Infosec Salaries – the myth and the reality

April 21, 2022 in Cyber - Management, People Management

Update 3

If you want to know more about salaries at FAANG and all over the world look at the following resources:

Update 2

tl; dr;

If you work for FAANG & live in the richest part of US, or are uniquely positioned elsewhere you can make 450K/year and some make more than that. But this is an exception on a global scale. If you want to make this money make any effort possible to join these companies and relocate. Outside of these privileged areas optimize your salary negotiations for base salary, because it’s the only solid income you can rely on & the higher you bid the more it will help you negotiating better future higher salaries.

Update

The term total compensation is used here quite loosely. From experience, even recruiters are often not clear (or honest) what that means exactly and they often bundle different numbers and perks together in order to close the deal and w/o thinking of it in terms of ‘what you take home, annually’, as they should. As edx pointed out on twitter, the RSUs grants may be much higher to make that 450K total comp annually work. I am leaving the numbers below as they are, but bear in mind the calculations may need to be adjusted and the new values may shift your decision making process quite a bit. In any case, it really is a must to understand the numbers you are presented before you sign the deal. Note that as far as I know no companies would ever promise grant refreshers annually. It’s all under their discretion (which is fair as they can’t predict company’s performance & make promises that may cost them). So you may get a nice first grant, but no refreshers. Approach all promises with skepticism – unless it’s written and presented to you as a formal offer — it doesn’t exist.

Old post

Every once in a while someone drops a salary bomb discussion on social media and the speculations follow. The salary bomb value du jour it is the mythical 450K USD that some claim is pretty much ‘a standard’ pay in infosec. The other line I keep hearing being repeated is ‘200K is new 100K’.

Of course, these claims are both… only selectively true.

As the real estate agents like to repeat – the most important thing in real estate is…

Yes!

Location. Location. Location…

It works in cyber security too. If you work in Bay area, New York, tax-free, low tax, or high-personal-risk countries you may score that high, and higher, but most of the people in this industry simply do not earn that much.

For instance, London is a really expensive place, and 2022 Barclay Simpson Salary brochure offers us the following salary guidance for the Cyber Security leadership in UK:

These are salaries of Directors, VPs, SVPs, Partners. And these are already very high salaries in UK, yet far from that mythical 450K USD (345K GBP). I doubt any of the EU countries come any closer, to be honest. And if they do, this is probably because their taxation system is even harsher than in UK, so they have to give more, so… they can take more away. And Asia, South America, Africa, Australia are really FAR behind. Yes, Singapore and Hong Kong pay well, you can get a break in Riyadh, Abu Dhabi, Dubai, or warzones but hey.. we talk ‘global normal’ here.

The devil is in the details. Of course.

The mythical 450K is not a base salary, but a total comp aka total compensation. It’s extremely difficult to evaluate what that even means w/o a break down of its components. And these may vary. For instance:

  • The base salary could be 150K USD
  • The Restricted Stock Units (RSU) that are granted to the employee could form another 300K. (note: these are usually vested over a period of 4 years; you get that whole 300K only at the end of 4th year of working there; of course, grant refreshers are a thing too, so keep on reading). (as per Update at the top of this post: make sure that when presented with a total comp it covers RSU/year, not per 4 years and you understand its vesting scheme, plus ask about annual refreshers)

That is a simple scenario though. Many companies include various perks f.ex.:

  • (performance) Bonus – say.. 1-40% of the salary, annually; subject to grade, negotiations
  • Car Allowance – varies, subject to grade, negotiations
  • Sign-on bonus – subject to grade, negotiations
  • Early RSU vesting – subject to grade, negotiations
  • Annual RSU grant refreshers – depending on the company
  • Relocation support – aka relo package (if you move countries it tends to be very expensive so having f.ex. visa service, 1 month accommodation, and help with searching for a property you want to rent can be really a savior; higher grades get support with more exotic demands f.ex. I heard of employees moving their horses between countries and companies paid for it!!!)
  • Stock Options – usually available for everyone joining
  • OTE (On-Target/On-Track Earnings) bonus – typically in a sales-ish, consulting-ish function – depends on the company
  • Various Upsell bonuses – as above
  • Pension contribution matching schemes – typically for all employees
  • Medical / Dental – typically for all employees (especially important in US, but it’s a great perk)
  • Access to gym and similar facilities – typically for all employees
  • Many Discounts / Corporate Deals / Corporate shops – typically for all employees
  • and many others

Unless you have that broken down on a paper you can’t even properly compare two different 450K offers! Details really do matter.

