Is cyber-security a good field to get into?


This topic contains 12 replies, has 7 voices, and was last updated by MattNYC 4 years, 1 month ago.

  • #152280
    +1

    Anonymous
    0

    Yeah I’m going to attend a community college and was thinking of taking this.

    #152297 Dark Kenshi, Participant

    Today this is one of the best fields to work in.

    High demand, not many people working in it, but the downside is that you have to be very specialized in order to nail a job in the area.

    If you wish to go in it, do it. But be prepared!

    "Young was I once, I walked alone, and bewildered seemed in the way; then I found me another and rich I thought me, for man is the joy of man." Odin, Hàvamàl, stanza 47.

    #152338 RoyDal, Participant

    I agree with @darkkenshi. I had the good fortune to get into a different branch of STEM which had the same characteristics: high demand, few people in it, hard work to qualify.

    It meant I always could find a job. It also meant I got laid off once in a while, but it sure beat getting laid off from a low demand, overcrowded specialty.

    Society asks MGTOWs: Why are you not making more tax-slaves?

    #152370 MattNYC, Participant

    Hey GodEater, cybersecurity’s a sub-field within Information Security (IS or “infosec” for short). I’ve been working in the IS world for about 13 years. High-demand, good work, smart people. My work has primarily been in the financial services industry (either as a direct employee, or working for a consulting firm with FIs as clients), so it’s protecting people’s personal information or money from bad guys – an interesting, engaging job I can be proud of.

    Having said that, there are really 2 parts to the field:

    1) CyberSecurity – More technical, think crypto-algorithms, doing the actual web-app hacking (inserting escaping chars into input fields, trying to make sense of error outputs, escalating privs, etc.).
    2) Risk Management – Translating technical vulnerability info into language the business people (who’re paying the bills, in the end) or compliance folks can understand.

    You can definitely do both 1 & 2, but CyberSec will primarily be techies (think crypto-algorithms, SQL injection/xfscripting, etc.), whereas RM requires more communications skills. In my role as a Risk Management guy, I work with developers, sysadmins, business reps, legal/compliance folks, middle-managers & executives.

    One note – A “hot” area within InfoSec now is mobile app security. We’re already seeing the shift to cloud security. Like any other discipline, you’ll have to keep current if you want to maintain a high salary demand. Work that’s being commoditized will lower the pay grade (possibly even be offshored to a large degree), whereas new s~~~ has a much higher pay rate – nobody even knows how to figure out cloud security yet, so there’s sizable $$$ to be made. But you could’ve said the same thing about

    Webapp security ~15 years ago, or
    Sarbanes Oxley ~13 years ago, or
    PCI 7 years ago, or
    Mobile app security ~2 years ago.

    Today it’s cloud. Tomorrow it’ll be something else.

    Having said all that, I think it’s a great field full of great challenges & smart people. Right now I couldn’t imagine being anywhere else.

    #152383 Anonymous

    Hey GodEater, cybersecurity’s a sub-field within Information Security (IS or “infosec” for short). I’ve been working in the IS world for about 13 years. High-demand, good work, smart people. My work has primarily been in the financial services industry (either as a direct employee, or working for a consulting firm with FIs as clients), so it’s protecting people’s personal information or money from bad guys – an interesting, engaging job I can be proud of.

    Having said that, there are really 2 parts to the field:

    1) CyberSecurity – More technical, think crypto-algorithms, doing the actual web-app hacking (inserting escaping chars into input fields, trying to make sense of error outputs, escalating privs, etc.).
    2) Risk Management – Translating technical vulnerability info into language the business people (who’re paying the bills, in the end) or compliance folks can understand.

    You can definitely do both 1 & 2, but CyberSec will primarily be techies (think crypto-algorithms, SQL injection/xfscripting, etc.), whereas RM requires more communications skills. In my role as a Risk Management guy, I work with developers, sysadmins, business reps, legal/compliance folks, middle-managers & executives.

    One note – A “hot” area within InfoSec now is mobile app security. We’re already seeing the shift to cloud security. Like any other discipline, you’ll have to keep current if you want to maintain a high salary demand. Work that’s being commoditized will lower the pay grade (possibly even be offshored to a large degree), whereas new s~~~ has a much higher pay rate – nobody even knows how to figure out cloud security yet, so there’s sizable $$$ to be made. But you could’ve said the same thing about

    Webapp security ~15 years ago, or
    Sarbanes Oxley ~13 years ago, or
    PCI 7 years ago, or
    Mobile app security ~2 years ago.

