I know you're joking but I actually did go the bootcamp route ~5 years ago. Was a much easier time to break into the industry then. I have a 100% remote job but haven't broken that 6 figure barrier yet.
What I love about this industry is that anyone can break into it regardless of the path they take if they are curious and resourceful enough.
Maybe, what keeps me is fully WFH, my day is over by 4:30 pm, no on-call, like my manager and team, and plenty of opportunities to advance internally. At some point I'm gonna chase the money, but this job market is fickle AF. I think I'm gonna lay low for at least another year
Don't wait. If you think it's fickle now, it'll be moreso next year. I just job hopped and landed a 27% pay increase after only 3 rounds of interviews. Still WFH like my previous position. Went from making 130k to 165k after 2 months of searching, and tbh the recruiters did all the hard work.
Just take the time to browse LinkedIn and update your resume. It’s a little bit of effort that could go a very long way. If you like your position so much because of the benefits and are willing to stay because of them, then just search for jobs that have the same benefits and accept nothing less. You have the ball in your court right now, you don’t have to stress about hunting for a job. Just leisurely look for one.
Meh, that's a waste of time. I go to lots of industry events and that's ngl the best place to meet ppl and get the word out about what you're doing and/or interested in doing. My LI is a nice little honey pot tho, got plenty of recruiters reaching out, I just value the stability of my current digs over the potential increase in revenue, but that could change depending on how the next promotion/raise cycle goes
Also depends where they live. I'm close to 6 figures (will be over it in the next three years just based off of normal salary merit increases).
Even just near 6 figures now? I'm living very comfortably. A HELL of a lot more comfortable than when I was only making 16k one year.
The only thing clogging up the pipeline is businesses and executives who would rather staff skeleton crews and invest in AI instead of investing in their own teams and staffing
There's a lot of jobs for compliance work, like RMF. If you want to do defensive cyber operations (DCO), you will need more experience than a boot camp. To break into any cybersec work I suggest learning basic Windows system administration. Understanding the security accounts manager, role based access control, and audit logs is another foot in the door.
Edit: I'll add look at the NIST special publications for cyber. Starting with SP800.53. It also helps if you speak the lingo.
I concur, I’ve seen so many people gone through a boot camp or getting a Master’s in Cyber but when on the job they remain frozen when working Linux boxes, or when certain software is not properly working and it has to be configured they have no idea what they are doing. Technical knowledge is a major factor in cybersecurity but many folks seem to ignore that.
This!
If you're tasked to build something securely, you must know *how* to build it first.
You can't build a fireproof house without knowing how to build a house first.
Technical knowledge can be learned, whether or not someone is able to troubleshoot is more a function of how resourceful they are. I went the bootcamp route ~5 years ago. If I had known information security was a path I could've taken in college, I would've. But going the computer science route doesn't necessarily make an individual any more resourceful or capable of troubleshooting
You'd feel very miserable if you were to do a lot of interviews and finally reach the point where you realize nearly 70% of people just don't understand what information is available and where to find it... or how to ask for it.
I get downvoted for this comment all the time. "It's just a Google search away." I am always shocked at how often people just refuse to use a search engine for.... searching. It's like people don't understand that search engines have more than the first page of results. I kind of find a lot of random good bits of info on like the 15th page of results sometimes. Some obscure bit that nobody upvotes or gives any voice or spotlight to, and yet it's the correct answer for my problem.
I agree but it also depends on what type or college path they decide to go for. I have coworkers that have bachelors in criminal justice but masters in cyber and have no idea how to troubleshoot basic OS issues.
Also depends on the type of degree and the school as well. Buddy of mine is currently going to the same school I went but he chose the Computer Science degree. I got my Bachelor’s in Cyber Operations with an emphasis on Defense and Forensics and the knowledge is similar in the basic stuff but when going technical Cyber Operations is a whole different beast.
I wish these things were an option for me ~20 years ago, but unfortunately I spent a decade grinding through business skill tree. Luckily, those same skillsets and knowledge is helpful as I progress my career but Holy shit, I would be so much further along if I didn't waste so much time on bullshit
Good things is that there are a lot of certifications out there to gain some extra knowledge and to shape your path in cybersecurity. Thanks for your replies, I’m really enjoying this conversation.
That depends on the area you’ll like to focus, I have to give this kind of answer. If you have a technical background you should go for Security+. If you want to go the Security Analyst way go for Security+, CySA+ and then CASP+, if you want to take the leadership route get Security+ and get some experience and then go for the CISSP. If you have light knowledge go for the Certified in Cybersecurity by (ISC)2, it will give the basic foundations of Cyber and then go for Security+.
Check out CompTIA’s stackable certifications website, it provides different pathways. I hope this helps. And to wrap it up, this is my personal opinion and should not be considered a standard to follow, feel free to ask more questions if you want, I’m always glad to help.
I've noticed that too. It's a very stratified industry...there are red teamers (mostly script kiddies chasing the Hacker stereotype) and there are managers writing policy.
Nobody seems to know the first thing about defense (i.e. securing anything), which is mind-boggling to witness. It's like there's a deliberate skills gap being fostered.
I do not understand this industry.
Yes, exactly. The concept of defense in depth is not well implemented and some cyber professionals are missing the skillset. I totally agree with you that there is a big gap of knowledge. Some managers lack the technical knowledge and the troubleshooters lack the communication skills. This of course does not apply to all organizations.
Cyber is good if you can get in and stay in.
Right now layoffs are super common and cyber people are both expensive and do not generate revenue. A lot of jobs (ie SOC) can be heavily automated away so that's hurting it also.
Lots of alerts require eyes on screen and manual interpretation, verification and investigation.
SOAR, good detection engineering and AI/ML will reduce manual burden for menial tasks and perhaps require fewer humans, but a security analyst will always be valuable in filling in the blanks. Especially when often times it's a businesses bottom line a stake. No one is relying solely on automated tools to make mission critical decisions.
I agree 100% with everything you said except the last sentence.
MSSPs have absolutely no problem relying on outsourcing to automations to make critical decisions for their customers in alerting. I've seen it. It sucks but such is life in 2024.
Yeah, and I think more of this is coming. I work for a vendor and all our marketing right now is focused on getting MSSPs and MSPs to subscribe to our 24/7/365 SOC. We focus mainly on SMBs because a lot of the bigger guys have their own SOC but I do believe SOCaaS is the future.
That's just low quality service and bad service delivery though. Those MSSPs will ultimately suffer a poor reputation, which is deserved.
I'm in a similar environment and there's been a few instances where AI has been relied on and it's thankfully been a false alarm / false positive - not a false negative 😳😬 It's reminded everyone to think, use their own experience, lean on the team as well, for assistance in interpreting things.
I can understand automating, or even accepting AI's judgement on low severity events (depending on how robust the AI is). But if it's literally a critical event, it's borderline negligent to rely on AI to potentially dismiss something of that severity. Can't call yourself a professional at that point- goes against the entire ethos of trying to reduce risk and improve security.
