Let’s do something taboo today and talk about money. CISSP money. What exactly is realistic when it comes to CISSP salary expectations?
The average CISSP salary is somewhere around $120,000. That’s average, and CISSP covers a broad range of jobs, but keep that number in mind if someone offers you $54,000. I’ve seen $54,000 cited as the low end and that’s, frankly, ridiculously low.
The problem with averages
CISSP is, depending on who you ask, anywhere from the third to the sixth most valuable certification in IT and security. But this number is somewhat problematic because of the range of people expected to have CISSPs. Many organizations expect their CISO to have it. A CISO is a very high-ranking job. It’s anywhere from a Senior Vice President to a Senior Director. In my experience, too few organizations place the CISO at the SVP level, but even VPs and senior directors of large corporations get pretty hefty salaries. That does drag the average upward.
And immediately upon completing CISSP, you’re probably not going to go straight to average. What you get will depend on what else you have, what you were doing before you got CISSP, how well you sell your pre-CISSP experience, and the cost of living where you live.
A CISSP who lives on either coast of the United States will make more than one who lives in the Midwest. I’ve worked for more than one company that tried to exploit that by basing security services in the Midwest, where the cost of living is lower. You have to make 2.3 times as much to live in New York and have the same standard of living as you have in St. Louis. It was much cheaper in the long run to pay me the prevailing St. Louis rate, then fly me to the east coast when they needed me in person there.
And when I talked with my peers in places like Kansas City and Omaha, they made somewhat less because the cost of living was lower. Interestingly, that’s changed in the last several years, so it’s possible the difference in salary isn’t as great anymore.
Entry-level CISSP jobs vs entry-level security jobs
An acquaintance of mine brought up a problem, however. He searched LinkedIn for entry-level security jobs, and found a bunch of stuff that requires “CISSP, CISM, or equivalent.” That’s a bit of a problem.
None of the entry-level security jobs I can think of require either a CISSP or a CISM to do well. I’ve worked with people who did those jobs badly, but getting a certification wouldn’t have fixed them. I’ve worked with people who did those jobs well, and after doing those jobs for a few years, they moved on to another job, did well there, and got CISSP once they had more than enough work experience. I was honored when one former coworker followed that career path and asked me to sponsor him.
A job with a title like “Security Analyst I” shouldn’t require CISSP. It just shouldn’t. If you have CISSP-level expectations of that role, it’s not an Analyst I role. You need to either adjust your expectations or reclassify the role. The only roles I’ve ever held with a CISSP that didn’t include the word “senior” in them did have the word “engineer” or “manager” in them.
My CISSP lowball salary expectation stories
I’ve seen unrealistic expectations throughout my IT career, and getting a CISSP doesn’t eliminate those. It makes them a bit more rare, but I can still tell you some lowball stories.
I took a call from a relatively large company in the St. Louis area about a CISSP job. It was comparable to what I’d been doing and the commute time wasn’t bad, so I was interested. Well, I was interested until they told me the pay was $60,000 a year. The going rate on that job in St. Louis at the time was no less than $85,000. Plus, the place uses elements of the stack rank system. Why take less money to work in that kind of environment?
I guess I declined them politely enough because the same place called me again a couple of years later. They pitched me a very senior-level gig that was an unusual combination of what’s usually multiple roles. They told me it paid $80,000. I would have been a questionable fit for the role, and that gave me a polite way out. I know people who would do pretty well in that role, but they were making more than $120,000 where they were.
And I once turned down a written $80,000 offer. In person, even. All I had to do was sign it and say yes, and I literally handed it back to him and said no. I was interviewing for jobs in the 90s and the interviews were going well, so I saw no reason to accept what I saw as a lowball offer. It ended up taking about three weeks to find what I was looking for. If you do the math, that was worth the wait.
How to find the right salary for your qualifications
CISSP or no CISSP, you can find the prevailing rate for your qualifications with some digging. Look at the job openings in your area. Find some jobs you’re qualified for. If you can’t find a good match, there are a couple of ways to expand your search. Search for jobs that peers in the same pay grade as you would be qualified for. Or, find some cities with a cost of living similar to yours and search there. Not all job descriptions include salary information but you should be able to find a few.
That information will help you recognize lowball offers if you get one. While $90,000 is well below average for a CISSP, you may find that’s the prevailing rate for non-managerial jobs that either require CISSP or list it as desirable. In some parts of the country, that’s fair. In other parts of the country with a higher cost of living, it would be a lowball offer.