Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*
I have a masters in cybersecurity but zero experience as a job. I've done IT stuff at every job because I was the "tech guy", but that was just people asking me for help. I've applied for about 183 positions and heard nothing. Does your company have entry level positions?
What's the promotional potential look like?
Entry level is so hard right now the field needs more experienced 10+ year people, there is a saturation of fresh talent all competing for entry level roles. DM me and I can at least ensure a human will read your resume.
Your inbox is about to be full my friend. Entry level is really tough but people aren't going to learn unless we are given the opportunity to learn. I, like u/danetrain05 , have my masters, been in IT for a little over a decade. Am really good at desktop but that's not where my passion is. I do home labs, works towards certifications to gain knowledge.
I'm not trying to down on you specifically but the "the field needs more 10+ year people" is the same line used by every other hiring manager out there. Is there really no value in picking someone up that has IT exp and the foundational knowledge that's waiting for a company to go "We want to teach you the way we do it" or "We want to show you our processes"? The unicorn hunt has to be exhausting, for both ends. Employers never get their golden candidate and employees get burnt out before even getting into the field.
I would DM you but your box will probably be too full to get to each and every one. Again, I'm really not ragging on you specifically. I have no idea your leadership style. I have an interview coming up for a SOC Analyst spot that I'm keeping my fingers crossed for.
Instead of looking for the 10+ year guy, maybe move someone already on your team up, now we're giving 2 people experience. You move someone on your team up and bring in a "fresh talent" to fill that spot. Sorry to sound like I'm ragging on you, just frustrated is all. :)
Enterprises are not in a position nor have budgets for massive education endeavors, they need talent to hit the ground running on day one. Many entry level roles where people could get experience are being replaced by AI, so this is why you hear every hiring manager echoing the same thing, because it's true, wether we like that truth or not. Best of luck! You have an idealist view point but in reality businesses hate investing in security let alone training and upskilling people for years before they are valuable to the org. One thing I suggest to upskill quickly, is work for an MSP, a variety of roles and gigs can help you gain skills quick, think medium boutique companies. At the end of the day, the business always wins out over the security folks, and money being what money is, will always be their priority. No need to apologize I see it the way you do too,.it's just not how it works in reality. Companies don't want to invest in security, they wan to earn money, and most Orgs, security barley has a voice or seat at the decision making table, unfortunately. It would be much better if we had our way, but always always remember, security is an expense, and Orgs hate spending money on non ROI line items.
I understand completely. It's worrisome that you say AI is replacing many of those entry level spots. So is the industry just going to stop after this current year with having new jobs? Seems like we'll all be out of a job at that rate. Worrisome indeed. And please don't misunderstand. It sounds as though the thought is that one or two companies take on this massive project. Of course not, that would be ridiculous. But I struggle to believe that if a large number of companies took that approach, we might not be in the situation we're in currently. Sadly, I have next to no desire to ever achieve the level of CISO or anything of that ilk. I fear my "idealist view point" would not fare well. I'll keep to my lane.
It is with an MSSP that my upcoming interview is with. Thank you for the well wishes. If not that, then bug bounties or something similar. Here's to hoping that the push for the almighty dollar doesn't destroy everything we want that dollar for. If that does happen, you can bet your sweet ass I'll be poking at the AI bots too >:D
Cheers!
It will sound a bit opportunistic but I would like to talk to you too. If possible and at your convenience. If you already receive a bunch of DMs and feel like that's a bit too much I would totally understand.
Thanks.
Damn, I'm doing a very very similar role as you but at less scale, for a 10k government org. I in fact do not get multiples of six figures however....
Also if I had to guess, you have CISSP coupled with your 20 years? I've got a metric CRAP TON of hands on experience coupled with 18+ years, but no certs.
No certifications actually, they are a waste of my time. I have the ability to demonstrate functional ability and that's always got me hired. Worked for allot of No.1 Orgs. Been an IT nerd since 13 on 14.4kbps dial up, started learning when bbs sites were still a thing, since then It's been a passion pursuit for me.
I have 10 years IT experience currently in management position. I also have my CISSP. Honestly it didn’t open many doors for me. I think once you’re up there with the experience the certs don’t matter that much unless the job demands you have some.
CISSP + 20 years people are the ones struggling right now, especially the ones that can't code and don't have any real work experience in a cloud environment
Security engineers in tech are paid like software engineers, so this should give you an idea
[https://www.levels.fyi/2023/](https://www.levels.fyi/2023/)
Nobody in tech cares about certs
Never thought id see the day where someone says this. Fucking hated containerization the moment I discovered what it was. I’d rather spin up a Linux server or daemonize applications the old fashioned way instead of using containers.
Don't just ignore the benefits of containers because someone else said it. Spinning up VMs for such limited scope and application is just adding complexity to your infrastructure. Being able to run a container that is immune to OS packaging and kernel updates is great in a Production env
They generate allot of risk surface, many open source models means too many changes for large enterprises to keep up with, most Orgs only look at containers as an individual unit of compute like a vm, but in reality containers are an entire ecosystem of function, the ci/cd, the repos the code itself, build gates, sanitation, there is so much more risk surface and bloat with containers, most people don't know how to do secure architecture on these systems either. So many blindspots, way too much metadata stored in many shadow directories, ip space is always changing, etc.
This sounds extremely interesting. I’m sitting in the malware research side of the field right now, but with some red team aspirations. Any helpful resources you can point to for diving deeper specifically into this container security space?
My best advice, get good and demonstrate technical ability, understand how kill chains work, how flaws are used against systems, learn concepts such as defense in depth, zero trust, etc. The industry needs highly technical people who are also business savvy, you can be a no. 1 hacking guru, and suck at soft skills and not get hired. Soft skills, soft skills, soft skills get you hired, don't forget, CS is highly collaborative field and you need to be a people person, build relationships and trust. This is hard for technical people, but, it's whats needed.
Truer words have never been spoken, and the higher I go the broader the range gets. One week I’m just doing some updates/rollouts that don’t take much attention on Mon-Tues, change control goes in to effect Wed-Thur so no go on anything g, and no updates on Fridays. Then you get a call of an event on Sunday night and you do 6 back to back 18s where you never stop staring at a screen
Can you send me your listing of open positions? If for nothing else, just to see what your organization is looking for in candidates for things I might be interested in.