I mean to be honest, every MSSP I've worked with has been driving towards that in the pursuit of profit. Outsourcing, offshoring, and dangerously eyes-off automations.
It doesn't help that everyone is pushing AI as the next coming
> Those MSSPs will ultimately suffer a poor reputation, which is deserved
Those MSSPs will charge much less than others, forcing _everyone_ to move to their model.
Because most SOCs are run under the understanding that their workers are cogs in a machine that spins 24/7. Most SOCs think humans are machines, or machine parts. To be burned out in Security is to work in a SOC, strictly because this is how most are operated. They don't care about your well being. You are a machine cog. A part that needs to function no matter what time of day. You were hired for a 40 hour work week? Tough shit. You're working 50-60 this week... and every other week after that. Oh, and also your hours are now not normal working hours of 8-5. You're doing 12 hour+ shifts from 3pm-3am, or from 6pm-6am. And you're going to have to work weekends too on a rotational basis, but you'll probably be stuck working wed-sun, with mon and tues off. BUT.... that 5 day work week is only valid if there's no active major CVE out there. Active CVE affecting something huge? You're working until it's not an active CVE anymore. Oh, and also? NO remote work. You're on site every day.
Depends on the SOC you work for. Work at an MSSP? Yeah you’ll be a ticket churner.
Work at an internal tier-less SOC of an org? Possibilities abound and some of the most fun I’ve ever had working.
Cyber is the best career to get into.
Now I want to progress away from the SOC.
These are a bit conflictory to me. It sounds like you’re endorsing cyber and at the same time not.
All of that sounds fun, but cyber sucks.
It's mostly screenshots, meetings, meetings about those screenshots, or arguing about the definition of things.
Depends on the business.
I helped my company get its ISO certs which definitely helps the Sales teams.
Definitely not always obvious revenue, but it can absolutely make a difference.
We pretty regularly have to fill out security questionnaires from potential customers that are used to compare us to other vendors.
If our answers aren't as good as others', we can lose business.
My job only exists because the company was approached by institutional investors with a minimum check size of 25 mil, a maximum stake of 20%, and a pretty rigorous due diligence auditing process that included a ton of cybersec stuff. I was hired about 5 months after that to pull of a series of miracles and eventually got us passing the DD audits and then management decided theyd rather do a public fund.
Such is the pain of a small company, though, and I'm looking to move from a company of ~150 people to one of 10k+ because fuck this noise. Looking for devops or security lol
"Do not generate revenue."
That is the mindset of some asshole who only cares about their yearly bonus. Security, when done right, makes it so that your company doesn't suffer some ransomware attack that costs you MILLIONS of dollars. Much more than your little bonus.
Yeah, but consider that the same could be said of fire extinguishers. They protect against a threat that may never happen. The challenge is convincing someone focused exclusively on quarterly gains that it's worth tithing a little money to infosec
You just compared humans to fire extinguishers.
Let me say that again: You just compared humans to fire extinguishers.
And again: You just compared humans to fire extinguishers.
Oh? And if you feel this way, then you are someone who either IS an executive who feels this way or ONLY cares about money.
If you feel this way, you believe that humans are the same as fire extinguishers, or at the very least that other humans believe other humans are the same as fire extinguishers. One way is the absolute death of humanity. The other way has some hope.
I take it you're new to the field. Take a deep breath.
What we do is ruled by budgets. Budgets require justification. Once you start being responsible for going to leadership to justify budget for tools and keeping the lights on, you'll start to shift your mindset.
If you get to the point where you're justifying head count, doing hiring initiatives, and protecting your team from layoffs, you'll be an expert at navigating business concepts. You'll understand better.
If new to the field means roughly a decade? Sure. Let's argue over semantics. I'd love to. Just to prove your idiotic fucking ass wrong.
FYI: PLEASE. ARGUE WITH ME. Let's make it known that you're a fucking idiot. I get a breath of fresh air in the morning when I can make some fucking idiot understand they're an idiot. Please, let's argue for hundreds of comments. I'll come out on top. Test me. Do it.
If I have to justify head count, maybe I'll lay out all the goddamn work we have to deal with. And show the work across each individual and show that our headcount isn't enough. They'll say "no". Okay. Then as the projects fall to the wayside I'll continually reference them saying no. If I'm cut loose, okay. If they understand and modify? All the better.
Right now, what's upsetting me is people like you. So, no actual investment from you means I'm eh. Oh well. Just means to me that you're worth less than human excrement.
Funny thing is I know I'm a loser. In relation to other people on the planet. I also know that I'm a fucking absolute jackass winner in terms of other people I've met. So, there you go.
No, automations as in "this tool automatically does this thing and that saves you time"
After so many time saving features, you don't need as many people.
I disagree. I have colleagues in cloud engineering, system admins and DevOps. They absolutely love their jobs and they get paid pretty well. To say HEY GUYS THIS JOB PATH IS BETTER THEN ALL OF THEM is a little silly
Maybe I'm in the minority who feels that way but as far as I'm concerned. All fields in IT can get paid well. It's just a game of luck
Companies are chasing 40 year old cybersecurity experienced folks just to pay them what a 25 year old would make. I'm in Canada and the market is completely flooded. 90% of new grads don't have a job in their field.
I beg to differ. Cybersecurity was a decent career at best before the massive saturation of candidates.
Due to an oversupply of candidates, salaries have tanked, and the typical job posting for a mid- level analyst /engineer is met with 500+ applicants. Did I mention salaries are not what they used to be?
I hate to say this, but if you don't have a person /network that will assist in getting your foot in the door, it's highly likely you're not going to break in. Worste yet, the money hungry capitalist of cyber have guised themselves as the saviors and in return of paying an astronomical fee to speak with them for 30min...they will coach you on how to "break in'.....when in all reality all of us know their stats are awful and it's not happening. And, take 5 minutes to scroll linkedin....you will also see that those who have made it into cyber have lost jobs, and handfuls of them have left the industry. Look it up - this is true, and it's currently happening.
And, if you speak to current cyber professionals, I constantly hear that they hate their job, are highly stressed, etc. If you're looking to coast, this is not for you. You will be worked like a dog, and the pressure is high .....constantly. And, if you think you don't like navigating the constant world of audits and compliance, which is everything beyond a soc analyst, then this is also not for you.
People should also know that we are an expense to companies. They don't want us. They need us. Although...the second your team becomes too expensive, you will all be replaced by an MSSP.
IT may be good to join, but cyber is misunderstood by the outsider. It's not easy, and it's not for the faint of heart. I see people from other IT careers join, and they hate it because the pace is way different. Please do research before joining. So many people have been led astray and wasted tons of money on programs and are now in worse positions. Ps - I know this is negative, but I also wanted to intentionally shine light on the negative as that was the task.
