Going clear?
Hi friends!
Well, it was an action packed week, filled with buzz all over the internet on nuclear fusion and the AI chatbot that is taking the world by storm.
We are going to talk about something a little more normal, but nevertheless extremely important. And that's compensation. We'll survey the implications of the recent trend toward mandated transparency, look at how that's going for cyber, and share some very practical advice for how you can use this data to help further your own advancement.
As usual, we'll also include a rundown of key news, tools, and upcoming events below our feature story. 👇
Going clear? Compensation transparency in cybersecurity
No, we’re not talking today about a certain religion espoused by celebrities and revealed to the masses by South Park.
Today, we want to review the implications of a rising trend around mandated compensation transparency, break down the effects, and share resources and advice for how you can use this information to further your own career.
Last month, New York City implemented a law requiring employers to post ‘good faith’ salary ranges for any job advertised to residents of the city, including remote workers. This comes on the heels of a similar law in Colorado, which went into effect last year, and prior to that, laws in several states that prohibited asking candidates for historical compensation information.
Why the push? And what does it mean for cybersecurity pay visibility and trends?
The new laws are intended to address persistent income gaps in gender and race. The idea is that by making pay more transparent, it should hold employers accountable to offering consistent compensation based on the role, not the person.
We’ll unpack the early results, the trends we are seeing, and share some resources that you can utilize for compensation information (even if you aren’t in CO or NYC).
The Debate
The topic of compensation transparency is hotly debated.
On the pro side, the argument is that people currently at the company, who may not be making the prevailing market wage, can see what somebody new coming in would make, and then negotiate salary from there. I’m sure we’ve all seen many instances where people who haven’t moved jobs as much can end up earning less than their full potential because those ‘leap moments’ from a compensation perspective haven’t happened, and their employers are perfectly fine underpaying relative to market if they feel flight risk is low.
On the ‘con’ side of the debate, many employers will argue that they will be much more cautious with setting new wage rates because a change in that number now potentially means a retroactive change across the workforce. They may also be less willing to pay up for extraordinary talent. So this can have an effect of depressing wages overall.
There have now been a number of academic studies on this topic, and most are finding that this does meaningfully contribute to reducing the gender gap, but that it also comes with the cost of fewer job opportunities (companies avoid posting for that area to avoid having to be transparent), and at a cost in wage growth overall (~2% impact on average).
Regardless of your stance on the topic, you should understand what this can mean for you.
While I haven’t seen any studies that specifically look at the impact of these laws on cybersecurity jobs, we have done some research and can share a few insights that are representative of what we expect to see as this practice becomes more prevalent.
What's actually happening
We dug specifically into mid-level cybersecurity jobs posted for NYC, and here’s what we found:
37% of jobs listed no compensation range (in violation of the law)
The average salary was $151K
The average posted salary range was +/- 20%
Only 40% of companies posted a comp range that was +/- 15%, which we view as a sign of good faith. You can imagine that one way of getting out of accountability here is posting a large range, and most companies appear to be doing exactly that. The most egregious example was a range between $136K-$350K, posted by a large bank.
Here’s a chart of salaries by years of experience. The bounds of the plots represent the ranges, and the box the 25th to 75th percentile. This should be a relatively good representation of salaries overall, less a ~10-15% cost of living premium for NYC.
Resources and negotiation tactics
So if you don’t live in New York or Colorado, but you want resources to negotiate your salary, here are a few places you can turn:
This report from Cynet gives detailed breakdowns and distributions by job type and region (be sure to look at North America only, the general results are skewed downward by including APAC)
Indeed and LinkedIn predict compensation rates. So find some jobs similar to yours and record what you see. This is unlikely to be your strongest tool from a negotiation standpoint, but it can give you a sense of whether you are far out of range.
Even if you aren’t necessarily wanting to move companies, take a handful of recruiter calls and see what the compensation range looks like. Recruiters will typically reveal this when asked, upfront.
CyberSN has typical pay ranges for 45 common roles
Quick tips for re-negotiating your salary:
The most leverage you will have is if you have another job offer. But be careful, going to your current employer with another offer is a high risk tactic. You really have to be willing to take the other job. Relatively few employers will have budget to make large wage hikes on the spot, so set your sights appropriately.
The best time to negotiate a comp increase is in the fall, as budgets for the next year are getting set.
Do your work and bring data to the conversation. Finding comparable roles with posted salary ranges for a very similar job is a good tactic.
Make it clear to your boss that this is important to you. If you are otherwise happy with the job, frame it up as a means to prevent you from taking recruiter calls and exploring what else is out there.
Know your leverage. The more specialized your skills are and the better your reviews are, the more leverage you have.
Have a specific ask. It will get you further than leaving it up to them (as uncomfortable as that may be).
If you are anxious about the conversation, practice with a friend.
Overall, we strongly encourage employers to move toward a more transparent disposition. Cybersecurity is a hot market, and it's a better investment over the long term to consistently pay the prevailing market rate, build a good culture, and a team that enjoys what they do and will want to stick around. If you do this, there is no risk, only upside, to being open about compensation.
Tools, resources, and useful things from the internet
🎁Last minute hacker gifts for kids. Here is Darkreading’s top 10 list of cyber-educational toys for kids (Amazon can probably still get these to you!)
💻Courses from Heath Adams, aka the 'Cyber Mentor'. Heath publishes some excellent free educational courses on YouTube. Topics of focus include ethical hacking, Python, and OSINT.
🧑💼Cybersecurity interview prep playlist. Great compilation of common interview questions and strategies for answering them.
News
🏢Security is an exception to the hiring freeze and layoffs at Amazon. Amazon's CISO shares his tactics for bringing people in (internal hires from other departments), as well as retaining them (offering internal transfer opportunities). Hiring priorities are identity, pen testing, and appsec. (WSJ)
🩹This was a big week for patches (and critical vulnerabilities). Apple released nine patches and Microsoft's Patch Tuesday addressed a number of critical vulnerabilities. Fortinet patched a critical zero-day VPN vulnerability.
📱Apple released several new security features, including identity verification before you send sensitive information (Secureworld)
🔑Not to be outdone by Apple, Google is rolling out support for passkeys (authentication via mobile phone biometrics) into Chrome (Hacker News)
🔓The FBI's forum for threat sharing and networking among critical infrastructure security professionals, InfraGard, was breached, with member information being posted for sale.
💾EU set to allow European PII to be stored in US. Reduces the risk for US companies that are probably technically mishandling the data anyway. (WSJ)
⚛️The post-quantum encryption bill is going to become law, requiring that federal agencies update encryption practices (Fedscoop)
Upcoming events
💼FlowCon 2023. January 9-12. Santa Fe, NM. Carnegie Mellon conference focused on the flow of data for network defense.
💼National Cybersecurity Alliance - Convene. Jan 10-11. Clearwater, FL. Generalist industry event.
💼SANS East. Feb 13-18. Virtual. Training extravaganza.
If you have other events coming up that you'd like me to call attention to, please send them my way at [email protected]
Crux is building the talent platform for cybersecurity. Check us out.
Thinking about your next move? Join our network.
Want help with your hiring needs? Reply to this email to drop me a line