to reach this level, depending on innate talent, motivation and practice.

90k - 130k

c. Senior - Similar growth progression; now you have 5-7 disciplines under your belt, expert in 1-2. You're either doing original technical research or considering it, and you develop new tools as part of your research. You might present your research at conferences, you might not (most people who do meaningful research tend to submit). You now lead teams and projects for large engagements with "important clients" in the consultancy. Probably took you another 1 - 2 years to reach this, maybe 3.

130k - 180k

d. Principal - You're probably known in circles that know your consultancy, because you're one of the most important consultants at your firm now. You might even be industry-famous, if you have done particularly good research or released a tool that made pen testing easier for everyone. You're expert in 3-4 areas and it's no longer worthwhile counting how many disciplines you could technically operate in because the overlap is superfluous. It's likely taken you 1 - 2 years to reach this from Senior, if you are motivated and keep working.

180k - 250k

A few notes:

1. None of the definitions here are "hard" - don't take how many disciplines and similar such criteria as hard rules; it's just a rule of thumb.

2. These salaries are before bonuses such as for extra travel in a quarter, extra work in a quarter, tool development, research or conference presentation (you get a bonus for all of those).

3. You'll notice salary ranges increase as you go up, because the higher you go the more nuanced the skill levels become.

4. There is a level or two above principal, generally "partner", "distinguished consultant/engineer" or something similar. You're basically at the top of your career as a consultant here and can found and manage consultancy firms. The salary here is $250k+.

5. You can skip, and the years are basic averages at best.


Thanks so much for the stellar comment. It's truly great, and I really appreciate it.

Are you absolutely sure about those salary bands? In particular, less than $100k minimum for a developer with ~ten years of experience seems extremely low. They could go get that much in a starting position at a trading firm, so why go infosec? If you can do anything, why do that?

Those salaries seem reasonable for ~2006, but not 2015. They say to reinvent yourself every ten years or so, but starting out at those salaries would be prohibitive.


The salary bands are the sort of thing you'd see listed on a page devoid of context. They're minimums and flexible.

If you have 10 years of dev experience and you're a strong enough case to get a yes from an infosec firm, they're going to work with you on salary to get to your level. As 'tptacek has explained quite a bit on here, a good firm is receptive to negotiation and starts at their floor, not yours :)

But your title will still be Associate because you need to learn the ropes. They could also fast-track you so you're a consultant within a year if you're ready.

This is a one-size-fits-all chart, for mid-career switchers and new grads alike.

If you have any more questions, feel free to email me. I didn't anticipate this comment would be so popular!


First: that was a really impressive comment. I ran hiring at Matasano for several years until I left. I would definitely quibble with the numbers (both on the low and the high side) but they may themselves be dead-on for other firms.

We hired basically two kinds of "software developer" (i.e. people who could code but didn't have experience with software security):

* Developers with minimal professional experience in software --- a year or two out of college, say, or someone who had graduated from devops to software.

* Senior developers with impactful specializations and/or a well-cultivated side interest in software security. Impactful specializations would have included kernel-level systems programming, compiler theory, maths, maybe some kinds of networking or finance. Really: it's kernel stuff that got our attention most of all.

The former kind of developer fits into the ladder the way you're writing here.

The latter kind is for all intents and purposes in the door as a senior consultant.

We weren't in the business of asking people to take pay cuts.


Hey Thomas!

Yeah, everything you're saying here is obviously true.

I tried to make the salary bands encompass most of the consultancies that operate in NY and SF (Matasano, iSec, Accuvant, Cigital, Neohapsis, Include, and lots more). As such, it doesn't square exactly with what Matasano offers.

I also want to underscore what you said about pay cuts - good firms and good managers are going to be receptive to your needs. Once you get to 'Yes', they want you, and the value you will deliver as a consultant at one of these shops will eclipse your fully loaded cost.

Finally, I want to share another piece of advice for anyone looking to go into infosec - like anything else, there are good firms and not-so-good firms. I won't speak ill of any specific company, but firms like Accuvant, Matasano and iSec should usually be your first attempt to break in. They are receptive to developers with no security experience.

Pick up The Web Application Hacker's Handbook (showing its age a little now, but still the only book you need to start in web app security) and read through it.

Other firms sometimes have you do ridiculous amounts of travel (75%+) without informing you of this upfront, or they are firms without good hiring standards (or firing standards) and operate mostly as point and click vulnerability scanners where you won't learn much and you'll be underpaid.

It really, really helps to reach out to people directly and ask them how they like where they work and try to get a referral to interview through them.


Pro-tip: If you call Matasano interested in a job, they'll send you the WAHH book and a couple others. You shouldn't even need to ask; at the end of the call, they should just ask you for your shipping address.


^^ Exhibit A: One of the firms you'd want to try your hand at working for first :)

They might also send / you'd want to read:

- Gray Hat Python (debugging and fuzzing with Python)

- The Tangled Web (web browser security and insecurity)

- The Art of Software Security Assessment - the bible, which you really want to read as it's a foundational text. Very dense, but you'll come out of it knowing how to attack memory very well.


That's actually kind of awesome.


I interviewed at Matasano a few years back. I figured doing pen testing might be a good way to climb the value chain beyond my maxed-out career in webdev.

We didn't get to salary negotiations but if I had seen the starting salaries posted above I would have coughed up my spleen. My assumption was that a junior security researcher is a senior developer and therefore the salary would have been at least (senior dev salary + σ).


Again: I'm only vouching for the ladder, not the numbers. We (a) didn't lose a lot of people to salary negotiation (I think, in the last 2 years I was there, we lost 2) and (b) as a rule didn't want people to take pay cuts.

Matasano didn't have an "associate" rung on its ladder. We talked for 10 years about having a "junior consultant" role, but never did. So you can discard those numbers entirely.

I could obviously be much more specific about how the numbers in the rest of the ladder don't square with that comment, but I'm not going to.


That's consulting though, which typically pays quite well whatever you specialize in.

You could get a PhD in a hard science, work for McKinsey and if you make it to partner be pulling in $1M+. Even if you don't make it to partner it's not hard to make >$250K after 2-3 years.


Technical consulting is nothing like McKinsey consulting. McKinsey is an up-or-out market environment where associates "sell" their services to partners and partners make bank by themselves owning a book of business. It's far more entrepreneurial than software consulting.

If you want to do technical work that has the compensation dynamics of McKinsey, you need to (a) hyper-specialize in something valuable and (b) own your own practice.


> I know engineers without a degree who pull $250k a year.

Call them specialists, experts, consultants, contractors, or whatever you want, but not engineers without an actual engineering degree.


An engineer is defined as a practitioner of engineering, not a person with an engineering degree.


> An engineer is defined as a practitioner of engineering, not a person with an engineering degree.

It goes further than that actually. The term 'engineer' is often legally protected, and often a degree is a prerequisite, but it isn't the only one. This becomes important when e.g. you're building bridges.

http://en.wikipedia.org/wiki/Regulation_and_licensure_in_eng...

for example http://en.wikipedia.org/wiki/Chartered_Engineer_(UK)


Engineering is a profession for which you need appropriate credentials, just like in any other profession (e.g. scientist). Without credentials, you are not an engineer.

Unless you are talking about 'engineer' in the same way some people talk about 'architect' as in software architect.