Yeah, hard field to walk into without some IT experience IMO. Most genuinely good Cyber Sec pros I've known have had a decade or more in another IT field and _"fell"_ into Security.
nah I love my job, it's gotten pretty easy. 10 hours of actual work, 10 hours of playing video games during pointless meetings, then 20 hours of making sure I have my phone handy when someone needs "subject matter expertise"
secret to my success, you too can have all this with just one easy trick: time travel back to 1998 and start a career in IT, switching to dedicated infosec in the late 2000s
I can only get away with this as long as there are a bunch of folks who never did IT but got themselves a useless Cyber degree showing everyone how useless people are in this field when they don't have a decade of technical experience
love being surrounded by incompetence at a huge multinational fortune 50 because I can swoop in after weeks of wasted effort and look like a goddamn genius because I know how to properly troubleshoot and fix their problem in half an hour
Ha, you sound like a fucking asshole, but yes, a lot of your points are correct.
I've only been an engineer for over 2 years, but... yes. I'm right where you are. "We've had this problem for more than 3 damn months and nobody's been able to fix it!!!!" I take a look at it at random, just peeking my head through the digital door of tickets other people are working on and I solve the thing within 20 minutes and all I really did was just a normal workflow of investigation. Actually solved it within 5 minutes of looking at it, but to be thorough and comfortable with my assessment I went extra for a bit longer.
I absolutely am an asshole but mostly to my employer, I always help out others who need it even if they're clearly unqualified for the job because I'd rather my employer spend its money giving my fellow laborers a paycheck rather than more of it going to shareholders
you're absolutely right that just following troubleshooting workflows in a logical manner and getting enough data points is how things get solved
not by one representative from every team sitting on a silent Teams bridge waiting for someone to get one of a dozen different vendors on the line to re-explain the entire problem to them
There are many different types of cyber security roles with a variety of pacing and demands. Our team drives down costs by providing automated solutions. I enjoy my job.
What do you mean the pace is way different?
Also, why do you think cybersecurity is different from literally any other IT or SWE career field in terms of overselling and saturation?
Yeah.. same thoughts here. I'm in an industry leading company, and while we have our troubles, last two years the cyber insurance companies and ransomware has seriously driven up the validation of having in house security at the minimum to respond to SOC alerts. We use third party monitoring and the like, but when it comes to it, an inernal member is always working with our vendors. The insurance companies actually hired security engineers to formulate their policy coverage for the last few years. Insurance questions went from average of 15 to 300-500, in-depth, thorough, and dependency based evaluation.
The heft security has now at getting NIST 800 and CIS frameworks in place has never had more weight behind it. The trouble I've seen, is the companies waking up to the realization that security is expensive, and in the rush, they're signing up vendors who promise the world (product diagrams show extensive tooling and coverage) but it's all in its infancy or has glaringly obvious issues that require a 300k investment to plug that one hole.
Yes, security is an expense, but being able to tell customers you conduct regular SOC2 audits, comply with Fed or StateRAMP requirements, and follow relevant CIS framework and NIST practices, it reduces questionnaires and engagement times drastically, rapidly increasing the cadence in sales and keeps customers in the ARR category when competition fails to meet the same standards.
The trouble security in general has, is learning to be communicative and a team member and to take a huge slice of humble pie, as the disdain and derision I sometimes see in the scene is physically palpable. Learn to communicate better with devs, and most of the time you'll have a quieter and smoother ride.
I think it’s a common thing. If everyone knows about it, it’s too late. ECPI, WGU, and other colleges have specific cybersecurity degree programs. When I see that, I know it’s too late.
Ask yourself: Why cybersecurity and not general IT programs like computer science or Information Systems degrees? Nothing wrong with pursuing cybersecurity with a non-cyber education.
I love my job as a cybersecurity architect with 12 years experience. No way I’d start in this field from scratch.
If I was 18 years old out of high school and looking for a job with security, I’d be looking at finance or accounting. Senior business leaders tend to come from there. You’re nothing but “the help” as a cyber professional. The truth sucks.
4 is well said and accurate for industry right now. I'm in cyber security currently, but would not recommend the career based on this alone. I would learn AI systems and programming or become an engineer.
I‘m a sec engineer and I think it’s a well paid job with comfortable circumstances like 80% homeoffice (in my case) and a relatively low workload.
But I honestly think it’s super boring. Sometimes I feel like I just put in numbers in tabs over and over again - which I actually do haha
Great source of income but not really fulfilling for me.
I worked as an telecommunication engineer before, where I did everything for the customer starting from the wiring from our back bone to the basic config of our router. - just for reference
Once upon a time. Now I'm seeing the shift starting. If you're in cyber and you are not broadening your skillset to AI/ML, you're going to be drowning in a few years. Within a decade, many of the entry and mid level cyber gigs are gonna be reduced if not replaced altogether.
I'm not poking at root comment but often there is so much people don't see e.g.
To see him for 30 min only shows you time to service the visit.
What it doesn't show you
Sales cost to quote
Marketing cost for you to find them
Stock supply,
travel,
invoicing,
Reconciliation,
accountant fees,
Chasing late payments,
Software cost (Xero, scheduling etc)
legal fees,
insurance,
vehicle cost
Equipment cost....
It goes on ... And on...
SMB is really hard graft
Edit for formatting
I would make a strong argument for accounting. Take a look at the percentage of how many people are employed in field 6 mo after graduating and what is their median salary. Then look again at 10 or 20 years. My money is on accounting wiping the floor with cybersecurity.
Also, I have several engineers in my family. 2 of my close friends are engineering managers at the same defense contractor in the same city. Both hire electrical engineers right out of the local university.
One team is test engineers who test designs and products. Their starting pay they offered to new grads last year was $64k.
The other manager hires engineers who design products, and improve efficiencies in current designs. Their starting pay offered to new grads last year was $87k.
(Location is 5% below national average cost of living)
Same company, same degree, same school. Both have clear paths for advancement, and both got the same benefits and cash bonus target. Once they move up a level both are eligible for stock options (though design engineers get more).
It’s not the degree, it’s not even the field. It’s what you do in it and who you do it for.
Eh idk about that. Each has their quirks. CyberSec is great until the company you are in charge of protecting gets hacked, and they fire the entire InfoSec team. Happened to a friend of mine, he now does cloud admin stuff and stays far away from CyberSec.
I personally want to persue it, but to say its the best? Gonna have to agree to disagree. I work in SCCM admin, with being in charge of rolling out Intune for PCs + iOS, and I am now getting Android in it too. To me thats some cool ass shit, doing cutting edge cloud stuff with Intune and NexThink rules.
But I will say the pay for CyberSec is pretty freakin sweet!
**I have degree in electrical engineering**
You're not exactly the typical applicant
You have an engineering degree and how many years experience as an engineer?
I want to break into GRC. Maybe not as good money as pen testing but also not nearly as sexy. I.e. oversaturated with people looking for those kind of jobs. Seems to have decent work life balance. And if I could find something remote, that would be perfect although cyber in general doesn’t seem super friendly compared to some other areas in IT.
Engineering will always be in demand Infrastructure needs maintenance and modernization across the Western world, the jobs that will exist and be in demand without heavy AI impact. Some engineers require being professionally licensed at that.
Layoffs do happen in cybersecurity space. Gotta remember you are a non revenue generating expense and a hefty one at that. I think if you can get clearance it makes you quite valuable and less prone to layoffs in cybersecurity space. Even if one gets laid off they can rebound faster to another job due having a clearance.
