We Don’t Need No Stinking Ladders!
Welcome to part 1 of our 3-part blog series around our recently open-sourced security career ladders. Let’s dive right in.
(If you missed the link to our Git repo, you can find it here: https://www.productsecuritygroup.com/community )
Why did we do it?
To be honest, we did it because of you all. Having started my career in engineering and moving over to security many years ago, there wasn’t much in the way of guidance around roles and even less around how to advance. As I progressed in security, we kind of made it up as we went along. The skills, the levels, and the salaries were all just-in-time.
As I took security leadership roles, I vowed to not have my folks go through what I went through. The ambiguity and uncertainty led me to jump jobs at a whim into another unknown. Constant reboots with new people, products, and companies were exciting, but to be honest, a bit draining and unnecessary when I look back on it.
I wanted my folks to have what I hadn’t had: an understanding of where they were at in their career progression, what they should be paid, and how to advance. With that information, I knew I could grow great teams and progress my folks to their full potential without all the disruptions I experienced in my path.
I created these paths over the course of my last decade as a security leader in the Boston area and shared them freely with anyone who asked. The impact was good, but the audience too small. As I traveled the world these past two years at my last CISO gig, I heard from folks at events, conferences, and meetups all asking for this type of information: the information I had.
As a result, we made the decision to open source the information so more folks could benefit from what I have learned and created. The career ladders are by no means complete, but they are a starting point when no others may exist. I encourage folks to use them, adapt them to their needs, and if they can, give back by suggesting adjustments and updates, or even including new ladders, geographical salary information, etc.
What’s in the ladders?
Let’s start with an overview. Within the Git repo, there are a variety of files and folders. Each file is written in Git markdown language.
Readme.md – The basic overview document for the repo.
License – We open sourced this under The MIT License. If you are including it in something commercial, just give us a nod for the hard work folks did to make this possible.
There is a unique folder for each career ladder. It has a title and an abbreviation in case you are going to load it into a system and need to track the ladders and the subsequent skills.
Within each ladder folder, there are 3 files:
We'll explain each one in detail below:
This file outlines the functional and technical skills required for the ladder. Each ladder has a number of title levels. Most ladders outline levels from entry-level to director. Where this progression doesn't exist, the opening paragraph will explain why.
As you progress up, you will see at level 4 there are 2 titles in many of the ladders. This is the place where senior folks can make a choice: follow a technical track or a management track - more about that later.
Within each level there are a variety of skills needed. Each skill is represented by an ID to make it easy to track. N/A indicates that this skill is not required for this level. SAME indicates no change from the prior level. You will notice that in many of the tracks there is a progression pattern.
Competency Progression – This progression is loosely based on the National Institutes of Health’s Competencies Proficiency Scale.
Basic [NIH: Fundamental] – You kind of know about it.
Working [NIH: Novice] – You have trainee-level experience and can find stuff out when you need it.
Deep [NIH: Practical] – You know the skill, but need help sometimes.
Comprehensive [NIH: Advanced] – You can utilize the skill without assistance and can coach folks on it.
Expert [NIH: Expert] – You are the “go-to” person, and can talk about this to the most senior folks in the organization and to people outside the org.
Process Progression – This progression is meant to outline how a person contributes to process enhancement.
Administers – You can execute the process.
Proposes – You know enough about the skill to propose changes to make the process better.
Leads – You can take proposed changes and implement them to enhance the process.
Defines – You can set the strategy/vision/components for the process.
The US Federal government created a cyber skills harmonization project called NICE in an attempt to standardize cyber job descriptions across the government. It was great work with one flaw. It listed the aggregate of skills, tasks, knowledge, and abilities but did not provide for progression. Many folks in the US have started to use this collection to create these role progressions, so we provided a mapping to help folks take the work they have already done and get into the progressions.
At the top of each mapping file are the roles we used to map the various items, followed by a mapping, keyed by skill ID, to the 4 core areas within the framework. In some cases, we couldn’t find a direct mapping for each column, so they are blank. Please contribute back if you can supply the details.
I am going to apologize up front. I am a firm believer folks should be paid what they deserve to be paid. If you are purposely paying folks less than they deserve, you are going to dislike this file. It represents what people are making for the variety of roles and levels in the greater Boston USA market (I would say from downtown to the I-495 corridor). Within the levels, I included intern pay per hour or for the summer season (not a 6-month co-op). Additionally, you will notice at level 4 there may be 2 rows – one for technical and one for management. Whether we agree or not, there will be a compensation difference for these two tracks.
Let’s discuss the columns:
Level – pretty self-explanatory as it follows the skills levels in the ladders doc.
Title – This is the expected title.
Type – Whether this is a technical or management track position.
Promote in Level – I realized early on that folks may not quite have all the skills to progress but deserve a boost in pay. So, we accounted for this by allowing managers to give an in-grade promotion for a job well-done. It includes the new title.
Usual time in grade – Having worked for the US DoD in the past, I have not been a fan of ‘time in grade’ requirements, but it is helpful for folks to see what it ‘usually’ takes to move up. Results will vary for rock stars and slackers.
Lower Salary – This is the floor salary I would expect to see (in US dollars).
Mid Salary – The mid-point for salary at this level.
High Salary – Top of the rung. I haven’t experienced many that are above this (but it can happen). As you can see, there is quite a spread, and it is purposeful. We recognize not every company can pay top salaries and folks may be drawn to take a role for other reasons (like company mission). That said, if you are compensating below the low, you run a big risk of people leaving for a big pay bump.
Variable compensation – This is the bonus/stock option piece of comp. Let me lay out the meanings:
Not eligible – You are likely not going to get either of these unless you are at an early stage startup, or the company is flush with cash.
Infrequent – 25% chance you will get variable comp.
Frequent – 60% chance you will get variable comp.
Mostly – 85% chance you will get variable comp.
Always – 100% chance you will get variable comp (we usually see this in VP levels and above).
What about the General Knowledge track?
This is meant to cover the soft skills required for each level for both individual contributors and managers. We will cover this in-depth in the second part of the blog series.
Well, let’s bring this to a close. Please look for our part 2, No, I’ve Been Nervous Lots of Times!, next week. We are going to end with a question – Can you guess what ’70s movie this week’s blog post title refers to? Drop your answer in the blog stream!