However, as cyber hackers continue to evolve and develop new sophisticated attack mechanisms, making it increasingly difficult to defend the systems, it is crucial for entities to take active measures to protect their assets. In many cases, this means confiding in a trained cyber security or InfoSec professional, specialized in pentesting that can look for vulnerabilities in less traditional ways and undergo a complex cyber security posture assessment, scan and secure network segments based on the risks (threats and impacts) they represent.
So Why Hire Pen Testers? Though the risk analysis can easily be done by internal security teams, the help of pen testers is essential. These highly-trained professionals can “think like the enemy” and can employ creative ways to look for problems before they occur, going beyond the use of automated tools. Pentesters can perform technological offensives but also simulate spear phishing campaigns to identify weak links in the security posture of the companies and pinpoint training needs. The human element is essential to simulate a realistic attack and uncover all of the infrastructure’s critical weaknesses. “White hat” hackers are a security best practice for testing defenses and uncovering weaknesses in infrastructures and applications; pentesters can be important for organizations of any size and in any industry. Hiring these professionals means taking a proactive and inclusive approach to information security. Even government agencies, including the FBI, seek out assistance from grey-hat hackers, or other professional hackers (white or black hats) to test the security of their IT infrastructure, says Charles Cooper at CIO.com. Being a pen tester can be financially rewarding, as trained and skilled ones can normally secure good wages. Employers are willing to pay good dollars to attract and retain top-notch talents in the field. Most pentesters will be able to enjoy sizable salaries depending on where they live and their level of experience and training. According to a PayScale salary survey, the average salary is approximately $78K annually, ranging from $44K to $124K on the higher end. “Career duration is the biggest factor affecting pay for this group, followed by geography. The majority of workers are highly satisfied with their job. Most enjoy medical while a large number get dental coverage. Vision coverage is also available to a strong majority.” Infosec Institute studies also attest similar numbers when reporting on IT Security Salary by Job Titles. For Ethical Hacker & Penetration Tester the Institute reports the following:
Ethical Hacker’s Estimated Salary $70,000- $90,000 Penetration Tester Estimated Salary $80,000-$100,000; also see Average Penetration Tester Salary 2016
Those planning their next moves in this profession and thinking about starting this in-demand career can expect salary hikes and benefits. Computerworld’s IT Salary Survey 2016 Results show “continued strong gains for IT pros … [above all] tech workers in the right roles who work in the right industries located in the right metro regions reported even stronger gains in pay.” Not surprisingly, people are motivated by money. In fact, of the IT professionals polled by Computerworld, 52% of the survey respondents felt that their base pay is what matters most about their job. Of course, the actual pay also depends on the amount of training and the certification (if any) the professional has. According to Eric Geier, a freelance tech writer, in a PCWorld post, the Certified Penetration Tester (CPT) salary ranges from $50,000 to $100,000 per year or more although it really depends on “the company that hires you, and on your IT experience and education.” In addition, the “salary is based on value and contribution to the company, combined with the “going rate” for your particular skills and experience in your geographic region, as well as the specific perks and benefits you receive at your job…,” says Elaine Varelas, managing partner, Keystone Associates, as mentioned by Sharon Florentine, Senior Writer, CIO.com, who covers IT careers. There are also differences between public and private sector. In the public sector monthly earnings might be lower, but professionals might enjoy better job stability, retirement benefits and standard pay raises less linked to productivity and results. The penetration testing market is also increasing, and many professionals are making the move to this market segment and switching for higher salaries, better opportunities, and more complex challenges not only in the U.S. but in many other markets too. UK IT company ITJobsWatch lately published some statistics on pentesting employment looking at IT jobs advertised across the UK that had “Penetration Tester” in the job title within the past 3 months. When comparing data with the same period in 2015, the company found that the job ranking went up by 145 positions and the median salary ranged from 52,500 GBP to 60,000 GBP. When it comes to deciding what IT career path to pursue, do you know the difference between ethical hacking and penetration testing? The two terms are often used interchangeably. Ethical hacking is a broader field that encompasses all hacking techniques to find security flaws with the goal of improving the target owner’s system; whereas, penetration testing is a subset of ethical hacking and is more driven by the process of penetrating systems and accessing data in a target environment. Both specialists have their own role in the InfoSec field to detect legally and improve security weaknesses utilizing testing methodologies that allow the probing or penetrating the security of systems using both automated and manual techniques. There is also a difference between vulnerability assessments and pentesting. Vulnerability testing looks specifically for issues and is normally requested to improve the security posture of a system. Pentesting can be a subsequent step. Performed on a system already believed to be resilient to see if it can withstand a realistic attack. Pentesters can come from different walks of life. They might be cybersecurity professionals (system or network administrators, network engineers…) looking to specialize in a specific field, software developers, graduates with IT security degrees, students hacking as a hobby or actual hackers. Regardless of which skills and knowledge the professional has initially, all pentesters need to acquire that right mix of formal knowledge and hands-on, practical experience that allows them to be successful in the profession. If you want to make penetration testing a career, then you need to develop security-relevant skills