Top 10 Highest-Paying Security Jobs?!

I always look askance at articles like “10 highest-paying IT security jobs” as posted at CSO Online, especially when it comes to the numbers. Where is the data from? What was the sample size? And all those other statistical-type questions.

So while we can’t necessarily trust the numbers, maybe we can trust the positions. I’ve broken them out by management and by technical positions based on my own biased heuristics. 🙂 The numbers reflect the salary level of the original article.

Management

2. Chief security officer
3. Global information security director
4. Security Consultant  (judgement call on my part)
5. Chief information security officer
6. Director of security
9. Application Security Manager


Technical

1. Lead software security engineer — average salary: $233,333!
7. Cyber security lead
8. Lead security engineer
10. Cybersecurity Engineer

Call me cynical, but at least some of the current security issues are reflected in the fact that 60% of the top-paid job descriptions are management. And 3 of the 4 technical positions are at the bottom of the pay scale. Proof again that the further you get from the actual hands-on work, the less you actually know about the dirty details. And the devil is in the details.

If Cats are outlawed, only Outlaws will have cats

Well, yet again, another member of law enforcement has decided to step into the privacy/encryption wars. Today, Suffolk D.A. Dan Conley dragged out the same old argument that providing encryption to the masses will only serve the interests of criminals:

“In America, we often say that none of us is above the law. But when unaccountable corporate interests place crucial evidence beyond the legitimate reach of our courts, they are in fact granting those who rape, defraud, assault and even kill a profound legal advantage over victims and society.”

Which translates, I think, to this: those of us who use encryption to maintain a shred of privacy in the face of unlimited data collection of all kinds of communication without benefit of a search warrant are somehow playing into the hands of these criminals, who will now be able to carry on their nefarious activities behind the shield of encrypted communications.

Notice that Mr Conley, like so many of his ilk, never provides any statistics that demonstrate how law enforcement was not able to proceed because of encryption. Instead, we hear about horrific cases that wouldn’t have been solved if the perpetrator had access to encryption technology. And we never hear about cases where the perpetrator did use encryption which law enforcement was able to circumvent.

Funny thing about this is that the same arguments were made when Phil Zimmermann published the code for Pretty Good Privacy (PGP). As far as I know, the sky hasn’t fallen yet, although it may have and knocked me unconscious. No, wait, I pinched myself … I’m awake.


Derek Brink, in a blog post on an RSA blog entitled Watch Your Language: How Security Professionals Miscommunicate about Risk, addresses the issue of risk thusly.

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

All well and good. But. The devil is in the details of “likelihood.” One favorite measure of the metric-minded among us is the Annual Loss Expectancy (ALE), which is the product of the SLE (Single Loss Expectancy) and the ARO (Annual Rate of Occurrence).

The problem in measuring risk thusly arises when the likelihood (ARO) is very, very low and the consequence (SLE) is very, very high. Take the old expression “1 in a million,” which works out to an ARO of “.000001,” and an SLE of $1,000,000. Is the ALE then $1.00? No. The ALE is $1,000,000. If it happens, it happens. If it doesn’t, it doesn’t. The event won’t happen 0.25 times per year. Or 0.33 times a year.

This makes it damnably difficult for an organization to budget for security. If an organization is required to spend the amount that represents the impact multiplied by the probability of that loss, then do you spend $1.00? Or do you spend $1,000,000? The answer lies somewhere in between.

A Nobel prize to the individual who figures out this equation.
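
The gap between a $1.00 ALE and a $1,000,000 loss shows up once you look at the spread of the yearly loss and not only its average. The following is an added example, not part of the original post; the Poisson event-count model, the `Risk` class and both sample risks are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy, dollars per event
    aro: float  # Annual Rate of Occurrence, expected events per year

def ale(r: Risk) -> float:
    """Annual Loss Expectancy = SLE x ARO: the long-run average yearly loss."""
    return r.sle * r.aro

def yearly_std(r: Risk) -> float:
    """Std dev of the yearly loss, assuming the event count is Poisson with
    mean ARO (a modelling assumption; the post names no distribution)."""
    return r.sle * math.sqrt(r.aro)

def p_any_loss(r: Risk, years: float) -> float:
    """Probability of at least one event within `years` (same assumption)."""
    return -math.expm1(-r.aro * years)  # 1 - exp(-aro*years), stable for tiny ARO

def profile(r: Risk, years: float = 10) -> dict:
    """Summarise what the single ALE figure hides about a risk."""
    if r.sle <= 0 or r.aro <= 0:
        raise ValueError("SLE and ARO must be positive")
    return {
        "name": r.name,
        "ale": ale(r),
        "std": yearly_std(r),
        "std_over_ale": yearly_std(r) / ale(r),  # equals 1/sqrt(ARO)
        "p_any_loss": p_any_loss(r, years),
        "loss_if_it_happens": r.sle,
    }

# Constructed sample risks: both have an ALE of $1.00.
RARE = Risk("1-in-a-million, $1,000,000 event", sle=1_000_000, aro=1e-6)
ROUTINE = Risk("once-a-decade, $10 event", sle=10, aro=0.1)

if __name__ == "__main__":
    for risk in (RARE, ROUTINE):
        p = profile(risk)
        print(f"{p['name']}: ALE ${p['ale']:.2f}, "
              f"yearly std dev ${p['std']:,.2f} ({p['std_over_ale']:,.0f}x ALE), "
              f"P(any loss in 10 yrs) {p['p_any_loss']:.6f}, "
              f"loss if it happens ${p['loss_if_it_happens']:,.0f}")
```

Both risks budget identically under ALE, yet the rare one has a yearly standard deviation a thousand times its ALE, and the ratio grows as 1/sqrt(ARO) as the event gets rarer.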