CISSP for employment, or more?

From: David Hawley (chimanat_private)
Date: Fri Nov 23 2001 - 12:33:17 PST


    I suspect that there will be a lot more replies on this topic, after the
    Thanksgiving weekend, but there were some excellent replies already and I
    wanted to summarize them, and share some thoughts of my own.  All of the
    replies that I have received so far fall along similar lines.
    ----------------------------------------------------------------------------
    One of the main reasons for the CISSP is the abysmal awareness of what we
    do amongst not only HR folks, but even our counterparts in the IT/MIS
    Industry.  When we get together *we* KNOW who knows what they are talking
    about, but how in the heck would HR Folks, or even most IT/MIS Managers?  On
    most of the contracts that I have held since forming UNIX & NT NETWORK
    SECURITY, LLC in 1995 I was generally the only one who had the big picture
    (not all mind you, at one of my latest contracts I was only one wheel in a
    big security machine, they had 3 folks doing viruses alone!!!).  So to
    repeat, it's used by folks that don't understand what we do.
    
    Another reason, of course, is standardization.  Some of us may focus on one
    area or another, it takes a long time to have "done it all" as they say.
    Having a CISSP would give one the broad knowledge to head into a contract in
    a new area without having to reinvent the wheel.  For example if you had
    been doing firewalls for 2 years, and were hired to write security policy on
    a new gig you would already be aware of the terms we all use, and who the
    players are in that area, so that we can build on a common knowledge base.
    
    Another good point that was brought up was that for someone doing hands-on
    work, such as installing C2, a VPN, or a one-time password system it was
    less important.  For managers, policy writers, team leads it would be more
    in demand.
    
    Lastly we come full circle back to rates, and employability.  A number of
    people (especially those with a CISSP :) ) felt that in a situation
    where there were two candidates who were equal in all other respects, the
    one with the CISSP would probably be hired.  I was actually writing a long
    quasi white paper on "Why I DON'T have a CISSP", to be used with employers,
    when it dawned on me that I would be better serving our Industry as a whole
    to join forces with those who hold one, rather than to "fight city hall".
    If I can help out in any way please let me know.
    
    Cheers, David
    David Hawley --- Future CISSP :)
    
    
    P.S.  I have changed my preferences back to David Hawley, Rhino was my
    nickname from long ago, when my dating techniques resembled the charging
    Rhino, LOL.  Bomd, was a typo, supposed to be Bond, as in James Bond.  No
    more need for stealth, with this account.
    
                                               David Hawley
                            UNIX & NT Network Security, LLC.
                                    drhat_private
                                    www.123netsecurity.com
    
     -----Original Message-----
    From: 	Rhino Bomd [mailto:rhino007_usat_private]
    Sent:	Wednesday, November 21, 2001 2:21 PM
    To:	securityjobsat_private
    Subject:	RE: Rate's for contractors & employees
    
    
    Folks,
    
    I was *swamped* with responses.  Thanks!  So there seems to be enough
    interest that I will try and summarize, for all rather
    than reply to 20 folks.  I won't blow anyone's anonymity, as I promised.
    
    Some folks are still making the big bucks we used to charge 18 months ago,
    especially with clients they had worked for in the past.
    
    But a lot have had to take 20% or more cuts.  The standard range seems to be
    pretty consistent at $60-$95, sometimes up to $125/hr,
    those who were getting more than $90 mostly said that the work was sporadic.
    
    While I have the floor, I have one more survey question.  The deal is the
    same I won't pass on anyone's name or answers, specifically, but will
    summarize if the response is great.  Here is the question:
    
    1) How much difference does the CISSP make in getting hired?
    
    Came up through the ranks, paying my dues at Sun Micro, supporting Sun
    Federal when Sun was a very small startup firm.  Was there when the first
    Internet virus hit (the Internet WORM), supported C2 & B1, have worked with
    all kinds of firewalls, routers, written policy,  PKI, network management,
    VPN, C2 audits, handled intrusion detection, post mortem, SSL, encryption,
    etc., etc.  Just don't want to spend thousands of dollars for some training
    that is fully redundant to my experience... unless it makes it much easier
    to get hired.
    
    
                                               David Hawley
                            UNIX & NT Network Security, LLC.
                                    drhat_private
                                    www.123netsecurity.com
    
     -----Original Message-----
    From: 	Rhino Bomd [mailto:rhino007_usat_private]
    Sent:	Wednesday, November 21, 2001 8:18 AM
    To:	securityjobsat_private
    Subject:	Rate's for contractors & employees
    
    
    I have been out of touch with the rates question for a while.  When I look
    at the DICE Salary Survey it indicates that the mean rate is
    something like $75/hr for all contract work.  Of course we in the Security
    field should be doing better... but the recruiters I talk to
    tell me that people are going out for half what they did 18 months ago.  I
    tend to discount what they say, because their job is to
    talk us down in price, and their Clients up in price, at all times.  So I'm
    taking my own informal survey.  I can promise that anyone
    who responds directly to me will remain anonymous.  I have no intentions of
    using this info for more than my own contract search
    & negotiations.  Specifically what are the rates for someone who has had
    over 20 years of Industry experience, 25 years of security
    experience, 6 years of computer and network security consulting, and 15
    years of UNIX experience.  This kind of background used
    to bring in between $110/hr - $200/hr, depending on length of contract.
    
                                               David Hawley
                            UNIX & NT Network Security, LLC.
                                    drhat_private
                                    www.123netsecurity.com
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Nov 23 2001 - 13:42:59 PST