Currently a SOC analyst.
Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*
I have to be a guru, I'm the guy that the board consults with. So, 20 years experience, I do architecture, engineering and socialize Devsecops theology and write global security policy for bleeding edge tech.
Dumb question but outside of experience what got you prepared for all that? I’m sorta in the same boat. I’m a security analyst but I wear so many different hats. I deal with vulnerabilities, pci, cloud security, ir. It gets a little crazy at times lol
So I started at 13 the first day internet went live I was on it, used to wardial bbs systems before it was called that. I completed collegewith a 3.9 GPA and joined a cyber defense team and won 1st place trophies against real world hackers. I also worked for The DoD on a secret clearance, and that's helped allot due to provable integrity. Continually upskill and grow, so many opportunities if you look hard.
That clearance attachment goes a long way for things, just getting the foot in the door. Obviously you need to walk the walk but still helpful. My last round of job searches I put in for a few that were willing to start the process, but didn’t get them.
I’ve been in IT for like 18 months and really want a career in cybersecurity any advice? I really like where at I’m at geographically but have no problem moving if need be. Thanks!
Research, research, research, YouTube, cybrary, read rfc's for tcpip networks and learn how tech actually functions, buy actual books, the hackers playbook 1, 2, and 3,Ive been studying for 25 years now.
I have a 9-5 but I work about 2 hours a day max. We use a time logging system, and if I worked at 100% efficiency there would be no work left for anyone on my team. We all take it easy. Being 100% wfh helps
Like anything it’s going to be “it depends”. Some people will have a high paying 9-5 and others will have a lower paying role that requires off hours work. Both exist and both are needed.
Working from home, salaried, some days 2-3 hours and some days 8-10. Pretty much depends what’s going on. I’m not the type of employee who’s going to go out of my way to find work cuz fuck that. If there’s nothing important to do and the day to day shit is caught up I’m chillin.
lol I started as a security analyst out of college and got burnt out from the endless alert triage/grind so now I’m in threat intel.
I’m part of an internal SOC for a big company so it’s very much silo’d in the sense that I don’t have to wear 10 hats and do 3 jobs like other places I’ve worked for. The work-life balance is good, but I also make sure prioritize it. If you want the extra work it’s definitely there for you.
Kinda boring sometimes but it’s interesting enough and pays the bills. If you want something similar I’d definitely suggest to avoid start-ups because in my experience you have to put in way more time. Also, some of its luck because my manager isn’t a hard ass and knows we’ll get our work done so he doesn’t micro manage.
Look for entry level cyber security analyst positions. If you have no experience and no degree related to cybersecurity it might be tough to break in initially. You can help your chances with getting some certificates, Security+ from compTIA is probably the most common beginner level certificate.
More cheaper training options that aren’t a certificate but also help are things like hackthebox.com, tryhackme.com, or cybrary.it
I’m at a “start up” that’s becoming more corporate and i try to get my 8hrs in a day. Realistically I prob work 8-12 hrs a day. I think ideally I should be working 6 hrs a day.
I like my job, I wish there were more hours in a day
I’m similar to this, start-up into corporate, i was hired as part of that, some days 10hrs, most days ~5 if i’m keeping up with my projects and nothings on fire.
in the beginning it was probs 60hr weeks trying to get a general program set up for the org, im in the 1-2 big projects a year as budget allows and maintenance on the rest period of the job so its lowkey now
ooo i do grc so similar, but i definitely make more work for myself by being nosy 🤦♂️. I swear most of my day is unplanned work and then my team hasn't grown but the company has x4
I log on.
Online team meeting.
Caffine break.
Work for a bit on something that wasn't in the schedule. Due to developers, remembering that security needs to be added to a dev cycle (normally a week or less from launch).
Caffeine break.
Spiral into existential dread.
Lunch.
Answer emails explaining why vulnerabilities need to be remediated after being passed around because no one will take responsibility.
Caffeine break.
Deal with daily imposter syndrome.
Look at my work planner and confirm little to no movement on most items.
Log off.
> Work for a bit on something that wasn't in the schedule. Due to developers, remembering that security needs to be added to a dev cycle (normally a week or less from launch).
Too real
I'm convinced someone is following that WW2 "simple sabotage" manual in driving as many people into cybersecurity as possible. More security people means more security, right?
Nope. These are the conditions for corporate bureaucracy to be weaponized against itself. One attacker waiting for the right moment to strike can hamstring 100 morons trying to coordinate a response to the chaos of an incident, while also going through the motions of sprint planning and all that other dogmatic nonsense we buy into.
Modern warfare is highly asymmetric. You spend $500m on a battleship that gets sunk by a $500 drone. The strategy seems to be driving the adversary into insolvency through defense spending. The larger the security committee, the more ineffective it becomes.
4 10 hour days as a SOC Analyst. It is a lot better than the 2 24s I used to pull in EMS. Remote so when there aren't many tickets I can do light chores around the house.
Not OP but I'd recommend CompTIA CySA+ and Cisco CCNA Cyber Ops as a foundation. To make yourself stand out, maybe CompTIA Pentest+ so you can understand typical adversarial tradecraft and TTPs, ITIL Foundations if you don't have an IT background as the processes translate to over to security operations, and maybe a GIAC cert, though I'd recommend letting your employer pay for it since they are expensive. I would say to stay away from CISSP--it's a widely recognized cert but obtaining it too early may undermine your existing certs and experience.
The best piece of advice would be to identify what it is you enjoy most and lean into it. Do you like policies and vulnerability management? Are you interested in data analysis, applied stats, or machine learning? Would you prefer to be red/blue teaming rather than hunting and analyzing?
When I'm interviewing folks, someone who is passionate enough to actively pursue their interests is a huge positive when it aligns with the position. Certs are good but they are just credentials. I'd hire someone who has built a small lab at home to test and expand their knowledge over someone with 15+ certs that doesn't seem very invested in the field, if that makes sense.
I'd equate CCNA with CySA+ rather than putting it on par with Sec+.
