Maril: 0:14

Welcome back to another episode of The Cyber Queens. As always, I'm one of your hosts, Maril Vernon, resident offensive and hacking expert. I'm joined by other co-host, Nathalie.

Nathalie: 0:25

I'm Nathalie Baker, SOC manager and all-things Blue Team. And we are also joined by a special guest, Claire Southwell.

Claire: 0:33

Hi, I'm Claire Southwell. I work with Nathalie in the SOC.

Maril: 0:37

And today we are here discussing the theme of debunking salary expectations. There is a very common misconception out there in the greater cyber verse at large, that cyber people should immediately be making a hundred thousand dollars a year right out of college. And we are just here to tell you that, while there is unlimited earning potential in this field, you can rise as far and as fast as you want, you're not gonna be there day one. Day one is not where it happens.

Nathalie: 1:06

Usually if you have taken an internship while you're in college or while you're doing whatever boot camp or however you decide to get in, if you work as an intern first, you could graduate college making a hundred thousand dollars. You very well could, because then you have experience to back it up. But the key is you have to have the experience to back up the salary.

Maril: 1:28

A lot of that unfortunately is gonna be cost of living. One of my interns went on to accept an initial offer of$90K in Washington, DC, though. I'm sorry, in this work from anywhere environment, that's not gonna be everybody.

Claire: 1:39

It's completely true.

Maril: 1:42

More realistically, and- I feel so bad because there are so many people who wanna be pentesters or who wanna get into cyber. And they're like, but I need to start making a lot of money now. And I'm like, don't get me wrong. I understand. I was there. I was a single parent. I did not have thousands of dollars for SANS certs, I did not have 5, 6, 7 years to wait to learn to Python before I could even dream of being like in this field. I need to get started now. And I need to rise very quickly. So it's absolutely doable. It's absolutely possible. I meet so many people who are like,"I'm not gonna say yes to this analyst. I'm not gonna say yes to this entry level position. I'm not gonna say yes to something that's not what I want. I want pentesting. I will only be a pentester. There it is." Okay, great, fine. Hold out. But you're gonna be a 60K a year pen tester, cause again, you have no pentesting experience. And pentesting by the way, starting out with that is very unique. Still. Even in the current environment. Most of those folks were somewhere else first. You learned something in the trenches of IT ops or SOC or something before you move into offensive security. They're missing out on these great opportunities, somewhere that they could get their foot in the door, teach them about the org, teach them about the security outlook, teach them about what they need to know to then paint themselves as like the offensive or GRC or whatever expert they wanna be. I'm like, you guys are missing out because you're not willing to make 45 grand a year for six months to a year? 60 grand for six months to a year?

Nathalie: 3:01

It doesn't have to be long term it's it can be very short term if you learn fast. I think that a lot of think you have to sit there for 10 years to gain such experience to make to that salary difference. And it's not. You can't move up quickly. I started out I took a break from my IT career and then came back in and within two years I was in a security role. And that was when it was harder to get into security, there weren't entry-level security positions available. Because of that, I was like I wanna make entry level security a thing.

Maril: 3:36

I think it really has become a thing more nowadays. It used to be that any entry level security person was already like a mid-career level something else person. But nowadays we have people like me starting their careers in security. So you can get into a security function right away, but I will say, it is much easier if you start somewhere else first, because it lets you again, learn your organization. What are their obstacles? What are their goals? What are their hopes and dreams related to security? And you can say, "Hey, listen, I know this isn't my job. I'm stepping outta my lane here because I'm the person who pushes your patches, but I notice we don't use a DLP tool and I'm thinking we could really decrease our attack surface and our exposure to someone emailing PII or something they shouldn't be if we just installed one of those. I'm happy to head that project. I'm happy to admin the tool once it's up and running," and then people start seeing you in a security context. But you had to already be working for that org first. You had to already be interfacing with those managers first. Claire, how about you how long have you been working for Nathalie?