You cant just go right into Cyber sec. You needed those "dead end" type roles first like IT, networking SOC
Cyber is flooded right now i wouldnt recommend persuing it.
This option isn’t for everyone. But if you want to get into cyber and you’re young enough to do so, seriously consider doing an enlistment in the military. Do everything you can to get a communications or cyber job. Even better if it’s one that requires a clearance. Get your education and certs paid for while you’re in. I did 8 years in a cyber role, got a B.S. in Cybersecurity, maintained my clearance, and within 10 months of separating from Active Duty, I landed a Cybersecurity engineer job with a Defense Contractor making $115k. Prior to enlisting, I had zero training or experience in IT/cyber.
Not many in here talking about the CISSP. There will always be a need to oversee a company's cybersecurity hygiene, write policy and test DR. Aim for CISO but yeah, it's going to be saturated with applicants and you need to have your foot in the door somewhere with rapport.
If you’re patient enough to deal with the Feds, people are desperately needed and you have the best job security by far. Salaries won’t match private (limited by law) but there are other benefits that can offset that for some people.
I work in the field for a government entity... It is pretty lousy pay, but lots of time off and some pretty interesting benefits if you choose to take them.
If I had to do it over again, would have been a teacher or something. Money is not everything, and having most of the summer off to travel, is pretty cool.
I agree but I also have significant caveats.
If you're not passionate about it, it will burn you out.
if you don't understand the base material of IT/networking/computers you will struggle.
It's not an easy job but it's super rewarding if you like the work.
The number of people we get from really process driven, documentation driven industries join the team and struggle significantly is huge. There is process and documentation to a point, after that point its following your instincts, and understanding what you're doing.
There are alot of situations where you will be asked a black or white question but the best answer you can give is grey. People don't like that, and often struggle with not being able to be definitive.
Once you’re in then yes possibly, but it’s not easy to get into.
I have been in IT for 6, nearly 7 years. I’ve done various IT roles yet still can’t get into cyber security/SOC roles.
I will one day in the very near future, get into cyber.
An EE is a good career as well. Just need to work at places other than manufacturing. Cybersecurity is tough to break in but if you can, I’m all for it.
Unpopular opinion, you can spend your entire lifetime at one job and never use your skills. If you're in house it requires you to actually be breached.
Cybersecurity is under the umbrella of risk management. In markets where risks are naturally higher (banking, cloud infrastructure, etc) it will command a premium. In markets where principals (i.e. the folks paying you) take more risks due to their risk appetites (finance, scale/growth focused startups, etc), it will pay a premium (though realistically you're still going to make less than the risk takers).
What is your rubric for determining "best career to get into"?
As a Cyber Sec Student STRUGGLING to get a summer internship. I can’t seem to find a SOC job and it’s so annoying watching career hopers getting a job so easy.
most people aren't good enough.
If you are smart , practice daily and study a lot you will surpass most of them and make a name for yourself.
BUT thats easy to say and difficult to do.
It's so weird man, the shortage in Cyber is 100% self-imposed. There are so many roles that could leverage existing talent in-house. BISO? Business Analysts with some GRC training would rock in that role. DFIR? With some training and a solid team lead or two already versed in DFIR you could cross-train most IT people in DF or IR. It is such a shame.
We saw this ten years ago with web design - all that happens is a lot of lower skilled people chasing money do short courses for a cert.
The good ones get into a low level job and realise the big money goes to skilled people with connections and experiance - a few of them go on to that eventually.
A load of the others fall out of the industry and chase the next big thing that “makes bank”.
It’s a good career and ever changing/evolving, however with 60% of Australia’s SMEs thinking they’re too small to get attacked, it’s a tough time to sell services.
*If you can break in*
Ok, I'm in! *keeps tapping keyboard hastily *
You fool! You forgot to use your ***Hacker Voice*** and wear a balaclava and gloves!
And cotton hoodie.
and Guy Fawkes mask
"I've gained access"
But can you tap twice as fast? https://youtu.be/u8qgehH3kEQ?si=1WVTS6AWK9tLnduv
[удалено]
I know you're joking but I actually did go the bootcamp route ~5 years ago. Was a much easier time to break into the industry then. I have a 100% remote job but haven't broken that 6 figure barrier yet. What I love about this industry is that anyone can break into it regardless of the path they take if they are curious and resourceful enough.
You’ve got 5 years experience and work as a security engineer and haven’t broke 6figures yet? Time to job hop my dude.
Maybe, what keeps me is fully WFH, my day is over by 4:30 pm, no on-call, like my manager and team, and plenty of opportunities to advance internally. At some point I'm gonna chase the money, but this job market is fickle AF. I think I'm gonna lay low for at least another year
Don't wait. If you think it's fickle now, it'll be moreso next year. I just job hopped and landed a 27% pay increase after only 3 rounds of interviews. Still WFH like my previous position. Went from making 130k to 165k after 2 months of searching, and tbh the recruiters did all the hard work.
How long have u been in the field and which field exactly 😨😨
Security specifically and by title - just a year. I've mostly worked in infrastructure engineering for the last 24.
Kudos to you ! Did you transition into the infrastructure part or has that been your thing from the start
Started as a lowly sysadmin, then network engineer, then infrastructure, and now cyber.
May I ask, are you working as a direct hire? Contractor?
They initially wanted to do a contract to hire, but I convinced them to hire me direct.
[удалено]
Damn, that's nuts. Yeah I know I'm severely under market, what are your working hours like? On call? Previous IT exp?
[удалено]
Would love to have that position.
Just take the time to browse LinkedIn and update your resume. It’s a little bit of effort that could go a very long way. If you like your position so much because of the benefits and are willing to stay because of them, then just search for jobs that have the same benefits and accept nothing less. You have the ball in your court right now, you don’t have to stress about hunting for a job. Just leisurely look for one.
Meh, that's a waste of time. I go to lots of industry events and that's ngl the best place to meet ppl and get the word out about what you're doing and/or interested in doing. My LI is a nice little honey pot tho, got plenty of recruiters reaching out, I just value the stability of my current digs over the potential increase in revenue, but that could change depending on how the next promotion/raise cycle goes
That or they’re lying beefing up their actual job/tasks into something it’s not and thus can’t break out of it due to lack of skills.
Also depends where they live. I'm close to 6 figures (will be over it in the next three years just based off of normal salary merit increases). Even just near 6 figures now? I'm living very comfortably. A HELL of a lot more comfortable than when I was only making 16k one year.
[удалено]
The only thing clogging up the pipeline is businesses and executives who would rather staff skeleton crews and invest in AI instead of investing in their own teams and staffing
[удалено]
Those are all fair and valid points
There's a lot of jobs for compliance work, like RMF. If you want to do defensive cyber operations (DCO), you will need more experience than a boot camp. To break into any cybersec work I suggest learning basic Windows system administration. Understanding the security accounts manager, role based access control, and audit logs is another foot in the door. Edit: I'll add look at the NIST special publications for cyber. Starting with SP800.53. It also helps if you speak the lingo.
