Ms. Hylas -

Well written and to the point.  I only take issue with your last
statement:

     "Let's all realize that the dot.com craziness is over and come back
      to reality."

We are not talking about OS engineering or Network Administration here.
There is no such thing as an "inflated" Security Engineering salary.
Why?  Because Security Engineers, and ultimately Professional Security
Consultants, are the cream of the IT crop, or rather, are SUPPOSED to
be!  This is not elitism or gross exaggeration of my own personal value,
it is simply fact.  Security folks should be the BEST at and/or have
in-depth knowledge of all of the following: programming, network
engineering, administration, and finally, policy and documentation
development.

Thus, the industry as a whole must come to grips with the fact that
people with such expansive experience and knowledge are worth MUCH MORE
than any normal or day-to-day IT personnel.  Pipe dream?... Heck, I'm
happy at this point when they simply realize they need a security pro in
the first place.  Now that they begin to see that need, we need to show
them how much that need is going to cost, and it shouldn't be cheap!

Also, folks who are just now breaking into security must realize that
they should not be doing so prematurely.  Going from High School to
Ameritrain to MCSE testing to "Security Engineering" by title is
outrageous.  It's simply not possible.  The pre-req's are MANY years of
experience in each and every category listed above with a focus on the
Engineering of networks and developing policy for said networks.  A
great "low-end" infosec position may be IDS or Firewall INSTALLATIONS.
Mid-level positions would be the monitoring of the same, and the
high-end would be the development of policies for said systems, response
to incidents, or the auditing of those systems.  None of these positions
should be given to someone who does not have experience in network admin
and engineering.  How can you define traffic on a network even in a
simple Checkpoint installation without knowing the effects and
ramifications of the configuration you choose?!  Sure you can be taught
to install the software, but in order to do so "securely," you have to
have that extra experience.  Thus, even that "low-end" security position
of "installer" should not be given to anyone who just got their
papers... And therefore, even THESE positions are worth MORE $ than your
average admin position.

Finally, recruiters must be aware that folks like myself, and anyone
else who HAS spent many years developing their security-centric resume,
are going to be worth the MAX of any salary range proposed, always.

I personally saw my only solution to the chaotic shuffle of
job-searching between contracts to be formation of my own entity.  By
incorporating, I realize that being a sub of a sub is not glamorous and
is often times a pain in the arse logistically, but ultimately it
teaches you the final step in developing your personal business, which
is: How to become the PRIME contractor, and therefore how to ALWAYS make
the top dollar in a said project.  Contractors who never glimpse the
politics or financial turmoil at the head of a project will never come
to grips with being the lowest paid member of the food chain.  When they
finally discover that the GSA schedule permits billing at $130/hr on a
particular RFP, yet they are being asked to work for $41, they begin to
complain about the difference.  My point?  Consultants out there, GET TO
THE TOP of the food chain, and this entire argument becomes moot.  If
you truly are a "Security Professional" and not just some kid with an
MCSE/A+ who has heard of firewalls, then this should be obvious to you.
If it is obvious, then let the recruiters know that THEY are wrong and
that you truly are worth the very best salary possible.

Oh well, enough rambling.. I hope there is a coherent thought somewhere
in my mess.  Bottom line, recruiters, if you see someone who is NOT
READY to go into security engineering, it is your responsibility to tell
them this, and show them a correct path.  My guess is that if you
explain it to someone, they may stick by you through the years until
they ARE ready to be a Security Pro... Then it's big bucks for both of
you!

-oliver g. petruzel
-president, k-oss security solutions, inc.
-be safe all...