Claire: 4:39

I've been working for Nathalie, which is my first cybersecurity role for a little over a year, getting towards a year and a half. Prior to that, I had done about a two month stint in tech support, completely unrelated. And before that, I had worked in retail. I did a few years working in loss prevention, which is actually how I started unofficially doing some tech support a lot, like what you just described, because we would have problems in our work environment. And I was the person who had the confidence to say,"Hey, I'm gonna Google that. I'm not gonna wait for the support team. I'm gonna figure it out." Or once I had gotten the answer from the support team, then the next time one of my coworkers had the same problem. I was the one saying, "Hey, I know how to fix that. Let's fix it." I was really hoping to actually pivot within the organization and get into tech that way, because that was around the time that I became interested in a career pivot. Unfortunately, that company was hit very hard at the beginning of the pandemic. So here I am now, and I'm pretty happy to be working for Nathalie. So it all worked out.

Maril: 5:42

Oh, yeah, I gotta impress the boss cause she's here on the podcast. I'm totally kidding. I would probably work for Nathalie.

Nathalie: 5:48

She would definitely say what she thought. If she didn't like working for me she'd tell you.

Maril: 5:54

Excellent. Good. Advocate for yourself.

Claire: 5:56

If I didn't like working for you, I wouldn't be here hanging out with you on a Saturday.

Nathalie: 5:59

Exactly.

Maril: 6:00

That brings up another important point. Always advocate for yourself. Don't be afraid to tell your manager if you're unhappy or they're gonna be unhappy when you leave and they had no idea why a sidebar. That's a great avenue into it. When you saw the SOC position, was that what you wanted when you wanted to get into tech or you wanted to get into cyber? Like why SOC? Or was SOC like simply the convenient thing, and are you hoping to go somewhere else, or what are you hoping to get out of it?

Claire: 6:25

So, yes, I saw the SOC position. I had heard really good things about the company, so I knew that it was a great place to work. And I had been waiting for a role to come available. I'd been watching their website for over a year. And I had been using my lunch breaks at my crappy retail job to take online courses, the whole deal. I was just waiting and applying to jobs and waiting for a good opportunity. But we talked about a lot of people expect an entry level cyber person to already have five years of other IT experience, which I did not have. So the SOC was amazing because it was that entry-levelish position. I was expected to have some basic knowhow, but I wasn't expected to have these years of experience under my belt. And I knew that this would be a good way to get some general experience, learn how a SOC works and hopefully find my niche and move forward.

Maril: 7:22

SOCs are so great, because you get exposure to so much. No matter what the thing is, you have to investigate, it could be firewall alert, web app alert, portal or API alert. Like you're gonna get exposed to a lot. Which is great.

Nathalie: 7:34

Server infrastructure.

Maril: 7:39

This next one might be a given that you said you just came from a crappy retail job, but was it a pay a pay cut or a pay increase for you to go work for the SOC?

Claire: 7:46

Oh, not only was it a pay increase, it was also just a huge quality of life increase because anybody who's worked retail knows that the scheduling is bad. You're gonna be working weekends. You're gonna be working different shifts every week. The pay is bad. In the company I worked for overtime was absolutely forbidden, so there wasn't even the possibility of overtime. You just had to go home leaving the team short-staffed. There were no perks. We did have benefits, but nothing great. So it's so nice to be in an environment where the schedule is regular. The whole team is very oriented towards work life balance, and we are all very respectful of each other's time and time off. There's plenty of PTO, which is amazing. There's lots of flexibility for people to have their real life in addition to their job and I'm so happy with it.

Maril: 8:37

That's amazing.

Nathalie: 8:38

PTO, having enough PTO and having that like work life, like I will yell at people if they're working on their PTO, I don't do that. Like you don't work on your PTO. If somebody has to work on their PTO, it's gonna be me. If I have to work double time or overtime, I don't care. It's my job. As a manager, it is not my people's job to work overtime. And if you don't take your PTO or you don't have anything scheduled early enough in the year, I'll start asking you about it. I'll be like, so when are you gonna start taking PTO? When are you putting PTO request in?