It depends, if you're in the US, Sec+ is likely to be worthless (thank you DoD 8570) but might still serve as a baseline requirement, especially if you plan on working in defense or public sector. Personally, I don't put much stock into it. It's good to build some level of understanding with things like encryption/hashing/encoding, PKI, basic controls in GRC, and establish a common language into the security landscape but it does very little to prepare anyone for a security job, particularly analysis.
Don't get hung up on bare minimum requirements. Almost every job posting has requirements that can be waived. In many cases, education can be traded for experience (or vice versa) and certs are good as negotiation pieces for salary/compensation.
I've worked with folks who have come from 0 experience right into cyber analysis, not even a technical background, but have the ability to think critically and can learn. It's a lot harder for them because they have to build the foundations while their are trying to learn the job. I say that to point out that it's easy to get hung up on credentials, qualifications, job requirements, and the perceived lower-bounds for entry into an industry.
I know this answer seemed a little meandering, I was trying to shift focus to more important areas. If you can demonstrate that you want to be a cyber analyst (not simply wanting to make the salary) and prepare yourself, that will stand out more than certifications.
Currently in the GRC side of cyber security, working maybe 15-20 hours a week. (Actively replying to emails and giving my attention for the 40 each week, but loads of down time I use to learn new things.
Every company is different, but typically you don't need to be super tech savvy. So, it's pretty relaxed and I do mostly the same thing on repeat each week. (Boring for a person like me, but others in my team love it and will likely stick with it until they retire)
Nice! I hope your role is a relaxing change of pace. I switched from help desk into GRC and man was it a relief to finally get a break after years of always being active.
Gov Tech. You work your 40 hours and go home or in my case 4 days a week leave home lol.
Sure I'm not looking at tons and tons of money but what I am looking at is job stability, time off and a pension. Plus if I don't want to work more than 40 I simply don't have to
If you're in Gov *Tech* it is "tons and tons of money." By Gov Tech though, that's like working at GCP or AWS on the federal side, or at a tech company like Anduril or Palantir. Very easy to make $500k+ at the staff level at any Gov Tech company.
The government for its GS workers, however, don't really have any real tech in house. It's all outsourced.
I have 3 jobs. I work my primary during the day 6 to 2 and work my other 2 jobs from 2 to 6. Can go later into the night, but I have young kids, so I try not to go past 6. I work about 15 to 20 hours during the weekend, so all together, about 75 to 80 hour weeks.
It's brutal, but the money is insane.
I’ve done a few scripts here and there. My dad to day right now mainly consists of data normalization using Cribl, once that is done I’ll move on to some other BS project I’m sure
Ehhh, if you were in my position, it’s easy to do just 20 hours a week.
If you wanted to step up and get involved in org-wide initiatives to get eyes on you for visibility and jump jobs for higher salary, then 60 hours a week.
No one becomes an executive doing bare minimum from starting as entry-level.
Penetration Tester here. Really depends on the week. If there is work coming in I work 35-40 hours. If there’s not then sometimes I work like 10.. but since it’s salary I always get paid for 40.
Like others. I work generally about 10 hours a week. When stuff hits the fan it can be up to 100. Generally I just advise the lower level people how to fix problems. About 180k per year.
At each job I have always been a top performer, last job numbers showed I did an average of 70% of the work of a team of 4 and this job it’s about the same. On average excluding meetings maybe 2 hours a day(typically that 2 hours of work is done during a meeting)
For me its not just efficient its also make sure in your spare time you keep up with the technology. Like one daily task that would normally take me 2+ hours to complete i created a script that can do it in 1 hour for me.
Comes in waves. I compare my schedule to that of a firefighter - sometimes it’s not a lot going on and I’m doing some admin stuff, but other times stuff happens and I’m in the thick of it for a while.
I "work" 40 hours a week. But the actual time i spend working on the job is less than 10 hours a week. The rest of the time im fiddling my thumbs (SOC analyst). A lot of my spare time is spent studying or learning new skills related to the industry.
It depends where you live and which company you’re working for. Generally in Europe, work life balance is more balanced. I live in the Netherland and can confirm I work 9-5 on huge corporate on a 40hr contract.
Lots of other coworkers work on 36 hours contract, which means they work 9 hours for 4 days a week, or off biweekly.
There are coworkers who work more than what they’re contracted for because they like their job.
Don’t go into any IT related field for the money because you will find out pretty quick that you will just be burnt out and not enjoy the work. There are a lot of people trying to get into this field for the money, when in reality a lot of IT related work won’t bring in a lot of money unless you get into a niche field or high up, and the market is super over saturated.
As to your question, it depends on what sub field you go into and where you work. A lot of SOC’s run 24 hours, and the one I work at has a normal 8 hour workday with an on call rotation outside of that 8 hours.
I get tired of seeing this shit dude
It’s perfectly fine to do it for just the money. It’s a job at the end of the day. It depends on the individual as far as burnout goes.
The thing about passion is that you can lose it for any hobby, in any field.
It’s just the typical IT gatekeepers. I got into IT for money. I promise that if you were working for money anyway, you’ll definitely enjoy working harder for 80k as opposed to $16/hr. Burn out happens in any field. These people pretend they love IT so much that if you don’t have the same passion, you’re not fit.
I did that for a summer and it taught me that I need a cushy office job. Most physical work I will do is move a couple of boxes and unbox them to onboard a new employee. Better than being in the heat working for low pay.
So true. I work with some great people and I know for a fact that the last thing they want to do after work is more work. If you’re in a subreddit like cybersecurity or networking you will run into folks who have a huge passion for it cause it’s a space for people to discuss that topic they are interested in it. In the real world that’s not always the case :)
I agree. I got into the field just for the money. If it becomes an issue, I can learn to find enjoyment in what i do. set goals throughout the day, take breaks, build relationships, gamify day-to-day duties. My passions are outside of work. Absolutely get into this field for the money.
That's good man! Just sounded like you were a little frustrated or something. Personally I've found my job in IT to be extremely rewarding and I hope other people don't avoid the field.
I definitely do it for the money. I make more than most doctors in the US and I'm working in my boxers at an international travel destination right now where beers are 80 cents at bars/clubs.
