InfoSec salaries

  • Last Updated:
  • Jul 7th, 2017 8:24 am
[OP]
Newbie
May 18, 2015
58 posts
17 upvotes
Georgetown, ON

Can someone give me an idea of what would be an appropriate salary range for a security analyst position? I see it all over the place, as low as 40K and as high as >100K according to Indeed. Very confusing. What would be a reasonable expectation for a seasoned IT pro transitioning to an information security role?
18 replies
Newbie
Mar 28, 2017
44 posts
20 upvotes
I'm a security analyst. Make about 90k to 100k with overtime, more if you factor in pension benefits. I see some people trying to get into infosec without an IT background so maybe they are only worth 40k. Not sure how you could even do this job without IT experience though. If you have sysadmin or networking experience I suspect the range is higher, maybe starting around 60k to 70k. I have seen senior security analyst positions posted at 85k go unfilled because the pay is too low for an experienced infosec person.
Jr. Member
Jul 22, 2015
176 posts
32 upvotes
Toronto, ON
islandscott wrote:
May 19th, 2017 11:51 pm
I'm a security analyst. Make about 90k to 100k with overtime, more if you factor in pension benefits. I see some people trying to get into infosec without an IT background so maybe they are only worth 40k. Not sure how you could even do this job without IT experience though. If you have sysadmin or networking experience I suspect the range is higher, maybe starting around 60k to 70k. I have seen senior security analyst positions posted at 85k go unfilled because the pay is too low for an experienced infosec person.
Did you teach yourself or go through uni/college?
Newbie
Mar 28, 2017
44 posts
20 upvotes
TorontoTacos wrote:
May 20th, 2017 5:34 pm
Did you teach yourself or go through uni/college?
I did a 2.5 year community college diploma in network admin to get started about 13 years ago, but where I really learned was at a small software company I worked at for 5 years after college. I was able to start immediately beyond tier 1 support and built out the server infrastructure and network over 5 years as the company grew to 10 times what it was when I started. It was really a lucky break. I actually took an hourly pay cut when I moved to my new company, but it was worth it for the pension, benefits, OT pay and overall work-life balance. Much happier now.
I kind of fell into the security side of things. An audit recommended hiring a dedicated network security person, so the position was created and they offered me the job a couple years ago. So mostly self taught on the security side, but there's a ton of overlap between sysadmin and secadmin. Much easier to learn infosec with a good IT background.
[OP]
Newbie
May 18, 2015
58 posts
17 upvotes
Georgetown, ON
Did you get any security related certifications such as CISSP, CISA, C|EH or vendor certs such as JNCIS-Sec or CCNA/P:Security?
Deal Addict
Mar 31, 2005
3281 posts
258 upvotes
Calgary
CISA is not a security designation but an audit one and would almost for sure have prerequisites that most analysts wouldn't have unless they have been working in audit or IT controls for several years prior.
Newbie
Mar 28, 2017
44 posts
20 upvotes
dimarzio wrote:
May 20th, 2017 7:34 pm
Did you get any security related certifications such as CISSP, CISA, C|EH or vendor certs such as JNCIS-Sec or CCNA/P:Security?
No security certs. Company sent me on a week-long CEH course and it reminded me why I hate certs so much. Every time I pointed out course material that is outdated or not 'best practice' I got the canned answer that we need to study what's on the exam and not what's accurate. I work in the real world and want to spend my time efficiently, not memorizing crap just to get a cert. If I was looking for work I would likely spend my time chasing down certs to show I have the knowledge. At this point I feel I have enough projects and experience under my belt to show my value. I do want to do OSCP for the challenge though, but my pen testing skills are not there yet.
Deal Addict
Oct 14, 2001
1462 posts
259 upvotes
GMA
islandscott wrote:
May 20th, 2017 5:49 pm
I kind of fell into the security side of things. An audit recommended hiring a dedicated network security person, so the position was created and they offered me the job a couple years ago. So mostly self taught on the security side, but there's a ton of overlap between sysadmin and secadmin. Much easier to learn infosec with a good IT background.
Very interesting background but be aware that you're introducing a secadmin bias. For such a position, you're right that coming from IT (server, app and/or network) is the most logical path but that's not true for all security roles. Folks doing security governance might have a different career path. There are various paths leading to InfoSec and the "Technical IT" path is only one among many others.
[OP]
Newbie
May 18, 2015
58 posts
17 upvotes
Georgetown, ON
So what would be the best way for an experienced IT professional to transition from IT infrastructure administration to security? I would be interested to move into the technical side of security, possibly as a blue team member or SOC analyst and eventually transition to GRC.
Deal Addict
Jul 29, 2002
1940 posts
72 upvotes
dimarzio wrote:
May 24th, 2017 2:07 pm
So what would be the best way for an experienced IT professional to transition from IT infrastructure administration to security? I would be interested to move into the technical side of security, possibly as a blue team member or SOC analyst and eventually transition to GRC.
Best way? Internal transfer.
Networking with your security team if there's one. Another way is to take on security-related projects to build your infosec experience.
Very interesting background but be aware that you're introducing a secadmin bias. For such a position, you're right that coming from IT (server, app and/or network) is the most logical path but that's not true for all security roles. Folks doing security governance might have a different career path. There are various paths leading to InfoSec and the "Technical IT" path is only one among many others.
Based on my own experience it's not a bias. Good security professionals generally come from networking, system admin, or software development.
[OP]
Newbie
May 18, 2015
58 posts
17 upvotes
Georgetown, ON
siriuskao wrote:
May 24th, 2017 11:28 pm
Best way? Internal transfer.
Networking with your security team if there's one. Another way is to take on security-related projects to build your infosec experience.
Unfortunately there's no dedicated security team, so the IT department carries out both IT administration and IT security tasks, even some non-IT security tasks such as controlling CCTV and alarms and physical access control systems for all the buildings.
So I'm looking to move to a new company and get into a dedicated security position.
[OP]
Newbie
May 18, 2015
58 posts
17 upvotes
Georgetown, ON
Crichtonfan wrote:
May 25th, 2017 8:44 pm
Fire up some VMs and start hacking?
Thanks for the suggestion, but I already have a home lab with ESXi and KVM hosts and some VMs besides the online labs that I've got from the Linux Academy and Cisco Cybersecurity scholarship. But it doesn't answer my question on how to transition from IT infrastructure to IT security.
Deal Addict
Jul 29, 2002
1940 posts
72 upvotes
dimarzio wrote:
May 25th, 2017 11:52 am
...so the IT department carries out both IT administration and IT security tasks, even some non-IT security tasks ...
So are you part of this department? Take on some security tasks to beef up your resume.
Secondly, show some initiative and address some of the security gaps in your environment via projects. (there are always gaps ;) )

This was how I moved from sysadmin to infosec. PM me if you want ideas.

Lab is fine but nothing beats experience in a real environment.