Maril: 9:08

I'm the person who's like, if you work on my team, I'm like, listen, I'm a hacker. That's my job. If you don't sign off right now, I'm just gonna revoke your access. Go take your PTO , but do, as I say, not as I do, cause I'd be forced to take my PTO. It's very hard to step away. I don't have control issues though. And that leads into another great point when it comes to evaluating whether or not you're gonna take a position because again, the most crucial thing is that learning, the most crucial thing is to get in somewhere. Start finding a mentor, finding someone on the job to teach you how to get to the next tier is to consider your total compensation. Consider your full benefits. I know a lot of people who are like, oh, Amazon offered me, 200K to go work there, which is like 40K more than I'm making now. Amazon is one of those people with like mandatory overtime. You don't have an option. Work life balance is unheard of. Turnover is high. Professional advancement is difficult, cause you have to be able to step away from your work to advance yourself and do the learning. I know people who leave money on the table salary-wise for RSUs, cause they know they're gonna stay at a company for a long time and they want that big payday later on. So consider these things.

Nathalie: 10:13

You can negotiate into any kind of salary. You can usually negotiate. If you want more- like you want more vacation time ask for more vacation time, a company is more likely to give you more vacation time. You wanna get your education paid for, ask them what their education opportunities are. Like, ask them how you can advance, but also ask about like things you wouldn't think about short-term disability, long-term disability. Nobody needs it until you need. It's, it's like security. You don't think you need it until the one day that you do.

Maril: 10:44

Everyone gets all mad paying into insurance like "I never use this." That's good! You don't want to need it and not have it that's a way worse place to be in!

Claire: 10:54

You just mentioned paying for education I would say, definitely ask about that. Because I know from talking to people who work for other tech companies, managed service provider, similar jobs to what I do. Not everybody is getting ongoing training paid for and not everybody is allowed to even do that kind of thing on the clock. I know that if I have downtime, I'm encouraged to use that for education and professional growth. Not everyone gets to do that. So definitely find out going into a job. Can I study and learn and branch out and improve myself? Obviously the answer should be yes. And if you present it to the hiring manager in those terms, how are they gonna say no? But some companies have very strange policies about that. So definitely find out what you're getting yourself into.

Nathalie: 11:40

And how Claire interviewed was perfect. Cause she was like one of my favorite interviews. She turned the interview upside down on the interviewer. She started out with questions first and I was like, that's what you should do? It's so much fun. It was so much more fun because I was on the fly because you guys know I plan out my questions, I'm a very, I'm a planned person. So I have to plan out my questions, but we still got through all the questions that I have, but Claire was like, now I'm taking control of this interview and this is my interview. And I was like, go girl, go heck yeah.

Maril: 12:14

Sidebar from our topic. But I tell people, and I will say it a thousand times. Reverse classroom, your interviews. Put them in the hot seat. Interview them back. Otherwise, you basically have been explained, like what you should show up having on you already, but you don't really know what to expect. I'll be like, what am I doing here? I don't know. Do you know? Me either. Great.

Nathalie: 12:37

And you don't always have to be the yes person. So maybe that should be a whole different episode. You don't always have to be a yes person. Cause everybody thinks they have to say yes to everything. And that's how you get in those situations where you're unhappy later.

Maril: 12:51

I have some horror stories about that. So we should absolutely do an episode about that. But going back to what Claire was saying I had one job where if my work was done completely done, no one actively needed me. I didn't have a customer in front of me. I was reading a book and I got asked what are you doing? And I'm like, "Reading.""What?" A book about my job.""Why?""To get better at my job, I don't know?" And she's like, "Don't do that. Go find something to do." I'm like, this is something to do. This is something that is value added for me to do. Is not one of my goals that we've documented with HR, for me to become better at my job? This is how I get better at my job in a measurable fashion. I read a book and gain some knowledge I didn't have before. But people are still opposed to that, and that's bonkers. I'm the kind of person who will buy a boot camp and six months later I haven't started it and my boss is like, "how's that boot camp going?" And I'm like it's not. He's like, " from now on book out every Friday. You have no meetings every Friday. You are learning, you are getting through this material. We paid for it. It's gonna help." That mindset is a benefit. It's an intangible benefit that does not come standard with every job, every boss's mindset, but it's very important. And if they pay for it even better, let's say you front the dime for it. They can at least give you the time on the job especially if you've optimized your role and you've documented, and all of your processes are running smoothly. They can at least give you the time, but if they're gonna pay for it even better. It comes

Nathalie: 14:15

in different forms too, of being paid for. Cause some companies will pay just for college classes. All they care about is they will pay for you to go to college. And it's like, okay. And then some companies will pay for certification courses and all of necessary materials. Some have like training already set up through another system that they can offer you training. So you don't have to pay for the training. Anything outside of that you'll have to pay for. Some companies they pay for all the training material, but they won't pay for the certification test. So make sure you're asking those intricacies of what their education benefits are in your interview.

