06.04.2020

Hiring security engineers but unsure on salary levels?

In a competitive market like cyber security it’s essential you stay up to date with the latest salary levels for security engineers. This will not only help you attract new staff but enable you to adjust your compensation and benefits to retain the talent you have already.

Every company in the UK is improving their security posture, from big banks and government institutions to the smaller start-ups. The majority of organisations are setting up SOC services (analysis, monitoring etc.) in-house so they have greater control over their security defence, and if they are still working with an outsourced SOC, companies still need someone within the infrastructure team to focus on the security remediation work.

Yes, a SOC will inform you of any threats and any issues that get into your infrastructure, but companies still need someone to do the dirty work: to fix vulnerabilities, to apply patches, to create systems that are secure from the ground up. So how much do you need to pay for good quality security engineers, and what different skill sets can you find within the market?

There are over 5000 adverts for security engineers on LinkedIn, ranging from cloud-based to Windows, and from network-focused to application-based. So, after you’ve established the skill set you need for your organisation, how can you make sure you are seen as an attractive employer? What sort of salaries do you need to pay to make sure you are getting the right talent with the right skills?

For us, within the industry, we tend to see security engineers grouped into 4 main categories: security engineers, application security engineers, network security engineers and the emerging DevSecOps engineer that mixes within cloud circles. Yes, most of them overlap, and there are going to be some blurred lines with skill sets crossing over, but for the time being we’ll focus on these 4, picking out the average salaries across the UK and the trends within each role.

Security Engineers

According to Andrew Rogoyski, when he was VP Cyber Security Services at CGI, security engineers concentrate on “building and maintaining IT security solutions that help organisations stay protected against cyber threats.” Whether they are focused on firewalls, AV or IDS/IPS, they’re building systems and infrastructure with security in mind from the ground up. In terms of security engineer salaries:

Junior – £20,000 - £35,000

Mid – £35,000 - £50,000

Senior – £50,000+

Network Security Engineers

Probably not closely aligned to AV but more focused on firewalls, routers, switches and network monitoring tools (SolarWinds, Nagios, Zabbix etc.), network security engineers will be building security protocols and technology within the networking infrastructure.

Junior – £20,000 - £35,000

Mid – £35,000 - £50,000

Senior – £50,000+

What’s different with network security engineers (and the skill sets to follow) is they will have typically spent time in networking roles, developing a good base knowledge before specialising within security. 9 times out of 10 they will have already progressed up the ladder in terms of career and salary, so expect these salary guides to sometimes be a little lower.

Application Security Engineers

Now here comes the fun skill set – the rarest of the bunch in all honesty and the one every organisation is crying out for. Application security engineers are more focused on working closely with development teams, helping to secure the software development lifecycles and securing applications across the organisation. The reason application security engineers are rarer is because you need someone with a strong development knowledge. Most of the time, if you’ve got someone with a strong dev background, they are probably going to be a dev…

Junior – £30,000 - £40,000 (unless you manage to find a grad, you’re probably going to have a dev with a couple of years’ commercial experience)

Mid – £40,000 - £60,000

Senior – £60,000+ (although to get someone with a good level of experience as an application security engineer you’re probably going to need to be paying £80,000-£100,000 minimum)

DevSecOps Engineer

Again, a tricky skill set to find as you’re combining the world of development, security and operations (infrastructure and networking), so basically combining all of the skills for the above roles… You’ll be needing someone with a sound knowledge of AV, strong security firewall configuration, strong development/scripting languages and someone really experienced in security who can operate across cloud platforms with ease. Sounds easy right?! Well guess what, it’ll come at a price…

Junior – not really going to happen unless it’s a grad.

Mid – again, quite rare but you’re probably looking at someone with a good background in any of the above roles starting as a DevSecOps engineer for the first time. £60,000 would be the right sort of starting point.

Senior – anything from £80,000 - £120,000 for a perm role (but sorry to say you’ll have more luck with a contractor for this skill set)

Staying in touch with the latest salary information is essential for employers, whether you’re looking to bring in new hires or just check what the competition are paying their staff in equivalent roles to retain your current team.

There are lots of things to consider when deciding the salary for a security engineer, so hopefully these points give you something to think about when looking to grow your team.

If you have any questions about what to pay your security engineers or need some informal advice, then please feel free to get in touch.