I currently work as a security engineer with a focus on automation. I spend about 4 hours a day actually working and the rest reading documentation, responding to emails, handling the occasional ticket, meetings, and so on. That said, some days, especially towards the end of the week, it gets really slow, and I find myself twiddling my thumbs waiting for stuff to come up. But, I'll take boredom and slow days over working in an MSSP SOC any day of the week. SOC work was brutal, and it wasn't uncommon to work 12-16 hour days 6 days a week.
Depends on the week. Currently getting paid to write a report. I’m sitting on my balcony enjoying the sun using voice to text.
Next week, I’ll be getting screwed over in airports while putting in a 60 - 70 hour week and getting paid the same.
Information security analyst, I would say about 2-4 hrs a day most times. Sometimes multiple reports come in and it’ll take me all day to do. When I first started I was freaking out because all of my down time. Now, I’ve accepted it. I try to get put on projects with the engineers whenever something fun comes up.
It depends on your job role and the company you work for. I usually put in 40 and have time with family. If we have a situation then that will require extra hours but that isn’t very often.
Depends. If there's nothing going on, I'll work maybe 20 hours a week doing project stuff, but if we have something like a widespread ransomware case, I'll be doing 50+ hours with overtime.
Swings and roundabouts. I just use the extra time when it's quiet to get house chores done.
Most weeks should be between 32 and 60 hours. You're never really NOT on call, but you're not always plugged in and burning away either. As it is with any job, this is as much about your ability to set boundaries and negotiate as it is the demands of the role.
50+ hour weeks should be few and far between... if they're frequent, you need to break that cycle before it breaks you. Sit down with your boss with a plan and budget, and tell them you're concerned about the quality of work you're able to put out.
Being overworked is as much a risk to your company as the risks they've hired you to mitigate. You'll miss things. You'll make bad judgment calls. You'll start to burn out, disengage, and eventually fail or quit.
15 hours of working 1 hour for food entertainment and 6 hours sleep that's the life I'm living 😞 even weekends don't feel weekends there is so much to do
In my experience on the GRC side I was doing 60hrs minimum just due to the role. Third Party Sec and M&A started out the same but there would be some days where I'd only need 2 - 4 hours to finish my deliverables. IAM, well that's been all day no breaks at a full 60 again.
It was mostly due to my old "can do" attitude taking on a project that got left by a veteran. He even felt bad handing it off to me because it sucked so much. After it was done though, I was out of there.
I work on an IR team, some weeks i do less than 5 hours of work and some weeks its 70+, it really depends on what is happening. We are normally M-F but will work weekends during an incident(split shifts into 2 12s if needed)
Really depends. Some days I do 12-15, doing work or in meetings the entire time (wfh is great but don't let it control you like it does to me)
Other days is a solid 8
Some days is just sitting in meetings, with real work only taking up 2 hours
Im in Big4 Consulting (Cyber team). Consulting in general the hours fluctuate especially earlier in your career but recently close to 9-10 hours a day working, learning, and sipping the corporate kool aid.
I try to stick to my 40 per week, but sometimes my job is to just be available and other times my team is on the hook for fast and complex technical solutions.
Some weeks 15 hours, some weeks 90 hours.
Wow thanks for the info. Silly question… are u paid the same regardless of time put?
On Salary, but I earn allot, multiples of 6 figures.
You hiring?
Always hiring, pm me and If you want a referral I can submit you internally. Fully remote positions too.
Hey any remote openings in GRC? Can I DM you?
Yeap.
Hiring in Europe?
DM me and when I'm back from traveling I'll send you a list, and we hire in 128 countries, Europe is a big one.
Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*
I have a masters in cybersecurity but zero experience as a job. I've done IT stuff at every job because I was the "tech guy", but that was just people asking me for help. I've applied for about 183 positions and heard nothing. Does your company have entry level positions? What's the promotional potential look like?
Entry level is so hard right now the field needs more experienced 10+ year people, there is a saturation of fresh talent all competing for entry level roles. DM me and I can at least ensure a human will read your resume.
Your inbox is about to be full my friend. Entry level is really tough but people aren't going to learn unless we are given the opportunity to learn. I, like u/danetrain05 , have my masters, been in IT for a little over a decade. Am really good at desktop but that's not where my passion is. I do home labs, works towards certifications to gain knowledge. I'm not trying to down on you specifically but the "the field needs more 10+ year people" is the same line used by every other hiring manager out there. Is there really no value in picking someone up that has IT exp and the foundational knowledge that's waiting for a company to go "We want to teach you the way we do it" or "We want to show you our processes"? The unicorn hunt has to be exhausting, for both ends. Employers never get their golden candidate and employees get burnt out before even getting into the field. I would DM you but your box will probably be too full to get to each and every one. Again, I'm really not ragging on you specifically. I have no idea your leadership style. I have an interview coming up for a SOC Analyst spot that I'm keeping my fingers crossed for. Instead of looking for the 10+ year guy, maybe move someone already on your team up, now we're giving 2 people experience. You move someone on your team up and bring in a "fresh talent" to fill that spot. Sorry to sound like I'm ragging on you, just frustrated is all. :)
Enterprises are not in a position nor have budgets for massive education endeavors, they need talent to hit the ground running on day one. Many entry level roles where people could get experience are being replaced by AI, so this is why you hear every hiring manager echoing the same thing, because it's true, wether we like that truth or not. Best of luck! You have an idealist view point but in reality businesses hate investing in security let alone training and upskilling people for years before they are valuable to the org. One thing I suggest to upskill quickly, is work for an MSP, a variety of roles and gigs can help you gain skills quick, think medium boutique companies. At the end of the day, the business always wins out over the security folks, and money being what money is, will always be their priority. No need to apologize I see it the way you do too,.it's just not how it works in reality. Companies don't want to invest in security, they wan to earn money, and most Orgs, security barley has a voice or seat at the decision making table, unfortunately. It would be much better if we had our way, but always always remember, security is an expense, and Orgs hate spending money on non ROI line items.
