Why did we do it?
To be honest, we did it because of you all. Having started my career in engineering and moving over to security many years ago, there wasn’t much in the way of guidance around roles and even less around how to advance. As I progressed in security, we kind of made it up as we went along. The skills, the levels, and the salaries were all
As I took security leadership roles, I vowed to not have my folks go through what I went through. The uncertainty led me to jump jobs at a whim into another unknown. Constant reboots with new people and companies were exciting, but to be honest, a bit draining and unnecessary when I look back on it.
I wanted my folks to have what I hadn’t had: an understanding of where they were in their career, what they should be paid, and how to advance. With that information, I knew I could grow great teams and progress my folks to their full potential without all the disruptions I experienced in my path.
I created these paths over the course of my last decade as a security leader in the Boston area and shared them freely with anyone who asked. The impact was good, but the audience too small. As I traveled the world these past two years at my last CISO gig, I heard from folks at events, conferences, and meetups all asking for this type of information I had.
As a result, we made the decision to open source the information so more folks could benefit from what I have learned and created. The career ladders are by no means complete, but they are a starting point when no others may exist. I encourage folks to use them, adapt them to their needs, and if they can, give back by suggesting updates, or even including new ladders, geographical salary information, etc.
What’s in the ladders?
Let’s start with an overview. Within the Git repo, there are a variety of files and folders. Each file is written in Git
- Readme.md – The basic overview document for the repo.
- License – We licensed this under The MIT License. If you are including it in commercial, just give us a nod for the hard work folks did to make this possible.
There is a unique folder for each career ladder. It has a title and an abbreviation in case you are going to load it into a system and need to track the ladders and the subsequent skills.
Within each ladder folder, there are 3 files:
We’ll explain each one in detail below:
This file outlines the functional and technical skills required for the ladder. Each ladder has a number of title levels. Most ladders have from entry-level to director outlined. Where this progression doesn’t exist, the opening paragraph will explain why.
As you progress up, you will see at level 4 there are 2 titles in many of the ladders. This is the place where senior folks can make a choice: follow a technical track or a management track – more about that
Within each level there are a variety of skills needed. Each skill is represented by an ID to make it easy to track. N/A indicates that this skill is not required for this level. SAME indicates no change from the prior level. You will notice that in many of the tracks there is a progression pattern.
This progression is loosely based on the National Institutes of Health’s Competencies Proficiency Scale.
- Basic [NIH: Fundamental] – You kind of know about it.
- Working [NIH: Novice] – You have trainee-level experience and can find stuff out when you need it.
- Deep [NIH: Practical] – You can know the skill, but need
- Comprehensive [NIH: Advanced] – You can utilize the skill without assistance and coach folks on it.
- Expert [NIH: Expert] – You are the “go-to” person, and can talk about this to most folks in the organization and to people outside the org.
This progression is meant to outline how a person contributes to process enhancement.
- Administers – You can execute the process.
- Proposes – You know enough about the skill to propose changes to make the process
- Leads – You can take proposed changes and implement them to enhance the process.
- Defines – You can set the strategy/vision/components for
The US Federal government created a cyber skills harmonization project called NICE in an attempt to standardize cyber job descriptions across the government. It was great work with one flaw. It listed the aggregate of skills, tasks, knowledge, and abilities but did not provide for progression. Many folks in the US have started to use this collection to create these role progressions, so we provided a mapping to help folks take the work they have already done and get into the progressions.
At the top of each are the roles we used to map the various items and, by skill ID, a mapping to the 4 core areas within the framework. In some cases, we couldn’t find a direct mapping for each column, so they are blank. Please contribute back if you can supply the details.
I am going to apologize up front. I am a firm believer folks should be paid what they deserve to be paid. If you are purposely paying folks less than they deserve, you are going to dislike this file. It represents what people are making for the variety of roles and levels in the greater Boston USA market (I would say from downtown to the I-495 corridor).
Within the levels, I included intern pay per hour or for the summer season (not a 6-month co-op). Additionally, you will notice at level 4 there may be 2 rows – one for technical and one for management. Whether we agree or not, there will be a compensation difference for these two tracks.
Let’s discuss the columns:
- Level – Pretty self-explanatory, as it follows the skills levels in the ladders.
- Title – This is the expected title.
- Type – Is this a technical or management track position.
- Promote in Level – I realized early on that folks may not quite have all the skills to progress but deserve a boost in pay. So, we accounted for this by allowing managers to give an in-grade promotion for a job well done. It includes the
- Usual time in grade – Having worked for the US DoD in the past, I have not been a fan of ‘time in grade’ requirements, but it is helpful for folks to see what it ‘usually’ takes to move up. Results will vary for rock stars and slackers.
- Lower Salary – This is the floor salary I would expect to see (in US dollars).
- Mid Salary – The mid-point for salary at this level.
- High Salary – Top of the rung. I haven’t experienced many that are above this (but it can happen). As you can see, there is quite a spread, and it is purposeful. We recognize not every company can pay top salaries and folks may be drawn to take a role for other reasons (like company mission). That said, if you are compensating below the low, you run a big risk of people leaving for a big pay bump.
- Variable compensation – This is the bonus/stock option piece of comp. Let me lay out the meanings:
  - Not eligible – You are likely not going to get either of these unless you are at an early stage startup, or the company is flush with cash.
  - Infrequent – 25% chance you will get variable comp.
  - Frequent – 60% chance you will get variable comp.
  - Mostly – 85% chance you will get variable comp.
  - Always – 100% chance you will get variable comp (we usually see this at VP levels and above).
What about the General Knowledge track?
This is meant to cover the soft skills required for each level for both individual contributors and managers. We will cover this in depth in the second part of the blog series.
Well, let’s bring this to a close. Please look for Career Ladders Part 2 – No, I’ve Been Nervous Lots of Times!, next week. We are going to end with a question – Can you guess what 70’s movie this week’s blog post title refers to? Drop your answer in the blog stream!
- Marc French