www.liquidinfo.net - Security is a mindset

January 1, 2009

A question for you...

Happy New Year to all my readers! Hopefully you survived all the drinks, food and fireworks and feel happy for getting to live through another interesting year. Now I would like to ask you, my dear reader, what do you think of the following:

I have been working with security for around 7-8 years now, depending on where you begin counting. During this time I have done a lot of technical security audits and web application audits for around five years, worked on host hardening related matters, vulnerability management and other things. Currently I am a technical lead for the global Incident Response function of the company.

What kind of skillset do you think this all needs? Here are some:
  • Understanding of network topology, firewalls and networking in general
  • Understanding of how an operating system works
  • Understanding of services, protocols, how they interact etc
  • Understanding of different web application platforms
  • Understanding of vulnerabilities and design flaws
  • Understanding of logs and other information sources
  • Understanding of incident response processes
  • Understanding of how to do forensics
  • Understanding of security policies, organizations and how to interact with people
  • The need to be interested in and follow what is going on out there
  • etc...
I believe you pretty much need to be an all-around guy to be able to do this kind of security stuff, like giving consultation when needed, to know what to do to fix a found problem and so on. Sure, you can specialize in a certain area and be very very good at it, but having an adequate to strong understanding/know-how of many of those bullets is not bad either.

As you might have noticed, my latest blog posts have been a bit weird and not like my usual rants. As usual, the problem is about what you get paid for the work you do. What you get paid usually indicates how much a company values your work and how well it is in line with what you generally get paid for such work.

Would you feel valued and happy about it if you receive the same salary as a person who has local, small responsibilities, when your responsibilities are global and you need to have a lot broader knowledge of things? Sure, I enjoy my work most of the time but I still expect to get righteously paid for it, like most of us probably do. Most of us do not want to sell ourselves cheap. I have been told I'm grossly underpaid for what I do, and I have known that for a long time.

Maybe I'm just plain stupid for having been in this situation for so many years but I have hoped for it to get better. What would you, dear reader, do in such a situation?

4 comments:

Pauli said...

Since you asked for advice, here is what I would do:

I would clearly require my manager to correct the situation.

I would also back up my compensation requirements with salary surveys (eg. SANS) from the security field.

If my manager is not willing or cannot influence the situation and the situation is not corrected, I would then escalate the situation to my manager's line manager and/or in practice dimension and/or discuss with closest trustworthy & wise friends/colleagues (eg. polling whether my thinking is in balance and requirements justified).

If that does not help, then I would evaluate my motivation/satisfaction/enjoyment level and if found lacking, I would start digging on things I am not satisfied with and discuss those with my manager, how to correct them. At least to me frustration comes first on things that do not work or progress and they start to bug my mind.

If that does not help enough, then I would start looking for new challenges inside or outside the company (order depends on the frustration level; eg. I was so frustrated with my previous employer that I started to seek directly new challenges outside the company).

All of the above I would try to do if possible openly with my manager without negative frustration.

Unfortunately, the current business climate seems to be against your specific situation, which makes this even more difficult. Because of this, I would consider carefully my responsibilities to my family and their security and think at every step twice and consult closest trustworthy friends/colleagues before making actions. I would possibly even do a formal plan with formal requirement and action list, if the situation would require one.

That is what I would do.. Please understand that is what I would do.. This may not be best for you.

Some last thoughts.. When your company's responsibles see that you mean business (positively), then they can respond if they want and/or can and possibly use actions exceeding normal boundaries.

Finally, as I commented earlier, it is difficult to correct things when they have started to trouble too much. Mentally it is difficult to start being satisfied with something you have started feeling negatively about earlier. Also, the length of time seems to be very long, which makes it also even more difficult to correct without actions exceeding normal boundaries.

All the best to you on the road you will take..

Marko Ruotsalainen said...

Thank you for all the support you have given, Pauli. I appreciate that a lot.

Jani said...

I believe everyone has at one stage or another during their career been in your shoes.

They are not nice shoes to be in. My (personal) experience has shown that the organization's hands are often tied in its capability to correct this type of situation. Especially when it requires extraordinary measures.

As had there originally been a way and a will, the situation would not exist. Right?

But as Pauli has commented, I think it is wise to take a step back (if one can any longer do so) to reflect and look at the big picture in order to identify what can still be corrected.

Put yourself in your managers' shoes, help them help you.

And if it doesn't work out to your satisfaction, in the end there is so much more to life than just one job. If one is not happy, one should move on and seek new experiences whatever the reasons.

Should that be the case, it'll be better for you and your current employer.

But more importantly, whatever choice you do make, think about making it as a family.

Just remember it's a small world, don't burn any bridges while treading your own path.

Good luck, may the New Year be even better than the last. :-)

- Jani,

Marko Ruotsalainen said...

I have discussed this topic with my manager and it has been acknowledged that the situation is wrong and must be corrected.

Taking into account the current economic situation there isn't a quick fix available but at least there has already been some progress. In the long run things hopefully get sorted out.

Maybe it was a bad choice to publicly wind this issue but I needed some opinions other than mine.

I simply can't take the risk of leaving because of my family, even though I wouldn't be surprised if the axe falls in the near future anyways.

So, after calming down, I now try to look at year 2009 with clear eyes and see what interesting things I get to do and be part of. This also means that I will go back to my regular blog topics ;)

About Me

Marko Ruotsalainen