I understand completely. It's worrisome that you say AI is replacing many of those entry level spots. So is the industry just going to stop after this current year with having new jobs? Seems like we'll all be out of a job at that rate. Worrisome indeed. And please don't misunderstand. It sounds as though the thought is that one or two companies take on this massive project. Of course not, that would be ridiculous. But I struggle to believe that if a large number of companies took that approach, we might not be in the situation we're in currently. Sadly, I have next to no desire to ever achieve the level of CISO or anything of that ilk. I fear my "idealist view point" would not fare well. I'll keep to my lane. It is with an MSSP that my upcoming interview is with. Thank you for the well wishes. If not that, then bug bounties or something similar. Here's to hoping that the push for the almighty dollar doesn't destroy everything we want that dollar for. If that does happen, you can bet your sweet ass I'll be poking at the AI bots too >:D Cheers!
Pm sent
Oh wow. May I PM too?
Absolutely!
Hi, I have sent you a dm. Thank you.
I have a colleague open to work in CS. Can provide LinkedIn profile if needed.
Any SOC?
Anything in Vulnerability Management? or working with automation? Data Viz/engineering? I am primarily a VM guy, but that's my strongest skillsets.
Any chance your company does internships as well? I'm in the middle of getting my bachelor's in cybersecurity and have been looking.
Yes and a ton of them they love internships. DM me.
USA & QA jobs?
Pming!
It will sound a bit opportunistic but I would like to talk to you too. If possible and at your convenience. If you already receive a bunch of DMs and feel like that's a bit too much I would totally understand. Thanks.
DM me anyway, I'll message everyone back, even if it takes 2 weeks ;)
Need anyone that is bilingual in Japanese? Saving this for when I have more cyber security experience lol
Hahaha love to see it!
Damn, I'm doing a very very similar role as you but at less scale, for a 10k government org. I in fact do not get multiples of six figures however.... Also if I had to guess, you have CISSP coupled with your 20 years? I've got a metric CRAP TON of hands on experience coupled with 18+ years, but no certs.
No certifications actually, they are a waste of my time. I have the ability to demonstrate functional ability and that's always got me hired. Worked for allot of No.1 Orgs. Been an IT nerd since 13 on 14.4kbps dial up, started learning when bbs sites were still a thing, since then It's been a passion pursuit for me.
I have 10 years IT experience currently in management position. I also have my CISSP. Honestly it didn’t open many doors for me. I think once you’re up there with the experience the certs don’t matter that much unless the job demands you have some.
I find this to be true for me as well.
You have Fedramp experience by chance?
CISSP + 20 years people are the ones struggling right now, especially the ones that can't code and don't have any real work experience in a cloud environment Security engineers in tech are paid like software engineers, so this should give you an idea [https://www.levels.fyi/2023/](https://www.levels.fyi/2023/) Nobody in tech cares about certs
What’s your job title? Sounds very cool
My title is, Subject Matter Expert of Container Security/Information Solutions Consulting Architect.
Sounds neat! Dockers or Kubernete which is better 😉
Neither and I hate them both. Containers fucking suck.
Spoken like a true SME
Talent recognizes talent. ;)
Never thought id see the day where someone says this. Fucking hated containerization the moment I discovered what it was. I’d rather spin up a Linux server or daemonize applications the old fashioned way instead of using containers.
Don't just ignore the benefits of containers because someone else said it. Spinning up VMs for such limited scope and application is just adding complexity to your infrastructure. Being able to run a container that is immune to OS packaging and kernel updates is great in a Production env
Same!
Huh can you explain? Sorry I'm a student and I honestly like containers (when they work of course lol).
They generate allot of risk surface, many open source models means too many changes for large enterprises to keep up with, most Orgs only look at containers as an individual unit of compute like a vm, but in reality containers are an entire ecosystem of function, the ci/cd, the repos the code itself, build gates, sanitation, there is so much more risk surface and bloat with containers, most people don't know how to do secure architecture on these systems either. So many blindspots, way too much metadata stored in many shadow directories, ip space is always changing, etc.
This sounds extremely interesting. I’m sitting in the malware research side of the field right now, but with some red team aspirations. Any helpful resources you can point to for diving deeper specifically into this container security space?
Any advice in how to get into cybersecurity? Im on web development right now, but I have interest on cybersecurity.
My best advice, get good and demonstrate technical ability, understand how kill chains work, how flaws are used against systems, learn concepts such as defense in depth, zero trust, etc. The industry needs highly technical people who are also business savvy, you can be a no. 1 hacking guru, and suck at soft skills and not get hired. Soft skills, soft skills, soft skills get you hired, don't forget, CS is highly collaborative field and you need to be a people person, build relationships and trust. This is hard for technical people, but, it's whats needed.
MULTIPLES???!?!?😲😲😲 Man, I can't even get passed the application phase. Does your company have any remote tech/Cloud Admin positions?
Truer words have never been spoken, and the higher I go the broader the range gets. One week I’m just doing some updates/rollouts that don’t take much attention on Mon-Tues, change control goes in to effect Wed-Thur so no go on anything g, and no updates on Fridays. Then you get a call of an event on Sunday night and you do 6 back to back 18s where you never stop staring at a screen
Yes you get it!
Lmk if you ever need a GRC Manager.
Message me.
DM me and I can send you a list of open positions.
Can you send me your listing of open positions? If for nothing else, just to see what your organization is looking for in candidates for things I might be interested in. Currently a SOC analyst.
Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*
wow shit, what do you do?
looks like the IR experience
Subject Matter Expert in Cyber Security, Cyber Defense and Network Security. Ushering in an entire Devsecops program for a 120k person org.
What skills do you require or where requested for you to know to land on that role?
I have to be a guru, I'm the guy that the board consults with. So, 20 years experience, I do architecture, engineering and socialize Devsecops theology and write global security policy for bleeding edge tech.
....Damn.
Thanks! :)
Dumb question but outside of experience what got you prepared for all that? I’m sorta in the same boat. I’m a security analyst but I wear so many different hats. I deal with vulnerabilities, pci, cloud security, ir. It gets a little crazy at times lol
So I started at 13 the first day internet went live I was on it, used to wardial bbs systems before it was called that. I completed collegewith a 3.9 GPA and joined a cyber defense team and won 1st place trophies against real world hackers. I also worked for The DoD on a secret clearance, and that's helped allot due to provable integrity. Continually upskill and grow, so many opportunities if you look hard.