Now… imagine you are on a $170,000 base salary job today. And you may be just after the end of your first year of employment and the first 1/4 of your grant being already vested.. say $100,000 in RSUs, vested over 4 years (your total comp could be seen as $270,000). Over a year you got like $170,000+$25,000=$195,000. What if someone came over now and said to you: I will hire you for $450,000 total comp (update as per the intro: make sure total comp calculation includes ‘annual’ RSU intake, not per 4 years). What would you say?

Yes, you would ask for details first!

The number is high, so it’s most likely that a big part of this number will be RSUs. What about… $100,000 base salary and $350,000 in RSUs grant (with a standard setup that you need to work for a year before vesting starts, so you get 1/4 after a year, and then grant’s 1/16 will be released every quarter)?

A knee jerk reaction is to accept it. You can’t go wrong with this, right? It’s nearly 2x more than what your total comp is today!

The devil is in details again…

You are currently taking $170,000 in paychecks home, plus you just got your first 4 batches of 1/16 grant RSUs vested at the end of first year, plus are promised to get a quarterly bump up from the RSUs that are being vested, plus there are grant refreshers.

In a new job, you will only take home $100,000 and have to wait for a year before you can get your first 1/4th of the grant vested. That first year will be a hell of a financial and emotional roller-coaster. Let’s name it: lower monthly salary, stress of being made redundant (trust me, many people experienced it and this means you won’t see any of the RSUs monetized!), plus a lost income of $70,0000 coming from a reduced base salary, and finally a loss of the grant(s) from your old employer that would surely vest every quarter as it did so far!

That’s a very high risk right there! Are you ready to take it?

There are other variables in this puzzle.

Many companies offer RSU refreshers. They usually happen every year and while they tend to be lower than the original ‘hiring’ grant, they still offer certain comfort of stability. As long as you continue working for the same employer, the annual refresher acts as a nice carrot and is a great preventative control from people abandoning the ship. It is, in fact, a very successful preventative control against employee attrition. I literally know people who talked to me over 10 years ago about leaving the company we both worked for, and today they still work there. Too scared to make a move. Actually, not scared, but too comfy! RSU refreshers alone, if you are lucky, can make you a millionaire.

So… be very careful. Unless you can go to a new employer and negotiate a good deal where they take over your current vesting scheme, give you a solid sign on bonus, and perhaps can add a clause to your contract that in any circumstances you won’t be the loser in the ‘unlikely’ event of things going South within next year…

How many people can do it though ? Even if the market is good for employees, only a few can go and dictate the terms of their employment contracts. There is a very high chance we are not them. So… we may want to choose options that are a bit more predictable and controllable.

In my view, it’s always better to optimize for a better base salary. It keeps you safe, makes you less paranoid about your company’s stock price (believe me, it is VERY destructive to your soul when you end up checking the stock price every single day, multiple times), and in any case.. and this is really crucial… gives you a MUCH better negotiating position when you change the job again in the future.

Why?

Not all your future employers will be living in a RSU-driven ‘total compensation’ sphere! You may move up, or laterally and if RSUs are not there, then what is your leverage? Yup. The base salary! It is your goal to improve it every time you change the job. It’s a rule of thumb I follow like a religion: I do not accept job offers where my base salary drops. I tried once, suffered, and I know it does cost you dearly…

Make it a habit to look for new opportunities. Talk to recruiters, peers, discuss on social media. The biggest secret of cybersecurity employment is … there is none. We are VERY privileged to live and work in conditions that support our growth unconditionally. Recognize it, make yourself visible and useful, thrive in it, until market correction comes… and it will.

Comments are closed.