Maril: 14:52

Does that budget go towards travel and accommodations or just the physical material? Making sure. And it's so important to know the difference too, between things like paying for college credits or paying for certs, because certifications usually come out of your department's budget. Your security department says, we believe in this professional, we're gonna pay for this budget, but like master's degree help or college credit help is usually an HR benefit, it comes from an HR budget. So there's a way to maximize those things. We'll do another episode on some search and some alternate routes you can take. I had a company who would only pay for a master's program, not for an IT cert. So I found a master's program that got me to industry certs out of it as part of the curriculum. So I was able to federally fund it through my end through my company, but get industry certs I could rely on later. So there's always just something you can do, but the point is don't get super married to the salary, Gen-Zers and my peers, like we are all married to salary and I get it money in the door at the end of the month. I'm a single parent. Believe me. I understand, but we need to be realistic with ourselves. If you're gonna demand the moon and stars day one, then you better be able to deliver the moon and stars day one. Those are like the people who've been hacking since they were 12, people with engineer parents, people who've been around this material for a long time and don't have a strong learning curve. If you need the learning curve. I love the learning curve. I'm like, I wanna be an idiot for as long as permissible before I'm expected to actually output any products people wanna rely on. I need to do situational awareness. You don't have to say you don't have to take yes for an answer. If something you feel is under valued. Valuing you and the skills you do bring. Fight back advocate for yourself, but be realistic. Take the entry level jobs, take the analyst jobs, take the jobs in the departments that might work with security and get into security later.

Nathalie: 16:27

It will make you such a better security professional in longlong run. Once you've seen that under fundamental knowledge. And I always express that You might not make a boat of money right out the gate, but it's gonna make you a more well rounded security professional. You'll have understanding and more depth understanding than what a lot of your peers will have. I've always said that with the knowledge is more important than just as important, if not more important than depth of knowledge, because knowing how different technologies, especially on the defense side, because knowing how different technologies play into other technologies and how they all interact is really important for my side to know which pieces you can put a wall between and which ones you can't, which ones need to have a doorway there. And then I would say another thing that you should also look for in a company is do they support their women in the company? Especially as a woman, you have to know that. Like our company they nominate women for women in technology awards and stuff like that. You have to make sure that your company's actually going to support you and they're going to have your back. You know how many times I've gotten on calls with vendors? Or with somebody else's software person, software developer, and the software developer was trying to talk down to me and my boss was like, oh no, we're not having this. And then I would just go at them with facts make sure you have a company that's going to support you getting a little bit of an attitude with somebody. If they try to talk down to you, like not a client, but like a, if you're talking with a developer or something and they try to talk down to you no, I have all full rights to be like, who do you think you are?

Maril: 18:09

One of the things I evaluate when targeting company to see if I wanna work there is what is the ratio on men:women in leadership? Am I only gonna be dealing with the old guard? When I need to get a new initiative off the ground and they're gonna be like, "oh, good. Here comes, the boppy millennial chick security to ask for more money," or is someone actually gonna give what I'm saying credence, because I'm a qualified security professional. Mindset's a big thing. The other thing I'll say is if you do find yourself in the position where you have to take a lower paying position temporarily, especially career pivoters, this isn't Gen-Zers so much, but if you're a Millennial and you're trying to come from finance or law or something else into security, you might take a pay cut at first. Go into that pay cut with it being a means to an end."I'm gonna be in this job for eight months. I'm gonna learn these skills. I'm gonna glean every, I'm gonna make myself mini versions of all you people. I'm gonna learn your job and your job and your job. Optimize it. And then I'm gonna start job hunting for my next thing and I'm gonna get a 60% pay raise because now I can replicate everything you can do." Sometimes simply identifying the skills you can take with you, how to make yourself more marketable. That is the intangible benefit to taking that position.