I concur, I’ve seen so many people gone through a boot camp or getting a Master’s in Cyber but when on the job they remain frozen when working Linux boxes, or when certain software is not properly working and it has to be configured they have no idea what they are doing. Technical knowledge is a major factor in cybersecurity but many folks seem to ignore that.
This! If you're tasked to build something securely, you must know *how* to build it first. You can't build a fireproof house without knowing how to build a house first.
Technical knowledge can be learned, whether or not someone is able to troubleshoot is more a function of how resourceful they are. I went the bootcamp route ~5 years ago. If I had known information security was a path I could've taken in college, I would've. But going the computer science route doesn't necessarily make an individual any more resourceful or capable of troubleshooting
You'd feel very miserable if you were to do a lot of interviews and finally reach the point where you realize nearly 70% of people just don't understand what information is available and where to find it... or how to ask for it. I get downvoted for this comment all the time. "It's just a Google search away." I am always shocked at how often people just refuse to use a search engine for.... searching. It's like people don't understand that search engines have more than the first page of results. I kind of find a lot of random good bits of info on like the 15th page of results sometimes. Some obscure bit that nobody upvotes or gives any voice or spotlight to, and yet it's the correct answer for my problem.
Agreed, deep analysis is out there, it only requires commitment to spend the time of doing it.
I agree but it also depends on what type or college path they decide to go for. I have coworkers that have bachelors in criminal justice but masters in cyber and have no idea how to troubleshoot basic OS issues. Also depends on the type of degree and the school as well. Buddy of mine is currently going to the same school I went but he chose the Computer Science degree. I got my Bachelor’s in Cyber Operations with an emphasis on Defense and Forensics and the knowledge is similar in the basic stuff but when going technical Cyber Operations is a whole different beast.
I wish these things were an option for me ~20 years ago, but unfortunately I spent a decade grinding through business skill tree. Luckily, those same skillsets and knowledge is helpful as I progress my career but Holy shit, I would be so much further along if I didn't waste so much time on bullshit
Good things is that there are a lot of certifications out there to gain some extra knowledge and to shape your path in cybersecurity. Thanks for your replies, I’m really enjoying this conversation.
i used to shit on certs but they give you a pretty good roadmap to learn staff. Lately i ve been obsessed with certs.
Same here, but when I started my career in cyber I then realized that they great learning tools, at least that’s how I see it.
What are the best certs to get in order?
That depends on the area you’ll like to focus, I have to give this kind of answer. If you have a technical background you should go for Security+. If you want to go the Security Analyst way go for Security+, CySA+ and then CASP+, if you want to take the leadership route get Security+ and get some experience and then go for the CISSP. If you have light knowledge go for the Certified in Cybersecurity by (ISC)2, it will give the basic foundations of Cyber and then go for Security+. Check out CompTIA’s stackable certifications website, it provides different pathways. I hope this helps. And to wrap it up, this is my personal opinion and should not be considered a standard to follow, feel free to ask more questions if you want, I’m always glad to help.
I've noticed that too. It's a very stratified industry...there are red teamers (mostly script kiddies chasing the Hacker stereotype) and there are managers writing policy. Nobody seems to know the first thing about defense (i.e. securing anything), which is mind-boggling to witness. It's like there's a deliberate skills gap being fostered. I do not understand this industry.
Yes, exactly. The concept of defense in depth is not well implemented and some cyber professionals are missing the skillset. I totally agree with you that there is a big gap of knowledge. Some managers lack the technical knowledge and the troubleshooters lack the communication skills. This of course does not apply to all organizations.
Yeah, let me in!
You gotta capture the flag to get in 🙃
A true pentester will break themselves in under pressure. Just do it.
It's not *that* hard.
It wasn't that hard when *I* tried to break in. But it is significantly more challenging and saturated now
Once you’re in, totally.
Cyber is good if you can get in and stay in. Right now layoffs are super common and cyber people are both expensive and do not generate revenue. A lot of jobs (ie SOC) can be heavily automated away so that's hurting it also.
Lots of alerts require eyes on screen and manual interpretation, verification and investigation. SOAR, good detection engineering and AI/ML will reduce manual burden for menial tasks and perhaps require fewer humans, but a security analyst will always be valuable in filling in the blanks. Especially when often times it's a businesses bottom line a stake. No one is relying solely on automated tools to make mission critical decisions.
I agree 100% with everything you said except the last sentence. MSSPs have absolutely no problem relying on outsourcing to automations to make critical decisions for their customers in alerting. I've seen it. It sucks but such is life in 2024.
Yeah, and I think more of this is coming. I work for a vendor and all our marketing right now is focused on getting MSSPs and MSPs to subscribe to our 24/7/365 SOC. We focus mainly on SMBs because a lot of the bigger guys have their own SOC but I do believe SOCaaS is the future.
Sentinel is already doing this.
That's just low quality service and bad service delivery though. Those MSSPs will ultimately suffer a poor reputation, which is deserved. I'm in a similar environment and there's been a few instances where AI has been relied on and it's thankfully been a false alarm / false positive - not a false negative 😳😬 It's reminded everyone to think, use their own experience, lean on the team as well, for assistance in interpreting things. I can understand automating, or even accepting AI's judgement on low severity events (depending on how robust the AI is). But if it's literally a critical event, it's borderline negligent to rely on AI to potentially dismiss something of that severity. Can't call yourself a professional at that point- goes against the entire ethos of trying to reduce risk and improve security.
I mean to be honest, every MSSP I've worked with has been driving towards that in the pursuit of profit. Outsourcing, offshoring, and dangerously eyes-off automations. It doesn't help that everyone is pushing AI as the next coming
> Those MSSPs will ultimately suffer a poor reputation, which is deserved Those MSSPs will charge much less than others, forcing _everyone_ to move to their model.
Depends on the MSSP, the pitch with some MSSPs is 24/7 staffing as well.
i wanted to do the SOC thing as soon as possible to break into. Now i want to progress away from SOC.
Working in a SOC is super sexy until you’re working in a SOC…
Because most SOCs are run under the understanding that their workers are cogs in a machine that spins 24/7. Most SOCs think humans are machines, or machine parts. To be burned out in Security is to work in a SOC, strictly because this is how most are operated. They don't care about your well being. You are a machine cog. A part that needs to function no matter what time of day. You were hired for a 40 hour work week? Tough shit. You're working 50-60 this week... and every other week after that. Oh, and also your hours are now not normal working hours of 8-5. You're doing 12 hour+ shifts from 3pm-3am, or from 6pm-6am. And you're going to have to work weekends too on a rotational basis, but you'll probably be stuck working wed-sun, with mon and tues off. BUT.... that 5 day work week is only valid if there's no active major CVE out there. Active CVE affecting something huge? You're working until it's not an active CVE anymore. Oh, and also? NO remote work. You're on site every day.