not just through college studies in information security but also through extensive hands-on practice. To future-proof your career in today’s job market, it would also be important to think about becoming certified. A certification can help point out which areas to cover for each chosen career path and prove current and future employers that a professional has up-to-date knowledge in the field and is truly skilled for the job he or she is applying for. The value of education/training and certifications is also in making professionals stand out when competing with others for a position. Professionals need to prepare themselves for a hard career that might not always be as glamorous as movies might portray. Pentesters differ from traditional malicious hackers in having to go beyond trying to reach their objectives by having to take care of all bureaucratic formalities including documenting their methods and findings thoroughly. In most cases, they also need to perform their tests within the limits and time constraints given by clients. Working in this field offers some of the highest salaries in the industry, and obtaining certifications often helps in moving up the career ladder more quickly; formal professional certifications are now offered to professional in this fast-growing field. Pentesters can hold standard certifications like the OSCP that suits the realm of information security most specifically in the field of penetration testing. Such a cert helps in validating hands-on skills that go beyond theory and tests to include performance-based practical and written exams and reports. Many SMEs in the discipline of Penetration Testing also recommend the certifications offered by GIAC (such as GPEN, GXPN or GWAPT) or else by Infosec Institute (like CPT, CEPT or CWAPT). As to which certification to choose, the specific job/career you are seeking will provide the answer. EC-Council’s most sought-after CEH certification designed to become an ethical hacker is also popular among “white hat” hackers. Several courses are now available online to pursue these certifications. Many Hacking & Pen Testing courses also include the all-important hands-on portion that is so important for professionals in this field. CEH courses and CPT courses offer such additional training; hours of hands-on lab exercises allow for real knowledge transfer, and certification preparations are paramount in addition to pursuing a specialized degree that has only lectures and little practical experience. Certifications can really help securing the highest paying jobs in the field. For instance, according to Payscale.com the salary by EC-Council Certification in the USA is as follows:
CEH: Certified Ethical Hacker: $89,000 LPT: Licensed Penetration Tester: $92,000
CEH is among the highest paying technical certifications, according to the CertMag Staff. In their first Salary Survey 75 published a year ago in the Certification Magazine, they report that a CEH professional makes $118,370 salary (US Only); $79,930 salary (All Non-US); and $99,880 salary (US and World). Similar numbers can be found in the 2015 IT Salary Report by Global Knowledge & Windows IT Pro looking at Information Security Analyst Salary by Certification reports $95,155 for Certified Ethical Hacker (CEH) professionals. For Indeed.com a Network Penetration Tester can look at a salary of $107,000. At the end of the day, job candidates with any of the various security certifications that are compatible, but cover different security aspects and expertise, will likely make more money than those who do not have certifications. As seen in the Certification Magazine salary survey data, certification is a good thing, but it comes down to the specific set of skills, knowledge, experience and capabilities that validates your salary. For more salaries among security professionals, be sure to check out Foote Partners’ survey that provides salary and related IT skills pay for these areas – see the 2016 IT Salary+Skills Pay Survey Report: IT Security (US). Bruce Schneier, a renowned American computer security expert, says, “The point of penetration testing is “protection, detection and response–and you need all three to have good security.” So if an organization is not already using regular penetration tests to assess the security of their systems, applications, and the network as a whole, it should soon consider them. The assistance from penetration testers can identify vital steps to improve a company’s security posture and reveal entry points for real-world attack vectors, weaknesses in the infrastructure (hardware), application (software) and people (end users). Pentesters are expected to be even more in demand in the near future. Therefore, those choosing to follow this career path need to have the right combination of technical knowledge and hands-on experience that allows them to find creative new ways to attack systems and test their resilience. Pentesters also need to work and think like malicious hackers do and be as skillful and resourceful. Allen, Lee. Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide. Packt Publishing Ltd, 2012. CertMag Staff. (2016, February 5). Salary Survey 2015: An All-New Salary Survey 75. Retrieved from http://certmag.com/salary-survey-2015-new-salary-survey-75/ Cooper, C. (n.d.). If the FBI Hired A Hacker, Why Shouldn’t You? Retrieved from http://www.csoonline.com/native?prx_t=4i0CAshIHA4bgMA Cyber Degrees. (n.d.). Become a Penetration Tester. Retrieved from http://www.cyberdegrees.org/jobs/penetration-tester/ Fadilpašić, S. (2016, June 28). UK companies seek the help of hackers to stay safe online. Retrieved from http://www.itproportal.com/2016/06/28/uk-companies-seek-the-help-of-hackers-to-stay-safe-online/ Geier, E. (2012, February 15). How to Become an Ethical Hacker. Retrieved from http://www.pcworld.com/article/250045/how_to_become_an_ethical_hacker.html Gilmore, A. (2009, October 8). Penetration Testing: Hacking for a Cause. Retrieved from http://certmag.com/penetration-testing-hacking-for-a-cause/ IT Jobs Watch. (n.d.). Penetration Tester Jobs. Retrieved from http://www.itjobswatch.co.uk/jobs/uk/penetration%20tester.do PayScale, Inc. (n.d.). Penetration Tester Salary (United States). Retrieved from http://www.payscale.com/research/US/Job=Penetration_Tester/Salary Schneier, B. (2007, May 15). Is Penetration Testing Worth it? Retrieved from https://www.schneier.com/blog/archives/2007/05/is_penetration.html Stackpole, B. (2016, March 29). IT Salary Survey 2016: Do certifications really help? Retrieved from http://www.computerworld.com/article/3046583/it-salary-watch/it-careers-do-certifications-really-help.html