Penetration Testing mailing list archives

Re: Contract Rates??


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Fri, 02 Oct 2009 21:05:04 -0400

Greets,

On Fri, 2009-10-02 at 10:57 -0400, Jon Kibler wrote:

> Question: Is the market for SENIOR security architects and penetration
> testers fully saturated or is there a lot of unemployed senior level security
> consultants?

The real money is in writing malware:
http://www.chrisbrenton.org/2009/07/how-to-earn-money-with-your-own-personal-botnet/

;-)

With that said, the rates for the clients I work with are up for
security architects, but are down a bit for everything else.

I have a theory. Back around 2001 we became so good at finding
vulnerabilities that the vendors went numb. It became expected practice
that software will be vulnerable, so vendors no longer worried about
saving public face. It became more cost effective and better for the
bottom line to just let end users do the QC.

I think we have reached a point where organizations are now in that same
boat with their networks. It has become expected that pen testers will
break in, so better to focus on compliance and the overall posture. If
there is a break in, that's just part of doing business.

Seeing the same thing on the forensics side. A CFO faced with paying for
an in-depth forensic analysis will typically just assume the worst and
move recovery forward. While malware has become more complex, the
process used to break in is IMHO sloppier than it was 2-3 years back. I
think this is because attackers know they do not have to completely fly
under the radar. They just have to be stealthy enough that it is not
cost effective to chase them down.

> The reason I ask, is, I am being inundated by head hunters and job shops looking
> for senior level security consultants (10-15+ years of experience) at rates of
> $35 to $45 per hour for architects and $25 to $35 per hour for penetration
> testers.

Seems a bit low based on what I've been seeing. Is this contract for
hire or full time with benefits? Obviously the perks (or lack thereof)
will adjust the cost as well.

> A year ago, both pen tester and architect contract rates were in the $75 to $150
> per hour range, and some pen tester rates were even higher. Can anyone explain
> what is going on here?

SANS does a salary survey every few years. Last one was 2008 and can be
found here:

http://www.sans.org/security-resources/salary_survey_2008.pdf

Architect with 5 ys exp is listed at approx $98K/yr
Pen test with 5 ys exp is listed at approx $93K/yr

These appear to be full time positions rather than contract rates, so
adjust accordingly.

HTH,
Chris
-- 
www.chrisbrenton.org

