It’s easy to say ‘we follow the Sun’ or ‘we deliver that 24/7/365 service’. The story doesn’t end there though – the delivery part of this promise has a different story to tell. The one that is rarely talked about, and that’s because it’s rarely even acknowledged…
We all know that many of us who work in cybersecurity work long hours. It is a norm, it probably won’t change much anytime soon, and we simply take it for granted that this is a part of our job to be always online… to be always checking emails, messages, news on social media, and our whole life is structured around ‘being in the know’, and ideally, ‘being the first to know’.
But there is more depth to this promise, because people who deliver the 24/7/365 service from the APAC region often have it far worse…
The moment someone starts to work in San Francisco, someone in London stops working (give or take one/two hours). What about people in New Delhi, Manila, Singapore, Sydney?
When you work from the APAC region your work day is a mess. You start with your regular 9 to 5/6, but then comes the ‘night shift’. You never signed up for it, but this ‘night shift’ is enforced on you, because this is the one where you talk to your peers in EMEA and NA, attend calls, and respond to urgent queries.
How many people working from the NA and EMEA regions take into account that these cross-regional calls and queries often happen during that ‘night shift’ in APAC?
In fairness, some do. I know people in NA that make sacrifices the other way around and get up as early as they can f.ex. 5-6am to make these cross-regional calls as early as possible for the people in APAC, but even that feels like a wrong approach.
How can we change it?
Having a proper, mature handover process is probably the best answer. If the process is well defined, it doesn’t matter who handles what. And if there is a need for 1:1s, or skip ones, that can be a monthly or quarterly sacrifice, not a daily occurrence. And let’s agree that the worst is to maintain the existing status quo where APAC teams work from their early mornings on Monday till their very late evenings on Friday. This is simply not fair and as such, not acceptable.
Again, how can we change it?
Empower your employees in APAC to disable their notifications when they finish their day’s work, and make them comfortable being assertive and saying ‘I will follow-up on this tomorrow’. Schedule fewer cross-regional calls. Schedule more 2-region calls instead of 3-region calls. Work with empathy, and put yourself in APAC employees’ shoes more often. Visit the region and see how people work there. Shadow them, talk to them, see their struggles. And again, define better handover processes that include at least one SME in each region that can take over. A mature process is the key to a smooth transition between regions. And don’t book any calls on Friday. And last, but not least – respect that APAC team. They are often the most hardworking part of your global team…
If you think this is biased, let me say that I worked from the APAC region for 5 years. I fought as much as I could to reduce all these night calls, but in the end they were an integral part of my role… It really sucks to hop on calls at 10 or 11pm. Trust me. Think of it for a moment: how often do you take calls at 10pm in NA, EMEA? And in APAC it is very often a daily norm…
So that you know… that ‘norm’ is your security program doing it wrong.
If you work for FAANG & live in the richest part of the US, or are uniquely positioned elsewhere, you can make 450K/year, and some make more than that. But this is an exception on a global scale. If you want to make this money, make every effort possible to join these companies and relocate. Outside of these privileged areas, optimize your salary negotiations for base salary, because it’s the only solid income you can rely on & the higher you bid, the more it will help you negotiate higher salaries in the future.
The term total compensation is used here quite loosely. From experience, even recruiters are often not clear (or honest) about what that means exactly, and they often bundle different numbers and perks together in order to close the deal, w/o thinking of it in terms of ‘what you take home, annually’, as they should. As edx pointed out on twitter, the RSU grants may be much higher to make that 450K total comp annually work. I am leaving the numbers below as they are, but bear in mind the calculations may need to be adjusted and the new values may shift your decision making process quite a bit. In any case, it really is a must to understand the numbers you are presented before you sign the deal. Note that as far as I know no companies would ever promise grant refreshers annually. It’s all at their discretion (which is fair as they can’t predict the company’s performance & make promises that may cost them). So you may get a nice first grant, but no refreshers. Approach all promises with skepticism – unless it’s written and presented to you as a formal offer, it doesn’t exist.
Every once in a while someone drops a salary bomb discussion on social media and the speculation follows. The salary bomb value du jour is the mythical 450K USD that some claim is pretty much ‘a standard’ pay in infosec. The other line I keep hearing being repeated is ‘200K is new 100K’.
Of course, these claims are both… only selectively true.
As the real estate agents like to repeat – the most important thing in real estate is…
Location. Location. Location…
It works in cyber security too. If you work in the Bay Area, New York, or tax-free, low-tax, or high-personal-risk countries you may score that high, and higher, but most of the people in this industry simply do not earn that much.
For instance, London is a really expensive place, and the 2022 Barclay Simpson Salary brochure offers us the following salary guidance for Cyber Security leadership in the UK:
These are salaries of Directors, VPs, SVPs, Partners. And these are already very high salaries in the UK, yet far from that mythical 450K USD (345K GBP). I doubt any of the EU countries come any closer, to be honest. And if they do, this is probably because their taxation system is even harsher than in the UK, so they have to give more, so… they can take more away. And Asia, South America, Africa, Australia are really FAR behind. Yes, Singapore and Hong Kong pay well, you can get a break in Riyadh, Abu Dhabi, Dubai, or warzones but hey.. we talk ‘global normal’ here.
The devil is in the details. Of course.