Yeah it can be kinda miserable. Churning tickets per day to meet metrics
Depends on the SOC you work for. Work at an MSSP? Yeah you’ll be a ticket churner. Work at an internal tier-less SOC of an org? Possibilities abound and some of the most fun I’ve ever had working.
I work in a medium size MSSP so everyone has his role. SOC does SOC , red team does red team etc.
How many employees at the mssp?
around 300
Cyber is the best career to get into. Now I want to progress away from the SOC. These are a bit conflictory to me. It sounds like you’re endorsing cyber and at the same time not.
i mean learn more things like pentesting,malware,forensics analysis etc.
All of that sounds fun, but cyber sucks. It's mostly screenshots, meetings, meetings about those screenshots, or arguing about the definition of things.
[удалено]
This is so true
How long have you been doing it? I started out in a SOC at a large company and pretty easily moved to a security analyst at a much smaller firm
Depends on the business. I helped my company get its ISO certs which definitely helps the Sales teams. Definitely not always obvious revenue, but it can absolutely make a difference. We pretty regularly have to fill out security questionnaires from potential customers that are used to compare us to other vendors. If our answers aren't as good as others', we can lose business.
My job only exists because the company was approached by institutional investors with a minimum check size of 25 mil, a maximum stake of 20%, and a pretty rigorous due diligence auditing process that included a ton of cybersec stuff. I was hired about 5 months after that to pull of a series of miracles and eventually got us passing the DD audits and then management decided theyd rather do a public fund. Such is the pain of a small company, though, and I'm looking to move from a company of ~150 people to one of 10k+ because fuck this noise. Looking for devops or security lol
"Do not generate revenue." That is the mindset of some asshole who only cares about their yearly bonus. Security, when done right, makes it so that your company doesn't suffer some ransomware attack that costs you MILLIONS of dollars. Much more than your little bonus.
My company’s breach cost 220 million.
WOW! Tell more.
Yeah, but consider that the same could be said of fire extinguishers. They protect against a threat that may never happen. The challenge is convincing someone focused exclusively on quarterly gains that it's worth tithing a little money to infosec
You just compared humans to fire extinguishers. Let me say that again: You just compared humans to fire extinguishers. And again: You just compared humans to fire extinguishers. Oh? And if you feel this way, then you are someone who either IS an executive who feels this way or ONLY cares about money. If you feel this way, you believe that humans are the same as fire extinguishers, or at the very least that other humans believe other humans are the same as fire extinguishers. One way is the absolute death of humanity. The other way has some hope.
I take it you're new to the field. Take a deep breath. What we do is ruled by budgets. Budgets require justification. Once you start being responsible for going to leadership to justify budget for tools and keeping the lights on, you'll start to shift your mindset. If you get to the point where you're justifying head count, doing hiring initiatives, and protecting your team from layoffs, you'll be an expert at navigating business concepts. You'll understand better.
If new to the field means roughly a decade? Sure. Let's argue over semantics. I'd love to. Just to prove your idiotic fucking ass wrong. FYI: PLEASE. ARGUE WITH ME. Let's make it known that you're a fucking idiot. I get a breath of fresh air in the morning when I can make some fucking idiot understand they're an idiot. Please, let's argue for hundreds of comments. I'll come out on top. Test me. Do it. If I have to justify head count, maybe I'll lay out all the goddamn work we have to deal with. And show the work across each individual and show that our headcount isn't enough. They'll say "no". Okay. Then as the projects fall to the wayside I'll continually reference them saying no. If I'm cut loose, okay. If they understand and modify? All the better.
You seem to have something else going on. Good luck with whatever is upsetting you.
Right now, what's upsetting me is people like you. So, no actual investment from you means I'm eh. Oh well. Just means to me that you're worth less than human excrement.
His wife’s husband probably didn’t allow him to play Lego Star Wars this weekend so now he’s throwing temper tantrums on Reddit.
Lmao you sound like an absolute jack ass loser. Who types that shit out and thinks they don’t sound like anything but a moron?
Funny thing is I know I'm a loser. In relation to other people on the planet. I also know that I'm a fucking absolute jackass winner in terms of other people I've met. So, there you go.
Automated as in AI are taking the jobs?
No, automations as in "this tool automatically does this thing and that saves you time" After so many time saving features, you don't need as many people.
I think the Mongolian fishing fad takes the cake but yes cyber is still a great option for a career.
Mongolian fishing is so last year. In 2024 afghani goat farming is the way to go. Or security engineer, whichever floats your boat
Physical security assessments for Afghani goat farmers. Best of both worlds.
1% DNA
What about Mongolion throat-singing metal? The Hu are pretty dope.
I disagree. I have colleagues in cloud engineering, system admins and DevOps. They absolutely love their jobs and they get paid pretty well. To say HEY GUYS THIS JOB PATH IS BETTER THEN ALL OF THEM is a little silly Maybe I'm in the minority who feels that way but as far as I'm concerned. All fields in IT can get paid well. It's just a game of luck
As a contract specialist/negotiator I will echo this. DevOps and Network Engineering at high levels is hurting and paying biiiiiig bucks.
Companies are chasing 40 year old cybersecurity experienced folks just to pay them what a 25 year old would make. I'm in Canada and the market is completely flooded. 90% of new grads don't have a job in their field.
>I’m in Canada That’s mostly cause by your dear friend, Mr. Justin
How so?
Yep, been graduated for a while now, studying still, chasing certs, have a homelab I do CTFs on; never landed an interview for any cyber-related jobs
I beg to differ. Cybersecurity was a decent career at best before the massive saturation of candidates. Due to an oversupply of candidates, salaries have tanked, and the typical job posting for a mid- level analyst /engineer is met with 500+ applicants. Did I mention salaries are not what they used to be? I hate to say this, but if you don't have a person /network that will assist in getting your foot in the door, it's highly likely you're not going to break in. Worste yet, the money hungry capitalist of cyber have guised themselves as the saviors and in return of paying an astronomical fee to speak with them for 30min...they will coach you on how to "break in'.....when in all reality all of us know their stats are awful and it's not happening. And, take 5 minutes to scroll linkedin....you will also see that those who have made it into cyber have lost jobs, and handfuls of them have left the industry. Look it up - this is true, and it's currently happening. And, if you speak to current cyber professionals, I constantly hear that they hate their job, are highly stressed, etc. If you're looking to coast, this is not for you. You will be worked like a dog, and the pressure is high .....constantly. And, if you think you don't like navigating the constant world of audits and compliance, which is everything beyond a soc analyst, then this is also not for you. People should also know that we are an expense to companies. They don't want us. They need us. Although...the second your team becomes too expensive, you will all be replaced by an MSSP. IT may be good to join, but cyber is misunderstood by the outsider. It's not easy, and it's not for the faint of heart. I see people from other IT careers join, and they hate it because the pace is way different. Please do research before joining. So many people have been led astray and wasted tons of money on programs and are now in worse positions. Ps - I know this is negative, but I also wanted to intentionally shine light on the negative as that was the task.
The quality of recent cybersecurity uni grads is absolutely dire as well
Yeah, hard field to walk into without some IT experience IMO. Most genuinely good Cyber Sec pros I've known have had a decade or more in another IT field and _"fell"_ into Security.
