Ms. Hylas - Well written and to the point. I only take issue with your last statement: "Let's all realize that the dot.com craziness is over and come back to reality." We are not talking about OS engineering or Network Administration here. There is no such thing as an "inflated" Security Engineering salary. Why? Because Security Engineers, and ultimately Professional Security Consultants, are the cream of the IT crop, or rather, are SUPPOSED to be! This is not elitism or gross exaggeration of my own personal value, it is simply fact. Security folks should be the BEST at and/or have in-depth knowledge of all of the following: programming, network engineering, administration, and finally, policy and documentation development. Thus, the industry as a whole must come to grips with the fact that people with such expansive experience and knowledge are worth MUCH MORE than any normal or day-to-day IT personnel. Pipe dream?... Heck, I'm happy at this point when they simply realize they need a security pro in the first place. Now that they begin to see that need, we need to show them how much that need is going to cost, and it shouldn't be cheap!

Also, folks who are just now breaking into security must realize that they should not be doing so prematurely. Going from High School to Ameritrain to MCSE testing to "Security Engineering" by title is outrageous. It's simply not possible. The pre-req's are MANY years of experience in each and every category listed above with a focus on the Engineering of networks and developing policy for said networks. A great "low-end" infosec position may be IDS or Firewall INSTALLATIONS. Mid-level positions would be the monitoring of the same, and the high-end would be the development of policies for said systems, response to incidents, or the auditing of those systems. None of these positions should be given to someone who does not have experience in network admin and engineering. How can you define traffic on a network even in a simple Checkpoint installation without knowing the effects and ramifications of the configuration you choose?! Sure you can be taught to install the software, but in order to do so "securely," you have to have that extra experience. Thus, even that "low-end" security position of "installer" should not be given to anyone who just got their papers... And therefore, even THESE positions are worth MORE $ than your average admin position.

Finally, recruiters must be aware that folks like myself, and anyone else who HAS spent many years developing their security-centric resume, is going to be worth the MAX of any salary range proposed, always. I personally saw my only solution to the chaotic shuffle of job-searching between contracts to be formation of my own entity. By incorporating, I realize that being a sub of a sub is not glamorous and is often times a pain in the arse logistically, but ultimately it teaches you the final step in developing your personal business, which is: How to become the PRIME contractor, and therefore how to ALWAYS make the top dollar in a said project. Contractors who never glimpse the politics or financial turmoil at the head of a project will never come to grips with being the lowest paid member of the food chain. When they finally discover that the GSA schedule permits billing at $130/hr on a particular RFP, yet they are being asked to work for $41, they begin to complain about the difference.

My point? Consultants out there, GET TO THE TOP of the food chain, and this entire argument becomes moot. If you truly are a "Security Professional" and not just some kid with an MCSE/A+ who has heard of firewalls, then this should be obvious to you. If it is obvious, then let the recruiters know that THEY are wrong and that you truly are worth the very best salary possible. Oh well, enough rambling.. I hope there is a coherent thought somewhere in my mess.

Bottom line, recruiters, if you see someone who is NOT READY to go into security engineering, it is your responsibility to tell them this, and show them a correct path. My guess is that if you explain it to someone, they may stick by you through the years until they ARE ready to be a Security Pro... Then it's big bucks for both of you!

-oliver g. petruzel
-president, k-oss security solutions, inc.
-be safe all...
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 18:30:13 PDT