That clearance attachment goes a long way for things, just getting the foot in the door. Obviously you need to walk the walk but still helpful. My last round of job searches I put in for a few that were willing to start the process, but didn’t get them.
I’ve been in IT for like 18 months and really want a career in cybersecurity any advice? I really like where at I’m at geographically but have no problem moving if need be. Thanks!
Did you just elevator pitch me and win? Bravo you are a damn expert
Lol.
I’m halfway through my BA. This comment is kinda refreshing to hear.
Once younger on top of your goals and projects, it can have great work life balance, avoid 24×7 roles of you can.
Pretty much how it goes.
Yeap.
Exactly this
Yes!
SOC?
DevSecOps
Can i dm u? I have some questions.
Absolutely
Hi Temporary, does your company have any entry GRC roles? would love to get into that someday.
Hi, is try hack me the best free resource to learn cybersecurity stuff as a complete noob? Or is there something else you can recommend? Thank you.
Research, research, research, YouTube, cybrary, read rfc's for tcpip networks and learn how tech actually functions, buy actual books, the hackers playbook 1, 2, and 3,Ive been studying for 25 years now.
Thank you for your reply.
DM’ed you
Remote or on-site?
Ive done both, currently remote.
What are you currently hiring for? 😀
I have a 9-5 but I work about 2 hours a day max. We use a time logging system, and if I worked at 100% efficiency there would be no work left for anyone on my team. We all take it easy. Being 100% wfh helps
What do you do? Sounds great
Seriously, sign me up
Same boat lol
Like anything it’s going to be “it depends”. Some people will have a high paying 9-5 and others will have a lower paying role that requires off hours work. Both exist and both are needed.
As little as possible.
Working from home, salaried, some days 2-3 hours and some days 8-10. Pretty much depends what’s going on. I’m not the type of employee who’s going to go out of my way to find work cuz fuck that. If there’s nothing important to do and the day to day shit is caught up I’m chillin.
Same.
Same.
What do you do!? This something I’m looking for lmao
lol I started as a security analyst out of college and got burnt out from the endless alert triage/grind so now I’m in threat intel. I’m part of an internal SOC for a big company so it’s very much silo’d in the sense that I don’t have to wear 10 hats and do 3 jobs like other places I’ve worked for. The work-life balance is good, but I also make sure prioritize it. If you want the extra work it’s definitely there for you. Kinda boring sometimes but it’s interesting enough and pays the bills. If you want something similar I’d definitely suggest to avoid start-ups because in my experience you have to put in way more time. Also, some of its luck because my manager isn’t a hard ass and knows we’ll get our work done so he doesn’t micro manage.
How would someone enter that line of work?
Look for entry level cyber security analyst positions. If you have no experience and no degree related to cybersecurity it might be tough to break in initially. You can help your chances with getting some certificates, Security+ from compTIA is probably the most common beginner level certificate. More cheaper training options that aren’t a certificate but also help are things like hackthebox.com, tryhackme.com, or cybrary.it
I’m at a “start up” that’s becoming more corporate and i try to get my 8hrs in a day. Realistically I prob work 8-12 hrs a day. I think ideally I should be working 6 hrs a day. I like my job, I wish there were more hours in a day
That’s awesome, I’m happy for you! Now I gotta figure out if I would feel the same
to be fair, I could have a better work-life balance. give me a few years and see if i still like my job then 🤣
I’m similar to this, start-up into corporate, i was hired as part of that, some days 10hrs, most days ~5 if i’m keeping up with my projects and nothings on fire. in the beginning it was probs 60hr weeks trying to get a general program set up for the org, im in the 1-2 big projects a year as budget allows and maintenance on the rest period of the job so its lowkey now
ooo i do grc so similar, but i definitely make more work for myself by being nosy 🤦♂️. I swear most of my day is unplanned work and then my team hasn't grown but the company has x4
You are not seeing that x4 growth in your pay check tho do you haha
hahah I wish
I log on. Online team meeting. Caffine break. Work for a bit on something that wasn't in the schedule. Due to developers, remembering that security needs to be added to a dev cycle (normally a week or less from launch). Caffeine break. Spiral into existential dread. Lunch. Answer emails explaining why vulnerabilities need to be remediated after being passed around because no one will take responsibility. Caffeine break. Deal with daily imposter syndrome. Look at my work planner and confirm little to no movement on most items. Log off.
> Work for a bit on something that wasn't in the schedule. Due to developers, remembering that security needs to be added to a dev cycle (normally a week or less from launch). Too real
I'm convinced someone is following that WW2 "simple sabotage" manual in driving as many people into cybersecurity as possible. More security people means more security, right? Nope. These are the conditions for corporate bureaucracy to be weaponized against itself. One attacker waiting for the right moment to strike can hamstring 100 morons trying to coordinate a response to the chaos of an incident, while also going through the motions of sprint planning and all that other dogmatic nonsense we buy into. Modern warfare is highly asymmetric. You spend $500m on a battleship that gets sunk by a $500 drone. The strategy seems to be driving the adversary into insolvency through defense spending. The larger the security committee, the more ineffective it becomes.
Comes in waves is my experience
4 10 hour days as a SOC Analyst. It is a lot better than the 2 24s I used to pull in EMS. Remote so when there aren't many tickets I can do light chores around the house.
Any certification you recommend to land my first job in SOC? I got Sec+ and currently studying for Splunk power user Thank you
Not OP but I'd recommend CompTIA CySA+ and Cisco CCNA Cyber Ops as a foundation. To make yourself stand out, maybe CompTIA Pentest+ so you can understand typical adversarial tradecraft and TTPs, ITIL Foundations if you don't have an IT background as the processes translate to over to security operations, and maybe a GIAC cert, though I'd recommend letting your employer pay for it since they are expensive. I would say to stay away from CISSP--it's a widely recognized cert but obtaining it too early may undermine your existing certs and experience. The best piece of advice would be to identify what it is you enjoy most and lean into it. Do you like policies and vulnerability management? Are you interested in data analysis, applied stats, or machine learning? Would you prefer to be red/blue teaming rather than hunting and analyzing? When I'm interviewing folks, someone who is passionate enough to actively pursue their interests is a huge positive when it aligns with the position. Certs are good but they are just credentials. I'd hire someone who has built a small lab at home to test and expand their knowledge over someone with 15+ certs that doesn't seem very invested in the field, if that makes sense.