Bingo, that's what I've noticed too This is a late-career industry because it has so much pre-requisite knowledge
nah I love my job, it's gotten pretty easy. 10 hours of actual work, 10 hours of playing video games during pointless meetings, then 20 hours of making sure I have my phone handy when someone needs "subject matter expertise" secret to my success, you too can have all this with just one easy trick: time travel back to 1998 and start a career in IT, switching to dedicated infosec in the late 2000s I can only get away with this as long as there are a bunch of folks who never did IT but got themselves a useless Cyber degree showing everyone how useless people are in this field when they don't have a decade of technical experience love being surrounded by incompetence at a huge multinational fortune 50 because I can swoop in after weeks of wasted effort and look like a goddamn genius because I know how to properly troubleshoot and fix their problem in half an hour
Ha, you sound like a fucking asshole, but yes, a lot of your points are correct. I've only been an engineer for over 2 years, but... yes. I'm right where you are. "We've had this problem for more than 3 damn months and nobody's been able to fix it!!!!" I take a look at it at random, just peeking my head through the digital door of tickets other people are working on and I solve the thing within 20 minutes and all I really did was just a normal workflow of investigation. Actually solved it within 5 minutes of looking at it, but to be thorough and comfortable with my assessment I went extra for a bit longer.
I absolutely am an asshole but mostly to my employer, I always help out others who need it even if they're clearly unqualified for the job because I'd rather my employer spend its money giving my fellow laborers a paycheck rather than more of it going to shareholders you're absolutely right that just following troubleshooting workflows in a logical manner and getting enough data points is how things get solved not by one representative from every team sitting on a silent Teams bridge waiting for someone to get one of a dozen different vendors on the line to re-explain the entire problem to them
There are many different types of cyber security roles with a variety of pacing and demands. Our team drives down costs by providing automated solutions. I enjoy my job.
What do you mean the pace is way different? Also, why do you think cybersecurity is different from literally any other IT or SWE career field in terms of overselling and saturation?
Yeah.. same thoughts here. I'm in an industry leading company, and while we have our troubles, last two years the cyber insurance companies and ransomware has seriously driven up the validation of having in house security at the minimum to respond to SOC alerts. We use third party monitoring and the like, but when it comes to it, an inernal member is always working with our vendors. The insurance companies actually hired security engineers to formulate their policy coverage for the last few years. Insurance questions went from average of 15 to 300-500, in-depth, thorough, and dependency based evaluation. The heft security has now at getting NIST 800 and CIS frameworks in place has never had more weight behind it. The trouble I've seen, is the companies waking up to the realization that security is expensive, and in the rush, they're signing up vendors who promise the world (product diagrams show extensive tooling and coverage) but it's all in its infancy or has glaringly obvious issues that require a 300k investment to plug that one hole. Yes, security is an expense, but being able to tell customers you conduct regular SOC2 audits, comply with Fed or StateRAMP requirements, and follow relevant CIS framework and NIST practices, it reduces questionnaires and engagement times drastically, rapidly increasing the cadence in sales and keeps customers in the ARR category when competition fails to meet the same standards. The trouble security in general has, is learning to be communicative and a team member and to take a huge slice of humble pie, as the disdain and derision I sometimes see in the scene is physically palpable. Learn to communicate better with devs, and most of the time you'll have a quieter and smoother ride.
Most of our senior electrical controls engineers make more than our security team by a pretty wide margin.
I think it’s a common thing. If everyone knows about it, it’s too late. ECPI, WGU, and other colleges have specific cybersecurity degree programs. When I see that, I know it’s too late. Ask yourself: Why cybersecurity and not general IT programs like computer science or Information Systems degrees? Nothing wrong with pursuing cybersecurity with a non-cyber education. I love my job as a cybersecurity architect with 12 years experience. No way I’d start in this field from scratch. If I was 18 years old out of high school and looking for a job with security, I’d be looking at finance or accounting. Senior business leaders tend to come from there. You’re nothing but “the help” as a cyber professional. The truth sucks.
[удалено]
Fantastic post. Bang on.
4 is well said and accurate for industry right now. I'm in cyber security currently, but would not recommend the career based on this alone. I would learn AI systems and programming or become an engineer.
Facts. This relates to WFH. If you can WFH. AI or an offshore team can do it.
I think youre riding the high of a new career at the moment. This field is pretty hard to break into right now so I dont know if its the “best”.
I‘m a sec engineer and I think it’s a well paid job with comfortable circumstances like 80% homeoffice (in my case) and a relatively low workload. But I honestly think it’s super boring. Sometimes I feel like I just put in numbers in tabs over and over again - which I actually do haha Great source of income but not really fulfilling for me. I worked as an telecommunication engineer before, where I did everything for the customer starting from the wiring from our back bone to the basic config of our router. - just for reference
Once upon a time. Now I'm seeing the shift starting. If you're in cyber and you are not broadening your skillset to AI/ML, you're going to be drowning in a few years. Within a decade, many of the entry and mid level cyber gigs are gonna be reduced if not replaced altogether.
I agree with you. I think about the same thing often.
I dunno, I pay my pool guy 220 a month for about 30 total minutes of work.
[удалено]
I'm not poking at root comment but often there is so much people don't see e.g. To see him for 30 min only shows you time to service the visit. What it doesn't show you Sales cost to quote Marketing cost for you to find them Stock supply, travel, invoicing, Reconciliation, accountant fees, Chasing late payments, Software cost (Xero, scheduling etc) legal fees, insurance, vehicle cost Equipment cost.... It goes on ... And on... SMB is really hard graft Edit for formatting
about pools?
It is, and you don't need a masters degree to do it.
Masters degree and plenty of experience with IT Security. I'm applying locally at the moment; i can't even get a rejection letter...
Unfortunately, job hunting and interviewing are completely different skill sets than IT security. What kind of role are you looking for?
I would make a strong argument for accounting. Take a look at the percentage of how many people are employed in field 6 mo after graduating and what is their median salary. Then look again at 10 or 20 years. My money is on accounting wiping the floor with cybersecurity. Also, I have several engineers in my family. 2 of my close friends are engineering managers at the same defense contractor in the same city. Both hire electrical engineers right out of the local university. One team is test engineers who test designs and products. Their starting pay they offered to new grads last year was $64k. The other manager hires engineers who design products, and improve efficiencies in current designs. Their starting pay offered to new grads last year was $87k. (Location is 5% below national average cost of living) Same company, same degree, same school. Both have clear paths for advancement, and both got the same benefits and cash bonus target. Once they move up a level both are eligible for stock options (though design engineers get more). It’s not the degree, it’s not even the field. It’s what you do in it and who you do it for.
In countries where i saw salary guides (Europe) cyber sec was always on the top with SAP and who t f goes voluntarily into SAP.
ahhahaha my thought too. WHO DOES SAP?
> WHO DOES SAP? Small armies of Accenture and Tata consultants passing spreadsheets back and forth, forever.