Claire: 19:14

I didn't apply at Appalachia, intending it to be a short term job at all. I'd love to be there for at least a few more years. But absolutely agree that if you can afford to take a short term pay cut, that's a fantastic option. Would you rather, if you're trying to make a career pivot, would you rather take a temporary pay cut? And learn the skills that you wanna learn in real life, not out of a book, not out of a Udemy course. Or would you rather keep working at the job that you hate that you're trying to leave and just squeezing that experience, that fake experience in your spare time? I would absolutely take the paycut, do the job that isn't your real long-term goal, but that helps you get to your long-term.

Nathalie: 19:53

If you're gonna bet on anybody, you should bet on yourself and that's be on yourself. When I when I first left the legal field and came back into the it field, I came in an IT support. I was making like 12 bucks an hour. And I was working like crazy hours sometimes. And look at me me now, now. It was very short term. Every job that I had after that for the first, like two years, I was just like job hopping every eight to 10 months, eight to 10 months, I was job hopping. And then I finally found a company and I was like, okay, this is the place that I can call home. And when you find that company, things will start to change. Like you will you'll know when you find that company, because it'll be the company that you can see yourself with and you can just keep growing and growing within that company. And then you'll work your way to the top. When I joined my company, they didn't even have a SOC. I stood that up and I was like, we need this, we need to have this. We wanna be a cybersecurity company. Let's do this.

Maril: 20:49

Put the money where our mouth is. I agree. I have minimum requirements that for even entertaining working at your company, I no longer do fixed PTO amounts. I am used to working for companies with unlimited PTO philosophies. So I'm like, that is the minimum requirement for me to tolerate working for your company.

Nathalie: 21:07

See, I think you have to be careful with unlimited PTO though. Cause some companies are like, we have unlimited PTO, but nobody ever takes PTO. You can't tell that you have to have PTO, like either get somewhere, that's gonna give you enough PTO to make you happy to start with and then gains you more. And there's some places that'll do if it's up to your manager's discretion, like some days you can just have free days off because your manager's like, you've been working really hard. Just unlimited PTO. A lot of people don't take PTO when they have an unlimited PTO and there's been numerous studies about that.

Maril: 21:45

I will say I've never experienced that. Everyone on my team uses it and we're forced to use it and we have to have it as a security check partially to make sure nothing nefarious is going on. But everyone I know really advocates for it, but it's the point that I don't have to earn it to take it, which I like, but that's my minimum. But as a benefit, I'm like do you have anything else to offer me to keep me happy while I'm here? That to me is fringe benefits. I need those to stay motivated to stay here. By the way, Gen-Z, please don't feel bad about job hopping every eight, eight months to a year. It is so typical now. It is so expected now. Sometimes that's the only way you're gonna make more money because your company will trap you in a 7% annual raise. And the next company is like,"Well, we're losing 100K every day, this project isn't done. So we're willing to spend an extra 60K bump to double your salary to have you come work for us." That'll pay for itself within a week. Don't feel bad job hopping. Don't only chase the money, we're saying don't only chase the money, but don't feel bad about doing it either because like Claire mentioned it is mental relief. It is a quality of life increase as well as a salary increase for a lot of us. A lot of times, no one came here to stay poor.

Nathalie: 23:01

You can also, typically get other things added in too. If you want, like when you go to renegotiate your salary every year, and one question I always ask in an interview is, how do you evaluate my performance? Is it on a yearly basis, bi-annually basis? Because I wanna know that there's like a certain day that you're going to make sure that I have this, or I have that, or I have this. Hat you're gonna make sure that I'm getting an like annual raises at the very least. But then also the fringe benefits. They're so great. There, there are some companies that, I know our company, we had we're gonna have a SOC-sponsored float. We're gonna go floating down a Creek.

Maril: 23:44

Oh, I forgot that. That's so much fun.

