We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?
— Martin McKeay (@mckeay) September 5, 2014
I wanted to respond but it will take more words than Twitter allows, so here is my answer. Let's see how badly @hackerHuntress thinks I screwed this up. There are two main reasons. Reason one: the company doesn't care about security; the role exists to tick a compliance check box and to have someone to fire when they get breached. Reason two: some senior person in the company is out of touch and refuses to believe a security person makes more than a Windows Admin, and/or the company's salary ranges are fixed and the culture is so messed up they can't change them easily.
My overall advice is to avoid companies that post InfoSec jobs with very low salary ranges. My more complicated advice is as follows:
If you really, really want a job you see posted but the salary is crazy low (say you can walk to the office or something), apply anyway and see if you can talk to someone and help them understand the market, what you currently make, what the job is worth, etc. If the company is stuck with reason two above, the recruiter and hiring manager may know this and are collecting evidence to sell it to HR or the CIO or whoever to get the salary range adjusted. If that is the case and it works out for them and you helped them make their case, you will likely get a call in for an interview once they get the salary range adjusted. But if that turns out not to be the case, don't take the job! I don't care how close to your house the company is. If it turns out to be reason one, you will hate the job and get nothing done. Then at some point something bad will happen because they refused to let you do your job or take your advice, and you will be fired and replaced by someone else willing to work for a low salary. Not a good career move. Either way, if you try this route don't get your hopes up; this will rarely work out because of timing. It may take them 6 months or even a year before they get their act together and call you because they got the salary range increased.
There is one group of people who can take advantage of the reason one companies, and let's face it, someone should: people who are looking to get into the InfoSec field and are making less money than the job is offering anyway. This is not the ideal way to break into InfoSec, far from it. My typical advice is to get a job in IT if you haven't already and become the security focused person on your team. Become buddies with the security team, and then when a junior role opens up you will get it. But if that isn't working out for you and you are, say, stuck on the help desk team, taking a security manager role that pays half what it should for a year or so is an option. Spend that year teaching yourself about security, since they don't care what you do anyway, and then get a real security engineer job someplace else by highlighting what you taught yourself and making your title on your resume manager/engineer or something like that. But be warned: if you stick around too long they will fire you when a breach happens. Any company that will hire a help desk person on the cheap to be their security manager has one goal with the role: to fire the person when something bad happens. So get out before that happens, and know you are risking that happening before you are ready.