The mythical 450K is not a base salary, but a total comp aka total compensation. It’s extremely difficult to evaluate what that even means w/o a breakdown of its components. And these may vary. For instance:
The base salary could be 150K USD
The Restricted Stock Units (RSUs) that are granted to the employee could form another 300K. (Note: these are usually vested over a period of 4 years; you get that whole 300K only at the end of the 4th year of working there; of course, grant refreshers are a thing too, so keep on reading.) (As per the update at the top of this post: make sure that when presented with a total comp it covers RSUs per year, not per 4 years, and that you understand its vesting scheme, plus ask about annual refreshers.)
That is a simple scenario though. Many companies include various perks f.ex.:
(performance) Bonus – say.. 1-40% of the salary, annually; subject to grade, negotiations
Car Allowance – varies, subject to grade, negotiations
Sign-on bonus – subject to grade, negotiations
Early RSU vesting – subject to grade, negotiations
Annual RSU grant refreshers – depending on the company
Relocation support – aka relo package (if you move countries it tends to be very expensive so having f.ex. visa service, 1 month accommodation, and help with searching for a property you want to rent can be really a savior; higher grades get support with more exotic demands f.ex. I heard of employees moving their horses between countries and companies paid for it!!!)
Stock Options – usually available for everyone joining
OTE (On-Target/On-Track Earnings) bonus – typically in a sales-ish, consulting-ish function – depends on the company
Various Upsell bonuses – as above
Pension contribution matching schemes – typically for all employees
Medical / Dental – typically for all employees (especially important in US, but it’s a great perk)
Access to gym and similar facilities – typically for all employees
Many Discounts / Corporate Deals / Corporate shops – typically for all employees
and many others
Unless you have that broken down on paper you can’t even properly compare two different 450K offers! Details really do matter.
Now… imagine you are on a $170,000 base salary job today. And you may be just after the end of your first year of employment and the first 1/4 of your grant being already vested.. say $100,000 in RSUs, vested over 4 years (your total comp could be seen as $270,000). Over a year you got like $170,000+$25,000=$195,000. What if someone came over now and said to you: I will hire you for $450,000 total comp (update as per the intro: make sure total comp calculation includes ‘annual’ RSU intake, not per 4 years). What would you say?
Yes, you would ask for details first!
The number is high, so it’s most likely that a big part of this number will be RSUs. What about… $100,000 base salary and a $350,000 RSU grant (with a standard setup that you need to work for a year before vesting starts, so you get 1/4 after a year, and then 1/16 of the grant will be released every quarter)?
A knee jerk reaction is to accept it. You can’t go wrong with this, right? It’s nearly 2x more than what your total comp is today!
The devil is in the details again…
You are currently taking $170,000 in paychecks home, plus you just got your first 4 batches of 1/16 grant RSUs vested at the end of first year, plus are promised to get a quarterly bump up from the RSUs that are being vested, plus there are grant refreshers.
In a new job, you will only take home $100,000 and have to wait for a year before you can get your first 1/4th of the grant vested. That first year will be a hell of a financial and emotional roller-coaster. Let’s name it: lower monthly salary, stress of being made redundant (trust me, many people experienced it and this means you won’t see any of the RSUs monetized!), plus a lost income of $70,000 coming from a reduced base salary, and finally a loss of the grant(s) from your old employer that would surely vest every quarter as it did so far!
That’s a very high risk right there! Are you ready to take it?
There are other variables in this puzzle.
Many companies offer RSU refreshers. They usually happen every year and while they tend to be lower than the original ‘hiring’ grant, they still offer certain comfort of stability. As long as you continue working for the same employer, the annual refresher acts as a nice carrot and is a great preventative control from people abandoning the ship. It is, in fact, a very successful preventative control against employee attrition. I literally know people who talked to me over 10 years ago about leaving the company we both worked for, and today they still work there. Too scared to make a move. Actually, not scared, but too comfy! RSU refreshers alone, if you are lucky, can make you a millionaire.
So… be very careful. Unless you can go to a new employer and negotiate a good deal where they take over your current vesting scheme, give you a solid sign on bonus, and perhaps can add a clause to your contract that in any circumstances you won’t be the loser in the ‘unlikely’ event of things going South within next year…
How many people can do it though? Even if the market is good for employees, only a few can go and dictate the terms of their employment contracts. There is a very high chance we are not them. So… we may want to choose options that are a bit more predictable and controllable.
In my view, it’s always better to optimize for a better base salary. It keeps you safe, makes you less paranoid about your company’s stock price (believe me, it is VERY destructive to your soul when you end up checking the stock price every single day, multiple times), and in any case.. and this is really crucial… gives you a MUCH better negotiating position when you change the job again in the future.
Not all your future employers will be living in an RSU-driven ‘total compensation’ sphere! You may move up, or laterally and if RSUs are not there, then what is your leverage? Yup. The base salary! It is your goal to improve it every time you change the job. It’s a rule of thumb I follow like a religion: I do not accept job offers where my base salary drops. I tried once, suffered, and I know it does cost you dearly…
Make it a habit to look for new opportunities. Talk to recruiters, peers, discuss on social media. The biggest secret of cybersecurity employment is … there is none. We are VERY privileged to live and work in conditions that support our growth unconditionally. Recognize it, make yourself visible and useful, thrive in it, until market correction comes… and it will.