Many information security professionals are very good at doing the right things. They understand the importance of perimeter security, endpoint security, and reasonable controls inside and outside to address various threats. Do a hundred good things and one bad thing, and you will be remembered for that one bad thing. That is the reality of life, and it holds true for information security. Typically, as you advance in your career, you are paid a little more money because of:

1. The leverage of scenarios [scenarios aka experiential knowledge].

2. Skills and Certifications. Moreover, less time is required to acquire new skills.

3. Competency. [Translates to lower probability of making mistakes and higher probability of doing it right]

The above are measures of a security professional's ability to meet the expectations of the job and do not help in commanding premium pay.

Information security professionals can command premium pay for the following:

A. Knowledge of how security affects business and vice versa.

B. Identify business risks in the realm of information security, qualify and institute control measures.

C. Measure and track information security, and communicate its value to upper management and across the board.

D. Predict/Prevent bad events and institute plans to handle bad events.

It is not surprising to note that all of the above items are in the domain of business.

Towards the right extreme of the graph you will find Security Directors, Chief Security Officers and Senior Security Consultants. This graph was made to start conversations in the minds of the blog's readers, so it has to be taken with a grain of salt.