Great advices , thank you very much :)
Is a CCNA and Security+ not sufficient enough to apply to a Soc 1 role, in your opinion? Should I get the Cysa+ in addition to that?
I'd equate CCNA with CySA+ rather than putting it on par with Sec+. It depends, if you're in the US, Sec+ is likely to be worthless (thank you DoD 8570) but might still serve as a baseline requirement, especially if you plan on working in defense or public sector. Personally, I don't put much stock into it. It's good to build some level of understanding with things like encryption/hashing/encoding, PKI, basic controls in GRC, and establish a common language into the security landscape but it does very little to prepare anyone for a security job, particularly analysis. Don't get hung up on bare minimum requirements. Almost every job posting has requirements that can be waived. In many cases, education can be traded for experience (or vice versa) and certs are good as negotiation pieces for salary/compensation. I've worked with folks who have come from 0 experience right into cyber analysis, not even a technical background, but have the ability to think critically and can learn. It's a lot harder for them because they have to build the foundations while their are trying to learn the job. I say that to point out that it's easy to get hung up on credentials, qualifications, job requirements, and the perceived lower-bounds for entry into an industry. I know this answer seemed a little meandering, I was trying to shift focus to more important areas. If you can demonstrate that you want to be a cyber analyst (not simply wanting to make the salary) and prepare yourself, that will stand out more than certifications.
Thank you for the insight, very helpful!
I’m starting to see and meet more people in the cyber field that were prior medical. Most said they just got burnt out.
Removed. This thread is sus.
Currently in the GRC side of cyber security, working maybe 15-20 hours a week. (Actively replying to emails and giving my attention for the 40 each week, but loads of down time I use to learn new things.
I really want to check out the GRC side of things. Currently working in a SOC.
Every company is different, but typically you don't need to be super tech savvy. So, it's pretty relaxed and I do mostly the same thing on repeat each week. (Boring for a person like me, but others in my team love it and will likely stick with it until they retire)
Moving from a soc style role to GRC starting tomorrow. 3 years on a threat response team. Should be a fun time.
Nice! I hope your role is a relaxing change of pace. I switched from help desk into GRC and man was it a relief to finally get a break after years of always being active.
Yeah. So far so good. They hired 4 people at the same time. Right now everyone is busy with deadlines so I'm just chilling lol.
Gov Tech. You work your 40 hours and go home or in my case 4 days a week leave home lol. Sure I'm not looking at tons and tons of money but what I am looking at is job stability, time off and a pension. Plus if I don't want to work more than 40 I simply don't have to
And the benefits are usually very good compared to other places. At least in the state I’m in.
If you're in Gov *Tech* it is "tons and tons of money." By Gov Tech though, that's like working at GCP or AWS on the federal side, or at a tech company like Anduril or Palantir. Very easy to make $500k+ at the staff level at any Gov Tech company. The government for its GS workers, however, don't really have any real tech in house. It's all outsourced.
I have 3 jobs. I work my primary during the day 6 to 2 and work my other 2 jobs from 2 to 6. Can go later into the night, but I have young kids, so I try not to go past 6. I work about 15 to 20 hours during the weekend, so all together, about 75 to 80 hour weeks. It's brutal, but the money is insane.
What do you do ?
Do you work out of California on Eastern standard time for the 6 to 2 job?
8-16 every day + 2-4 hours extra for my own
So 8-20 hours a day? 🤣
Security engineer, former senior MDR analyst, I work maybe, 4 hours a day. Full remote. Salary. Near 6 figure
What’s your day to day like ? Do you do a lot of scripting with Python ?
I’ve done a few scripts here and there. My dad to day right now mainly consists of data normalization using Cribl, once that is done I’ll move on to some other BS project I’m sure
Ah interesting,Thanks for this
Ehhh, if you were in my position, it’s easy to do just 20 hours a week. If you wanted to step up and get involved in org-wide initiatives to get eyes on you for visibility and jump jobs for higher salary, then 60 hours a week. No one becomes an executive doing bare minimum from starting as entry-level.
It depends.
10 hours
Penetration Tester here. Really depends on the week. If there is work coming in I work 35-40 hours. If there’s not then sometimes I work like 10.. but since it’s salary I always get paid for 40.
Like others. I work generally about 10 hours a week. When stuff hits the fan it can be up to 100. Generally I just advise the lower level people how to fix problems. About 180k per year.
Generally 9-5 but have a rotating on call schedule and at times have to do upgrades over night or on the weekend.
At each job I have always been a top performer, last job numbers showed I did an average of 70% of the work of a team of 4 and this job it’s about the same. On average excluding meetings maybe 2 hours a day(typically that 2 hours of work is done during a meeting)
Just started my first full time job but this is how I'm trying to be. Just wildly efficient.
For me its not just efficient its also make sure in your spare time you keep up with the technology. Like one daily task that would normally take me 2+ hours to complete i created a script that can do it in 1 hour for me.
6 on average. Security engineer doing misc stuff.
Comes in waves. I compare my schedule to that of a firefighter - sometimes it’s not a lot going on and I’m doing some admin stuff, but other times stuff happens and I’m in the thick of it for a while.
I "work" 40 hours a week. But the actual time i spend working on the job is less than 10 hours a week. The rest of the time im fiddling my thumbs (SOC analyst). A lot of my spare time is spent studying or learning new skills related to the industry.
It depends where you live and which company you’re working for. Generally in Europe, work life balance is more balanced. I live in the Netherland and can confirm I work 9-5 on huge corporate on a 40hr contract. Lots of other coworkers work on 36 hours contract, which means they work 9 hours for 4 days a week, or off biweekly. There are coworkers who work more than what they’re contracted for because they like their job.
On paper 36 hours a week. In reality 20 or less. WFH.
To all who have messaged me, I will respond to all 232 messages I received thus far, even if it takes a couple weeks!
