Salaries within the Information Security Sector: What, Why, How?

Salaries all across the technology sector are said to be one of the highest in the world – and that's for a good reason. Technology has a profound impact on our daily lives – and whether we notice that or not, the security of our data is getting more and more important as well.

Securing our most valuable asset – data – against the growing threat of data breaches is the job of information security professionals. Such people often work in technology-focused organizations – the product being sold by those organizations may not necessarily be security-related, but as security is getting more and more important, hiring security experts is often the only option left for the company to explore. In this blog, we explore the range of salaries of information security engineers.

Salaries in Tech

For the purposes of this article, we're going to focus on the salaries of US-based security experts, but before we do that, we should walk you through the salaries in the tech sector in general. In the US, salaries in this field range greatly and can often range from as low as $30,000 for entry-level (junior) applicants to as high as $150,000 a year for senior or principal engineers. Of course, salaries are heavily dependent on the field engineers find themselves working in as well.

Salaries in Cyber Security

According to PayScale, the average base salary for a cyber security expert is around $92,000 per year (the figure is based on 9,166 independent reports.) Cyber security analysts allegedly make from $55K to $115K a year, penetration testers usually expect to cash in $60K to $130K, security engineers usually make from $65K to $140K, cyber security engineers usually rake in anywhere from $70K to $140K, and managers make anywhere in between $80K to $160K. The disparity in salaries in the cyber security sector depends on a couple of key factors:

1. What line of work is the person in? Roles in information security, contrary to popular belief, are very varied and the role we find ourselves in will have a direct impact on the money we see in our bank account. Cybersecurity analysts will usually make less than managers, for example.
2. Does the work of the person have an impact on other people? If yes, the salary will obviously be higher. Securing healthcare systems is work that puts the lives of other people at risk, and without great pay, we won't achieve great security.
3. Does the person manage other people? If yes, the salary will be higher than usual.
4. Does the person perform penetration testing? If yes, what kind of services are provided? What kind of architecture (physical, virtual, etc.) is being tested? Are vital services involved in the penetration test? In this case, the salary heavily depends on the skills of the person and his so-called "portfolio" in this space (i.e. did the person perform penetration testing work with well-known companies? Did the flaws found by this person in the past impact the work or future of other people? etc.)
5. What kind of a company does a person work in? If the company is considered to be "elite" (i.e. only respected cyber security engineers who know a lot of things work there), the salary is likely to be much higher than in companies of another caliber as well.

The answers to these questions are vital – the line of work determines the pay grade, the impact of the work performed by the engineer also raises the salary significantly, if the person manages other people the management function raises the pay grade no matter what kind of engineers are being managed, penetration testing is a sphere where excellent individual performance means heavily enhanced security for the company and as a consequence, heavily enhanced rates of money in the penetration tester's bank account.

Penetration testing is a sphere that requires heavy knowledge of the things that are being tested. Look at it this way – a person performing penetration testing on a web application needs to be well-versed in at least the wide majority of the following types of cyberattacks:

• Various types of SQL injection (classic, blind, union-based, etc.) – such attacks are dangerous because in many cases, the result of them would be the company database getting into the attacker's hands. Attackers usually sell the database off to other nefarious parties which are interested in the data because it helps them pursue credential stuffing attacks.
• Privilege escalation – such attacks aren't very frequent, but if mounted successfully, their results can be devastating too. When such an attack is successfully completed, an attacker is able to escalate privileges of an unsuspecting user from low or moderate to high meaning that the attacker is able to access stuff that is not meant to be accessed by a specific account.
• Reflected and stored types of Cross-site Scripting (XSS) – such types of attacks are increasingly frequent and popular and the aim of them is to execute malicious scripts in the browser of another user. Since XSS is based on javascript, these scripts can do everything XSS can do: that should give you an idea of just how powerful such attacks can be when employed properly.
• Open redirect – such attacks aim to redirect a user to a website of an attacker's choice. The consequences of such an attack can be mild or very severe depending on the skills of the attacker – some attackers use such attacks for phishing, others find different use cases.
• Improper access control – when we fail to control who has access and to what resource, many different problems begin to occur: some attackers use this security vulnerability to access administrator accounts with relative ease, some access parts of websites where sensitive data is stored, etc.
• Sensitive information disclosure – such an attack type refers to the application disclosing sensitive personal information to those who don't have the right to access it. It's simple – disclose sensitive information to someone without a right to view it, and you have a massive problem on your hands.

At the end of the day, different people perform different necessary tasks to combat cybercrime – some manage the data flow that goes in and out of the infrastructure belonging to a company, some manage the security engineers themselves and give them direction, some perform penetration testing to keep company infrastructure safe. What do you think? Follow us on Twitter, LinkedIn, and Facebook, and tell us your opinion!

What does your company do to ensure the safety of the data within your databases? Many companies employ the BreachDirectory API to secure their personnel and most precious data by scanning through hundreds of data breaches within milliseconds – the BreachDirectory data breach API is also used to assist in OSINT investigations for law enforcement, personal projects, and so on, so make sure to give it a try today and until next time.