Nathalie: 23:49

But then, some companies will pay for conference attendance. Some companies do happy hours after work.

Maril: 23:56

There's office equipment reimbursements. There's FSA/HSAs. Like I'm one of the only people in my company who ask, do we have a flexible spending account I can use for dependent care? Cause I pay up the yin-yang for childcare and they're like, "oh, that's not something we typically offer. No one's asked. But if that'll make your life easier we can do that." I'm like great. It does make my life easier. Never be afraid to ask for these things. The last point I really wanna make this is a hard point is don't forget to factor your tax bracket into your salary requirements. Because there's actually a point past like 180K, where if you bump up into the 200, you're gonna net less because your tax bracket's higher, but you're not actually keeping as much of it. You have to get up to 220 before that starts to even itself back out. And you're technically netting the same at 180 and 220, if you're head of household, and unmarried. Just so you're aware.

Nathalie: 24:45

You're like I got a raise, but it's not, isn't really a raise.

Maril: 24:49

It's not really a raise. It's all going to, taxes. I'm still getting the same. It's still important to make those leaps because that's a milestone. Now you can say you can never pay me less than 220K. And although you're netting the same as you were at 180, when you only go up from there, you start to keep more of that. So keep that in mind, I made very poor calculations at one point in time and figured out my salary was not adequate to my needs because my big fancy salary came with big fancy taxes. So just be aware of that from a millennial . Okay ladies, we're gonna go ahead and wrap this episode up. Are there any key takeaways, any parting shots you really wanna leave our audience with regards to salaries and expectations?

Nathalie: 25:26

I would say, make sure that when you go in for that interview question, they're always going to ask you at the end of interview, what are your salary requirements? Be honest. Be honest with yourself and be realistic with yourself. It's super important to do that. If work life balance is important to you, you might take a lower paying job that first, but that's okay cause you can work from there and build.

Maril: 25:51

I always like to approach that one with what's the salary range for this position? Okay I think I deserve the higher end of that because on average, my position makes this, and I think I bring these skills and I think I can do this job. So I think I deserve the higher end of that. Or I'm gonna ask for a little more. Or I was gonna ask for this, see if they shortchange you. Claire?

Claire: 26:10

I agree. Ask. Be realistic. Think about what you're making now. Add more. And then once you've been in that role for a while, think about the raise. Is it coming at your one year? Is it coming sooner? Another thing we haven't really mentioned is just cost of living, especially right now. Inflation is insane. If you didn't get at least what is it? A 5% raise this year, you took a pay cut. You have to be getting a decent race every year. Even if you're not increasing your lifestyle spending, you need a raise. Let's be real. You need a raise. You're an adult life costs a lot of money. So advocate for yourself.

Maril: 26:51

That's a great one. Definitely always advocate for yourself. Don't wait for someone else to do it for you cause they won't. My takeaway is going to be please don't turn down the opportunities that are ancilliary to security, not necessarily exactly what you want, because you're afraid you'll never get into security. Those are the best ways to get into security and they make you a better security professional. I grew up in risk. I was a third party risk manager or not manager, but like third party risk analyst. I learned so much about security controls dealing with SOC 2 type 2 audits and risk in general, that it made me a better pentester. And I'm still one of the only red teamers I know to this day, who can tie technical findings into business risks and communicate to business managers and owners how the things we do in the technical side benefit and impacts the company on the business side, which is what the company ultimately cares about. They care about, bottom line, business dollars, attack surface, cybersecurity insurance. Those are all things that layman managers care about. So see the learning opportunity in every position. Find a way to pivot yourself into security, paint yourself as the go-to security person. And don't forget the ancillary benefits. When you're starting out, the lower salary might be worth it because they also have a learning budget, which that's the most important thing to you. You're still a student. You've graduated college, but you're still learning. So identify the people you can work with and learn from. And if they have rock stars there, take the paycut, work with the rock stars, use your personal development budget and turn yourself into the next rockstar. I think that's all we've got. So thank you so much for joining us for this episode of the cyber Queens. We hope you found it valuable. If you did, please hit that subscribe button and we will see you next time for more rants, feels, and advice. Bye.