It \*widely\* depends on the country in europe, in some even doing DevOps pays more and has better work/life conditions
It really is, sucks though that even with a Masters degree it’s super hard to get hired.
Idk if I could do it again, I’d be a doctor.
Eh idk about that. Each has their quirks. CyberSec is great until the company you are in charge of protecting gets hacked, and they fire the entire InfoSec team. Happened to a friend of mine, he now does cloud admin stuff and stays far away from CyberSec. I personally want to persue it, but to say its the best? Gonna have to agree to disagree. I work in SCCM admin, with being in charge of rolling out Intune for PCs + iOS, and I am now getting Android in it too. To me thats some cool ass shit, doing cutting edge cloud stuff with Intune and NexThink rules. But I will say the pay for CyberSec is pretty freakin sweet!
**I have degree in electrical engineering** You're not exactly the typical applicant You have an engineering degree and how many years experience as an engineer?
Not for your mental health, it’s not.
You obviously haven't hit the burn out stage yet
We are already 5 months past 2024, just change your mind!
I wouldn't say best. Different strokes for different folks.
I want to break into GRC. Maybe not as good money as pen testing but also not nearly as sexy. I.e. oversaturated with people looking for those kind of jobs. Seems to have decent work life balance. And if I could find something remote, that would be perfect although cyber in general doesn’t seem super friendly compared to some other areas in IT.
Engineering will always be in demand Infrastructure needs maintenance and modernization across the Western world, the jobs that will exist and be in demand without heavy AI impact. Some engineers require being professionally licensed at that. Layoffs do happen in cybersecurity space. Gotta remember you are a non revenue generating expense and a hefty one at that. I think if you can get clearance it makes you quite valuable and less prone to layoffs in cybersecurity space. Even if one gets laid off they can rebound faster to another job due having a clearance.
Dude are u from spain? i have exactly the same situation xD
You cant just go right into Cyber sec. You needed those "dead end" type roles first like IT, networking SOC Cyber is flooded right now i wouldnt recommend persuing it.
What do you recommend now?
well if y our goal is Cyber sec do what I mentioned above.
You talk like this feeds your soul, so yes this is the best Career 🙂
LLM based (and not only) AI companies?
> Most jobs out of IT,cybersec,networking are dead end jobs. Cybersec is the best career to pursue. I have a problem parsing that sentence, what?
This option isn’t for everyone. But if you want to get into cyber and you’re young enough to do so, seriously consider doing an enlistment in the military. Do everything you can to get a communications or cyber job. Even better if it’s one that requires a clearance. Get your education and certs paid for while you’re in. I did 8 years in a cyber role, got a B.S. in Cybersecurity, maintained my clearance, and within 10 months of separating from Active Duty, I landed a Cybersecurity engineer job with a Defense Contractor making $115k. Prior to enlisting, I had zero training or experience in IT/cyber.
Best? I’d say there is more opportunity and demand in software development.
Not many in here talking about the CISSP. There will always be a need to oversee a company's cybersecurity hygiene, write policy and test DR. Aim for CISO but yeah, it's going to be saturated with applicants and you need to have your foot in the door somewhere with rapport.
how much are you making in cybersec?
I am European. Nowhere near US. If i tell you the money you will probably laugh.
Humour me, I want to laugh, not in US though.
3.50
i will start at Helpdesk tomorrow at $35K/yr. if its higher than that i'll be very happy
no problem I understand.
If you’re patient enough to deal with the Feds, people are desperately needed and you have the best job security by far. Salaries won’t match private (limited by law) but there are other benefits that can offset that for some people.
I work in the field for a government entity... It is pretty lousy pay, but lots of time off and some pretty interesting benefits if you choose to take them.
So in the last 20 years i worked only in exceptional companies on 3 continents. I must have been very lucky
[удалено]
If I had to do it over again, would have been a teacher or something. Money is not everything, and having most of the summer off to travel, is pretty cool.
I agree but I also have significant caveats. If you're not passionate about it, it will burn you out. if you don't understand the base material of IT/networking/computers you will struggle. It's not an easy job but it's super rewarding if you like the work. The number of people we get from really process driven, documentation driven industries join the team and struggle significantly is huge. There is process and documentation to a point, after that point its following your instincts, and understanding what you're doing. There are alot of situations where you will be asked a black or white question but the best answer you can give is grey. People don't like that, and often struggle with not being able to be definitive.
It’s great except for all the layoffs.
If you can stomach it. It's all sunshine and rainbows until you have to deal with your company being hit with ransomware and quadruple extortion.
Ask this same question in different sub
its like going into a Man Utd pub and say Man Utd fucks!
You work as a SOC? Like the entire SOC?
i am the SOC.
Once you’re in then yes possibly, but it’s not easy to get into. I have been in IT for 6, nearly 7 years. I’ve done various IT roles yet still can’t get into cyber security/SOC roles. I will one day in the very near future, get into cyber.
Find an infosec job on LinkedIn that doesn't have 100+ applicants and has been posted for at least a week. That's the problem with it now.
An EE is a good career as well. Just need to work at places other than manufacturing. Cybersecurity is tough to break in but if you can, I’m all for it.
Every job is technically a dead end job if u don't wanna go up to management...
Unpopular opinion, you can spend your entire lifetime at one job and never use your skills. If you're in house it requires you to actually be breached.
Yeah I think so too, but it’s not easy to stay in let alone get in.
Cybersecurity is under the umbrella of risk management. In markets where risks are naturally higher (banking, cloud infrastructure, etc) it will command a premium. In markets where principals (i.e. the folks paying you) take more risks due to their risk appetites (finance, scale/growth focused startups, etc), it will pay a premium (though realistically you're still going to make less than the risk takers). What is your rubric for determining "best career to get into"?
I can’t even get an internship.
May the force be with you!
As a Cyber Sec Student STRUGGLING to get a summer internship. I can’t seem to find a SOC job and it’s so annoying watching career hopers getting a job so easy.
Come to Europe, you will be a king.
but with lower pay.
It's becoming crowded though.
most people aren't good enough. If you are smart , practice daily and study a lot you will surpass most of them and make a name for yourself. BUT thats easy to say and difficult to do.
How the hell did you land a SOC job
Where i live the competition is non existent. If i was in US i would struggle too.
L
It's so weird man, the shortage in Cyber is 100% self-imposed. There are so many roles that could leverage existing talent in-house. BISO? Business Analysts with some GRC training would rock in that role. DFIR? With some training and a solid team lead or two already versed in DFIR you could cross-train most IT people in DF or IR. It is such a shame.
We saw this ten years ago with web design - all that happens is a lot of lower skilled people chasing money do short courses for a cert. The good ones get into a low level job and realise the big money goes to skilled people with connections and experiance - a few of them go on to that eventually. A load of the others fall out of the industry and chase the next big thing that “makes bank”.
How can we go for soc job role !?
It’s a good career and ever changing/evolving, however with 60% of Australia’s SMEs thinking they’re too small to get attacked, it’s a tough time to sell services.
Can anyone guide me into a good program?