IT salary not enough? Want to make £10,000 a DAY?

Cybersecurity experts are currently billing desperate companies £10,000 a day – yes, a DAY – according to recruiters Manpower. The company said on Tuesday that there is a "booming business and finance sector" in the UK looking for talent, noting that the high-profile hacks at Sony and TalkTalk have "created a surge in demand …

  1. Rainer

    Names?

    So we can avoid them, when making purchasing decisions.

    1. h4rm0ny

      Re: Names?

      Would you prefer companies like TalkTalk that don't appear to spend anything on IT security? Sure - throwing money at something in a panic doesn't fix everything, but it can sure help. There are highly skilled security consultants out there - I have worked with them. And at least if a company is paying that level of money the upper management are at least likely to be listening to the results. The problem I most often see is not a lack of security knowledge in the lower and mid-levels (though I have seen that too), but that senior management don't listen to those below them on the subject. I've seen more than once an engineering team having to sneak in security fixes and upgrades as part of a non-security focused project in the sense that management approve some new service or feature and the engineers all use it as an opportunity to try and clean up out of date libraries, fix flaws, etc., knowing that rolling it into something else on the quiet is the only way it will get done.

      Of course that's not the way things should be done, but the engineers know they'll take the blame if there's a problem. At least with the highly-paid consultant (and like I say - some of them really are very good), it shows upper management are theoretically listening to them.

      1. Rainer

        Re: Names?

        The state of (in-)security in a company rarely has anything to do with the amount of money you spend. Especially if you spend it on a consultant charging five figures per day.

        Security is a process, a line of thinking. It's really how you do business, how your employees think and work.

        Spending that amount of money just for a single consultant looks a bit strange to me.

        (had done pen-tests early in my career, where I once happened to see the remaining traces of my own (legal) break-in attempts when a couple of months later the client was hit by "Code Red" and really had to get serious with cleaning up the servers...)

  2. Anonymous Coward

    Dilemma

    To earn 10,000 a day and get sued for a million when you get it wrong, or to earn less and be safe...

    1. Anonymous Coward

      Re: Dilemma

      To earn 10,000 a day and get sued for a million when you get it wrong, or to earn less and be safe...

      Nah, that's what contract disclaimers and insurance are for. The trick is to gather a few people together in one company, that way you get a collective insurance which is higher, yet each pays less.

      My main problem is that most of these people are script kiddies in a suit (especially the bigger consultancies have loads of these).

      They waltz in with a laptop, usually with nmap and nessus, run a test script and then just list the results in a nicely formatted report. Like so many other people in the "finding faults in other people's work" business (like auditors), their competence rarely extends into interpreting what they find, let alone assisting the company with actually fixing the issues. Heck, often they don't even know how to rate the risk of what they have found in context of the company they are reviewing.

      I've taken stock exchanges apart in many countries, entertained myself by winding up governments by finding embarrassing problems and I even had my hands on the direct controls of the trading value of one of the world's most important commodities (no, that's fixed now, that's why I was there :)), but I have NEVER just left the team whose work I had to review out in the cold without help.

      I have been on the receiving end of audits too - I know what it feels like to have an outsider find faults that your boss then uses in your next performance review. Unless the person is indeed a total and utter idiot with no hope of improvement I usually try to find good things that they can build on to fix the issues; it's ethically simply better.

      Yeah, I know. It shows I'm old school.

      1. SecretSonOfHG

        Re: Dilemma

        <<Like so many other people in the "finding faults in other people's work" business (like auditors), their competence rarely extends into interpreting what they find>>

        Have an upvote here. I've always wanted to find such concise wording to describe what I feel each time I have to deal with "auditors" (security or otherwise).

        1. Anonymous Coward

          Re: Dilemma

          Have an upvote here. I've always wanted to find such concise wording to describe what I feel each time I have to deal with "auditors" (security or otherwise).

          Thank you :). To be fair, auditors do have a function, but what gets on my nerves is this weird attitude problem some appear to have. Just because someone grants you the right to offer your opinion doesn't mean you are always right. I know it's a character flaw but I find great pleasure in taking down such people a peg or so, the work I do is FAR too critical to allow egos to get in the way.

          Then again, I'm old enough to get away with deliberately cultivating a few awkward traits. It's kinda fun to get paid to be ol' grumpy :)

          1. RobertD

            Re: Dilemma

            What you need to remember about audits is that they are ultimately checking to see if you are operating in the way you said you would - in line with company policy, agreed standards etc. So if you're not, don't try to hide it, try to get the policies and procedures changed. And please also remember that auditors start off all fresh-faced and well-meaning, but years of dealing with grouchy IT boffins who think that the rules don't apply to them takes its toll.

      2. Vic

        Re: Dilemma

        My main problem is that most of these people are script kiddies in a suit

        I was contracting at a place where one of these muppets turned up. He was there to do an in-depth security audit of the grid I was running.

        After a couple of weeks of probing and, dear $deity, so many meetings, he came up with a firm plan to ensure the security of the grid. We had to move everything from CentOS to RHEL.

        There were a number of issues with that grid[1], but that wouldn't have solved any of them[2].

        Vic.

        [1] One of which I deliberately put in place, because I had to build a bespoke application in 2 weeks, and I simply didn't have the time to do it properly.

        [2] It would actually have made things worse - these machines very deliberately had no direct Internet access. And there was no budget to set up Satellite or similar.

        1. RobertD

          Re: Dilemma

          £10k a day? I wish...

          Anyway thanks Vic for getting to the heart of why security is always poor, always an add-on and we keep seeing breaches - not enough time, and no money. Still, it keeps me in a job.

          Cheers!!

        2. Anonymous Coward

          Re: Dilemma

          We had to move everything from CentOS to RHEL

          At least it was still a platform you were somewhat familiar with. I've had to deal with numpties that wanted to move everything to Windows. That can sort of work if your whole outfit is Windows and you have the extra resources available to cope with that, but if you're wall to wall *nix, adding Windows to the mix "for security" is, umm, let's stay polite and call it "ill advised" (stop laughing, that really happened, and they were very insulted when I fell from my chair in helpless laughter when they proudly presented it :) ). I prefer to have a BSD box for relay and gateway duties, but I must admit that is residue from the days I built Gatekeeper firewalls, I prefer to keep a mix of platforms at the border to prevent cascade security failures.

          Sometimes you have to address issues in stages. I recall an outfit in HK that had massive spam problems (lots of customers being infected and acting as spam relay). Yes, we could have cleaned up the customer machines, but the first step was a network change: we simply set up a mail relay and then blocked port 25, at which point outbound traffic volume dropped like a brick. After that we helped customers clean up - because the mail relay required authorisation customers did not have much of a choice :).

          1. Ken 16 Silver badge

            Re: Dilemma

            The OS doesn't matter, aside from standardising so the staff know how to work them and can apply the same fixes to them. Also there's no point identifying a risk unless you offer options to contain it. If your options make sense you may get the work to apply them too - kerching!

        3. Anonymous Coward

          Re: Dilemma

          "We had to move everything from CentOS to RHEL."

          Well at least it would have been fully supportable, even if it was moving from one OS with very high vulnerability levels to another equally as bad...

          "I've had to deal with numpties that wanted to move everything to Windows. "

          Good for internet facing stuff if a current version with the correct Microsoft security template applied. Tends to have far fewer holes than commercial Linux distributions, and is less likely to be hacked. If you are on BSD, no real gain though.

          1. Anonymous Coward

            Re: Dilemma

            Good for internet facing stuff if a current version with the correct Microsoft security template applied. Tends to have far fewer holes than commercial Linux distributions, and is less likely to be hacked

            BS. You still need to keep a default Windows install away from the Net until you have a number of extras installed such as anti-virus, whereas a decent Linux distro is basically connect-safe out of the box, even before patching.

            Either platform can be made relatively safe, it just takes considerably more work with Windows, also because not all of the tools to do so are native to the platform. Overhead matters.

      3. Davester

        Re: Dilemma

        Old school, good school. I've been developing enterprise applications for years, and want to move more into security. From your experience, would you be so kind as to recommend best practices or a book to get a solid grounding in security - sort the boys from the men? :-) Much appreciated, Dave T

        1. Anonymous Coward

          Re: Dilemma

          I've been developing enterprise applications for years, and want to move more into security. From your experience, would you be so kind as to recommend best practices or a book to get a solid grounding in security - sort the boys from the men? :-)

          Your main work challenge is to differentiate yourself from many others, most notably the cowboys who spend less on educating themselves and thus have more bandwidth to advertise.

          To educate your thinking you could start with reading most of Bruce Schneier's book. Skip "Applied crypto" unless you're deep into math and want to learn about the depths of cert and cert management, but the rest is generally good stuff (I'm no fan of his self advertising, but his books are worth the investment). Also read up on what Ross Anderson publishes - anything Ross does is (a) decent and (b) uncompromising. Ross is the one person whose approval means you have done something absolutely right.

          You could also start reading most of the materials of the Hacker Highschool - it may have been written (and is actively used) to educate kids, but it's good stuff for a grounding (full disclosure: I'm one of the authors :) ).

          Start paying attention to security alerts such as from CERT and Kaspersky and other sources, and Brian Krebs' site is also a good read (also read the "about" - many of us sort of fell into security due to interest and aptitude, not because it was paying well - that happened later. Most of the time you're just found a nuisance :) ).

          You also need to decide on where you want to go. Build on what you already know, and learn about the rest of the stack as and when, but keep one thing in mind: good security people also need people skills. Most of the industry relies on fear to sell; your job should be to allay some of that fear because that is the right thing to do. Also learn to negotiate: security is often a cost, and you thus have to learn how to balance risk versus available budget. On the plus side: if management is asking for a consultant, it is usually to justify a budget.

          Good luck, let me know how you get on.

          1. ButlerInstitute

            Re: Dilemma

            "Bruce Schneier's book"

            Which book ?

            He's written several.

            1. Anonymous Coward

              Re: Dilemma

              "Bruce Schneier's book"

              Which book ?

              He's written several

              Apologies, that sentence misses one character: it should have been books, so all of them :). Pretty much all of them are worth reading, not all of them relate to security per se but it's good to see the context in which you seek to function as well. And his blog is occasionally also interesting although I find Eugene Kaspersky's more interesting - he seems to have a wider perspective.

      4. P. Lee

        Re: Dilemma

        >Like so many other people in the "finding faults in other people's work" business (like auditors), their competence rarely extends into interpreting what they find

        That's true, though it's almost always also true that the client can't be bothered to pay anyone to analyse their own applications and workflows. You can rarely do much when that is the attitude. Without knowing yourself, how can you improve yourself?

        At that cost level, we are talking about a consultant, not pen-tester. It works because at that price-tag, you have the attention of the very top people in the company. If you can talk to them and you can demonstrate the business case for improving security, something might actually come of it and they might start putting some decent security-improvement programs in place.

        For 15k, that's probably a good deal for the client who previously had to endure unintelligible talks on nmap and EMET, web filtering and dark web paedo drug pushers from fear-salesmen who had no interest in improving the client's business prospects.

      5. The First Dave

        Re: Dilemma

        But do you call yourself an expert? Everyone on the inside knows that most people who think they are experts in anything to do with IT are really just one level above complete noob ...

        1. Anonymous Coward

          Re: Dilemma

          But do you call yourself an expert?

          Absolutely not. You can only ever be considered an expert by others, because if there is one thing you need to train yourself in in security, it is to avoid any ego getting in the way. Calling yourself a specialist is OK, but anyone who introduces themselves as an expert has in my opinion declared themselves unsuitable (and insufferable to boot :) ).

          Which brings me to another VERY important tool to learn: teaching others. There is really no better method to discover that your knowledge has blind spots than seeking to teach others who will ask questions that you have overlooked (I encourage those I educate to challenge me too because only facts should matter). If you want a way to distinguish someone who you could call an expert from wannabe jerks who only spout jargon, see if and how the person teaches. The ability to convey knowledge in understandable, low-jargon language is a sure sign you're dealing with someone who actually knows what they're talking about.

          Teach to learn: it has worked for me for quite a few years.

    2. Anonymous Coward

      Re: Dilemma

      No ... you never get sued. You simply have a few recommendations that are far too expensive to implement. If something goes wrong you point at them, shake your head knowingly .... and negotiate your rate for the damage limitation exercise.

      Kerching!

      Posted anonymously due to working in IT security for 24 years.

    3. J.G.Harston Silver badge

      Re: Dilemma

      Who said anything about *earning* £1000? They're getting *paid* £1000.

    4. Dr Dan Holdsworth

      Re: Dilemma

      Ah no, because you will be trading as a limited company when you do the work and being a canny consultant, you will not be leaving very much money in the limited company from day to day. Your company will pay its sole employee a salary sufficient to satisfy National Insurance and all other payments will be as company dividends. No UK tax obligations will be evaded, but any that are not compulsory will be avoided.

      Should the company be sued, the court is perfectly welcome to fight over the thruppence ha'penny that the company coffers contain.

      1. RobertD

        Re: Dilemma

        If I remember correctly (not guaranteed), then you are actually liable for the amount of issued share capital, which I suppose could be thruppence ha'penny.

  3. cbars Bronze badge

    Have you tried

    turning it off an....?

    1. Ken 16 Silver badge

      Re: Have you tried

      ..d leaving it off? That works for security.

  4. Tezfair

    Not bad for what is essentially a 'self taught' industry

    1. Warm Braw

      The fact that those rates are being paid shows how desperate the customers are to cover their own arses, not the expertise that's being bought. I have a few contacts in the IT security business and they all tell me they're overwhelmed by demand and desperate for staff and it's largely driven by panic responses to the latest wave of data breaches. Every boardroom suddenly wants to be reassured that they're "OK" - unfortunately an assurance they can't buy, however much they're prepared to pay.

  5. Lusty

    "Patch your servers"

    "That seems too hard, anything else we can try?"

    "Yup, I have a friend who knows magic, he's £10k a day"

    "What's his number?"

    1. Dwarf

      Fools and their money

      Are easily parted ...

  6. Anonymous Coward

    Free advertising?

    Step 1: Say you'll pay insane amounts of money.

    Step 2: Appear on internet news sites.

    Step 3: Wait for a few more people to apply.

    Step 4: Pay whatever you would have anyway. Profit.

  7. a_yank_lurker

    Wrong Gig and Wrong Country

    10,000 / day, which is $15,000/day. A couple of months or so in Blighty every year, even after the tax frauds get to shake one down, should net at least $150,000. I have the wrong gig and am in the wrong country at those rates.

  8. amanfromMars 1 Silver badge

    Regarding the experts' dilemma lauded and/or lamented above .....

    It would rightly appear, with such a wad of experienced opinion posting above on the subject matter, that beautifully expensive daily cyber security rates are an ultimately useless indulgence paid by the intellectually challenged to the beautifully astute and active in APT ACTive fields of ...... well, Private Pirate Pwn Entanglement.

    And the proof of the effectiveness of such expert involvement, is in the admitted increasingly massively costly and growing hostile environment.

    Horse stable door bolted all springs immediately to mind.

    The real problem for virtual fixing would rather more appear to be ......... stop trying to maintain and retain unravelling and easily corrupted and perverse systems of elite executive order operations and SCADA administration, and do something/anything/everything different, for a radical evolutionary, fundamental revolutionary change. I do realise though, that such an obvious right solution, which in both its reality and virtual reality is just the beginning, may be extremely challenging due to a distinct lack of necessary future intelligence in media hosted and dependent leadership vessels.

    Dumb and stupid is as dumb and stupid does and the present would appear to be stuck in a loop with "Insanity: doing the same thing over and over again and expecting different results." and "The difference between stupidity and genius is that genius has its limits." starring in leading B movie type roles, rather than the planet forging ahead in a blockbuster of a franchise fronting "We cannot solve our problems with the same thinking we used when we created them." and "The true sign of intelligence is not knowledge but imagination" and

    "To raise new questions, new possibilities, to regard old problems from a new angle, requires creative imagination and marks real advance in science."

    Bigger peanuts [£10k a day] begets bigger monkeys whenever the only change is a worsening situation, methinks ‽ . Do you?

  9. Anonymous Coward

    £10,000 a day - but not for very long...

    No doubt it is true that someone did get paid £10,000 a day, but I am willing to wager that it wasn't for very long and no doubt the recipient was under significant pressure to dig a desperate company out of a lot of sticky stuff...

    1. Naselus

      Re: £10,000 a day - but not for very long...

      Or that was the only way Talktalk could convince anyone to take the job after the hack had gone down...

  10. Anonymous Coward

    Whereas it would not surprise me that the consultant rates through one of the larger companies may be charging that, the reality is that the daily rates of Mr InfoSec contractor are nowhere near.

    There is a massive skills shortage though - as there just isn't the skills base in the UK - with London relying on the script kiddies straight out of college and the wastelands outside of the capital just having to wait 6-8 months for the availability of qualified people.

    Of course this is driving the rates up (for now) - but if you flaunt that InfoSec is paying £10k a day the market will be flooded with wide-boys and our insurance premiums will vastly increase to compensate for those multimillion pound claims.

    Were you sold a PPI / InfoSec contractor? You could be entitled to a claim :)

    1. Anonymous Coward

      There is a massive skills shortage though - as there just isn't the skills base in the UK - with London relying on the script kiddies straight out of college and the wastelands outside of the capital just having to wait 6-8 months for the availability of qualified people.

      Ah, but that is self inflicted. This is the result of years of accounting-based decisions on security, which required cheapo school leavers and their handlers, sorry, recruiters and HR to pretend that they could do the same job as people who have been doing this for a couple of decades and cost considerably more, supported by audit companies that got into the security business in the same way (cheap) and so could not afford auditors that could find fault (or were told not to, on account of otherwise losing the lucrative business of auditing accounts).

      What ye shall sow, ye shall reap, or something like that. I have seen setups in City offices that defy belief, and banks are not that much better because they aim for "just good enough" to avoid liability, which means they have no margin for error for when something serious happens. Add to that this idiotic idea of importing people who are willing to work for far cheaper rates (without taking into account that they will eventually clue up as well) and it really does not surprise me at all that overall security is *crap*.

      I've been in this business for a *long* time, and every time I think I must have seen it all I come across new examples that make me doubt humanity's long term viability as a species if the people involved are allowed to procreate.

      If there is one thing mislabelled, it's "common" sense.

      1. Naselus

        "Ah, but that is self inflicted."

        Actually I think you can cast the net on that a lot wider than just infosec. Companies basically stopped paying to train junior staff back in the early-to-mid '90s, and the cut-off line has gotten higher and higher since then; nowadays, if you don't have a board seat or at least an exec position, convincing your employer to part with a couple of K for much-needed training is harder than convincing them to tell you if they wear ladies underwear. Meanwhile, they'll spend that on fresh laptops for themselves every 12 months.

        And then they complain that there's a skills shortage and it's someone else's fault, honest. If they took some of the aforementioned PFYs straight out of school and then put them through 3-5 years of intensive on-the-job training (you know, like we do with electricians, whose job is somewhat less complex - and it's no disrespect to electricians in saying that) then maybe there'd be some skilled people out there. Instead, they expect them to appear out of nowhere.

  11. This post has been deleted by its author

  12. Anonymous Coward

    Follow the money...

    So a recruitment agency is telling us that the right person can earn untold riches if they've got the right keywords on their résumé...? A Recruitment Agency... Hmm...

    Why, people must be beating a path to their door, re-vamped C.V.s spilling out of their little folders as they run (metaphorically... across the internet...). What an unfortunate side effect of such an otherwise balanced and informative press release.

    To mis-quote George Bernard Shaw, "those who can, do; those who can't, recruit".

  13. Anonymous Coward

    Security is about prevention, mitigation and limitation.

    Unfortunately, prevention and mitigation are often subject to limitation due to inflation of the cost equation.

    But seriously, it's not about spend, it's about preventing simple attacks from succeeding, mitigating the damage (encrypting, with decent encryption, card details, date of birth etc, ensuring password hashes are strong by using a decent algorithm and salting etc. ) when successful attacks happen (because they will happen) and limiting the fallout from them by ensuring those proper measures are in place before they happen and communicating that effectively when it does.

    Transparency, not secrecy, should be the norm. What good is refusing to admit your mistakes when the entire world is going to assume the absolute worst anyway. TalkTalk, I'm looking at you.

    Realistically, if you're targeted by someone with sufficient resources, you will be compromised no matter how good your security, at least if you have users. Offline secure systems are another story, but are less and less common these days.
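The "decent algorithm and salting" point in the post above, as an added example that is not part of the thread: a small Python password-storage module that contrasts the weak pattern (one fast, unsalted hash) with a per-user random salt and a deliberately slow key derivation, stores the parameters alongside the digest so the cost can be raised later, and verifies in constant time. The record format, function names and the 600,000 iteration default (the current OWASP guidance for PBKDF2-HMAC-SHA256) are this example's own choices, not anything the commenter specified.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. This is a tunable cost, not a fixed
# constant; 600,000 follows current OWASP guidance for this algorithm.
DEFAULT_ITERATIONS = 600_000


def legacy_unsalted_hash(password: str) -> str:
    """The weak pattern the thread warns against: one fast hash, no salt.
    Every user with the same password gets the same digest, so a single
    precomputed table cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh random salt and a deliberately slow KDF.
    The result is a self-describing record ("algorithm$iterations$salt$digest")
    so parameters can be raised later without breaking old records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time.
    A malformed or unknown record is refused rather than guessed at."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made below the current cost policy, so it can be
    upgraded transparently at the user's next successful login."""
    try:
        algorithm, iterations, _salt, _digest = stored.split("$")
        return algorithm != "pbkdf2_sha256" or int(iterations) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse battery staple"
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted records differ:", alice != bob)
    print("unsalted digests collide:", legacy_unsalted_hash(pw) == legacy_unsalted_hash(pw))
    print("verify good password:", verify_password(pw, alice))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", alice))
```

The record keeps its own iteration count so a deployment can raise the cost over time: `needs_rehash` flags old records after a successful `verify_password`, and the application re-stores them with the new parameters while it still has the plaintext in hand.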

  14. sisk

    Looks like I picked a good time to get my CEH cert. Now, where do I find these five figure a day gigs?

  15. IHateWearingATie

    How savvy are the companies paying £10k a day?

    Can they tell the difference between real advice and finely crafted bull***t wrapped up in a glossy PowerPoint? I'm pretty good at the latter - wouldn't need many idio... I mean clients to make it a lucrative side line.

    Ethics. I've heard of them.

  16. Anonymous Coward

    Outsource your security alarms

    let others take care of the mitigations and floods of alerts

  17. lawndart

    I've found a couple of security problems in your system.

    Firstly, your main live database is vulnerable to SQL injection attacks, such as appending the DROP TABLE command.

    Secondly, your backup software isn't working.

  18. A. N. Onymouse

    In my experience (30 years and counting) companies love expensive consultants because expensive advice is *always* better than free in-house advice.

    Invariably we will report a problem to the management and recommend a course of action.

    The management accept the issue and reject the action.

    Management hire consultants at ridiculous rates.

    Consultants investigate (ask us) and, amazingly, come to the same conclusion as we did.

    Consultants present findings and bill.

    Management implement findings and pretend that they are new and exciting.

    We get more cynical.

    Consultant. (noun) Someone who borrows your watch to tell you the time and then bills you for it.

  19. IT Hack

    Checks

    How many companies vet these 'cyber'* security professionals?

    * Cyber - swear to fuck this use needs to end.

  20. Stevie

    Bah!

    Personally I don't even submit a CV unless we are talking a quarter of a million.
