Black Hat: Sixty percent of information security professionals believe they’re underpaid

The advice was based on the concept of creating a business plan of your career – with the information security professional as the CEO of their own career. “Just like starting a business, you need to begin with a plan. You need to know where you’re going and what your goals are”, said Kushner. Other essential starting points, he advised, included:

  • Know the business you want to be in
  • Understand the market opportunities
  • Understand the barriers and the competition
  • Have an exit strategy
  • Understand your talent and your skills, and acknowledge those that you don’t have that you need
  • Know your weaknesses and work out which are important and will impede you, and which won’t

Murray revealed that despite only 16.6% of information security professionals having a written career plan, it is financially beneficial to have one. “In our survey, 35.7% of security professionals with a written business plan earn over $120K annual salary, compared to just 24.4% of those without.”

It’s essential, argued the presenters, that you allow for any changes to your plan. “Use your plan as a focus, but acknowledge that plans do change”.

“Like any business structure, you need to consider all of the components – marketing, sales, finance, human resources, product development and R&D, and relate them to your own career”, said Kushner. “For example, where HR would exist within a business, you need to consider your ethics. Where sales and marketing would exist, you need to know how to brand and sell yourself, and create a network. Instead of R&D, consider what you need to invest in your training and education”.


Working out your priorities and ensuring that your ethics, values and career plan align is absolutely essential, the speakers advised. “Determine what trade-offs are worth making, and what sacrifices you are willing to make”.

Interestingly, survey results show that 47% of information security professionals would accept a lower salary if given access to more training and education. Only two percentage points more, 49%, said they’d be willing to take a lower salary to avoid redundancy.

Selling yourself, Murray continued, “is essential. If you can’t do that, your career will stall and eventually die. Use your CV as a sales tool, but avoid over-selling and under-delivering.”

To sell yourself most effectively, the presenters suggested “going beyond your job description. Market yourself, build your brand through visibility, talent and behaviour, and figure out who you need to know”.

Another day, another dollar

Achieving your monetary goals, according to Murray, is a matter of negotiation. “You don’t get what you deserve, but what you negotiate”, he said. While 60% of information security professionals believe they’re underpaid, only 3% believe they are overpaid.

“Keeping your skills up-to-date and current will help keep your salary competitive”, he continued. “In the early stages of your career, however, never take a job for the money. Take it for the experience”, he advised.

The presenters concluded their presentation with three main tips for managing your security career:

  1. Any investment in your career is money well-spent
  2. You will always get exactly what you pay for. There are no short cuts
  3. If you don’t invest in yourself, don’t expect anyone else to

Finally, Murray and Kushner concluded by offering one last piece of advice: Find a ‘board of directors’ to act as a source of advice. “Consider peers, superiors, industry thought-leaders and experts as your board of directors. They’ll be an invaluable source of advice for you”.