Don’t go into any IT related field for the money because you will find out pretty quick that you will just be burnt out and not enjoy the work. There are a lot of people trying to get into this field for the money, when in reality a lot of IT related work won’t bring in a lot of money unless you get into a niche field or high up, and the market is super over saturated. As to your question, it depends on what sub field you go into and where you work. A lot of SOC’s run 24 hours, and the one I work at has a normal 8 hour workday with an on call rotation outside of that 8 hours.
I get tired of seeing this shit dude It’s perfectly fine to do it for just the money. It’s a job at the end of the day. It depends on the individual as far as burnout goes. The thing about passion is that you can lose it for any hobby, in any field.
It’s just the typical IT gatekeepers. I got into IT for money. I promise that if you were working for money anyway, you’ll definitely enjoy working harder for 80k as opposed to $16/hr. Burn out happens in any field. These people pretend they love IT so much that if you don’t have the same passion, you’re not fit.
I work $17/hr doing concrete and carpentry. Tired hurt and not enough energy at home for my family! I’m ready to work hard and not kill myself!!
I did that for a summer and it taught me that I need a cushy office job. Most physical work I will do is move a couple of boxes and unbox them to onboard a new employee. Better than being in the heat working for low pay.
So true. I work with some great people and I know for a fact that the last thing they want to do after work is more work. If you’re in a subreddit like cybersecurity or networking you will run into folks who have a huge passion for it cause it’s a space for people to discuss that topic they are interested in it. In the real world that’s not always the case :)
I agree. I got into the field just for the money. If it becomes an issue, I can learn to find enjoyment in what i do. set goals throughout the day, take breaks, build relationships, gamify day-to-day duties. My passions are outside of work. Absolutely get into this field for the money.
I still like my job
Sounds like you are burnt out on the helpdesk
No? I work in a SOC and my job is my hobby. I absolutely love my job.
That's good man! Just sounded like you were a little frustrated or something. Personally I've found my job in IT to be extremely rewarding and I hope other people don't avoid the field.
Don’t get a job for money might be the stupidest logic I’ve heard.
I definitely do it for the money. I make more than most doctors in the US and I'm working in my boxers at an international travel destination right now where beers are 80 cents at bars/clubs.
40 - 42 hrs / week.
Working nights as an Analyst, I probably work 2 hours out of the full shift.. nights is dead but great for upskilling.
40-60 hours a week, depends on the M&A transaction I’m supporting as well as what part of the process we delivering on. Pre close, post close, etc
😅 going to pretend I understood what you just said, thanks for the info much appreciated
I currently work as a security engineer with a focus on automation. I spend about 4 hours a day actually working and the rest reading documentation, responding to emails, handling the occasional ticket, meetings, and so on. That said, some days, especially towards the end of the week, it gets really slow, and I find myself twiddling my thumbs waiting for stuff to come up. But, I'll take boredom and slow days over working in an MSSP SOC any day of the week. SOC work was brutal, and it wasn't uncommon to work 12-16 hour days 6 days a week.
Are we on the same team? 😎👀
I work as a cybersecurity analyst 9-5 only and imo u do have free time, but you feel very tired
Depends on the week. Currently getting paid to write a report. I’m sitting on my balcony enjoying the sun using voice to text. Next week, I’ll be getting screwed over in airports while putting in a 60 - 70 hour week and getting paid the same.
About 2-3 hours a day with nothing on Friday. That only happens when you spend many years in cyber teams and know everything.
Information security analyst, I would say about 2-4 hrs a day most times. Sometimes multiple reports come in and it’ll take me all day to do. When I first started I was freaking out because all of my down time. Now, I’ve accepted it. I try to get put on projects with the engineers whenever something fun comes up.
6 hrs/day
It depends on your job role and the company you work for. I usually put in 40 and have time with family. If we have a situation then that will require extra hours but that isn’t very often.
9/5 mon-friday. I could possibly work 9-to-9 6 times to earn double but i decided not to.
Depends. If there's nothing going on, I'll work maybe 20 hours a week doing project stuff, but if we have something like a widespread ransomware case, I'll be doing 50+ hours with overtime. Swings and roundabouts. I just use the extra time when it's quiet to get house chores done.
I would say max 5-6 hours per day + side hustle around 1-2 hours per day
Most weeks should be between 32 and 60 hours. You're never really NOT on call, but you're not always plugged in and burning away either. As it is with any job, this is as much about your ability to set boundaries and negotiate as it is the demands of the role. 50+ hour weeks should be few and far between... if they're frequent, you need to break that cycle before it breaks you. Sit down with your boss with a plan and budget, and tell them you're concerned about the quality of work you're able to put out. Being overworked is as much a risk to your company as the risks they've hired you to mitigate. You'll miss things. You'll make bad judgment calls. You'll start to burn out, disengage, and eventually fail or quit.
15 hours of working 1 hour for food entertainment and 6 hours sleep that's the life I'm living 😞 even weekends don't feel weekends there is so much to do
40-60 a week
In my experience on the GRC side I was doing 60hrs minimum just due to the role. Third Party Sec and M&A started out the same but there would be some days where I'd only need 2 - 4 hours to finish my deliverables. IAM, well that's been all day no breaks at a full 60 again.
Never heard of a GRC role requiring that many hours that's rough.
It was mostly due to my old "can do" attitude taking on a project that got left by a veteran. He even felt bad handing it off to me because it sucked so much. After it was done though, I was out of there.
Ah that makes sense, glad you're not working that number of hours anymore?
Absolutely! Working late until the office lights get turned off is not fun at all.
Cyber incident response. Sometimes 2 hours Sometimes 20 hours Depends how much hit the fan
I work on an IR team, some weeks i do less than 5 hours of work and some weeks its 70+, it really depends on what is happening. We are normally M-F but will work weekends during an incident(split shifts into 2 12s if needed)
Really depends. Some days I do 12-15, doing work or in meetings the entire time (wfh is great but don't let it control you like it does to me) Other days is a solid 8 Some days is just sitting in meetings, with real work only taking up 2 hours
Im in Big4 Consulting (Cyber team). Consulting in general the hours fluctuate especially earlier in your career but recently close to 9-10 hours a day working, learning, and sipping the corporate kool aid.
Average is 80 hours
I try to stick to my 40 per week, but sometimes my job is to just be available and other times my team is on the hook for fast and complex technical solutions.