    Today it’s cloud. Tomorrow it’ll be something else.

    Having said all that, I think it’s a great field full of great challenges & smart people. Right now I couldn’t imagine being anywhere else.

    How is your work schedule like and how much travel can you do with this job?

    #152511 MattNYC, Participant

    How is your work schedule like and how much travel can you do with this job?

    My hours are pretty typical 8-5. Considering the NYC grind that most people have to deal with, I have it pretty sweet. This is in part due to two things:

    1) The bank I work for is one of the largest in the world; we have >1,000 IS professionals globally, so there’s always someone to cover for me when I’m out of the country for 10 days or whatever. If you work for a smaller company & you’re the only IS guy, you will *never* fully be off the clock. This was a huge challenge at my last company where I ran IS for a global, but relatively small firm in terms of # employees.

    2) The bank I work for also has a great time off policy; I think it’s actually the best private-sector firm (in terms of time off, anyway) in that respect. At my level it’s 22 days vacation per year, plus all the bank holidays, plus about half a dozen sick days, plus a couple personal days.

    Note that the above is during business as usual type stuff. When s~~~ hits the fan – breach or potential breach – it’s all hands on deck; doesn’t matter if you have scheduled vacation, or it’s a holiday or whatever. But that’s most places in the IS field, nature of the beast. That’s why I like larger companies – even if I’m “on the beach”, I get solid support from guys who are covering.

    Given the above, I travel plenty on my time off (salary’s competitive, so $$$ to travel as a single guy is never an issue – I think I did 7 international trips in the last 2.5 years or so, if that’s any indication). If you’re looking to travel for work I’d recommend a consulting firm – one of the big 4, or a second tier firm – they’ll put you on the road 4-5 days a week for some client engagements, plenty of frequent flyer miles, plenty of Hilton points, etc. I did that for ~8 years and learned a hell of a lot. I eventually stopped the travel and traded it in for a more stationary gig because I was “settling down” with a girl. I don’t need to tell you how well that went lol.

    Other questions? I love talking about this s~~~, ask away!!

    #152575 NotMyProblem, Participant

    That’s awesome MattNYC.

    I’m aspiring to get into the tech sector. I’ve taken a bunch of free courses and so far it’s actually pretty interesting.

    Is college the way to go? Or is it overrated these days? I hear that many tech guys are self taught.

    Not my property... Not my problem

    #152594 Anonymous

    Security is very challenging technically and from the business side too.

    The bean counters and PHBs are reticent to spend money to prevent things from happening they don’t understand. There is nothing tangible for them to see so no value. Go in front of a CxO and blather about esoteric vulnerabilities until his eyes glaze over. You will get shut down before you can begin. Executive buy in is one of the toughest parts of the job.

    MattNYC gives a very excellent synopsis as his industry has major incentive to do it right due to protecting money. My jaded view is from 20 years in the business in corporate and consulting roles. I think you really have to find a place with the right culture if that’s what you want to do. Success is measured by nothing happening. That’s a tough sell. My clients vary in how they deal with it.

    One big challenge I recently had was to convince an executive that his normal user account did not need to have full domain administrator privileges after an audit I performed for his company. I did not bother asking for permission. I just took away his excessive rights and then fixed two things he needed access to. A prior consultant was either lazy or intimidated. Yeah, Cryptowall running with domain admin rights, can we say f~~~ing mega disaster.

    That being said everything can be cracked unless it’s powered down, and humans are always the weakest link.

    As far as school goes, you don’t need to go to college. However, it does open more doors for you. I have a degree in a STEM field as well as Management so it’s easier for me to flip from tech geek to PHB handling. My IT knowledge is all from on the job training and course work.

    No matter what always keep learning. MattNYC is right about the Cloud being a challenge. I’ve found that my soft people handling skills are quite valuable in dealing with Cloud providers. I do a lot of third party coordinating these days too.

    #152611 Crazy Canuck, Member

    https://www.kali.org/penetration-testing-with-kali-linux/

    Would this be a good starting point?

    "If pussy was a stock it would be plummeting right now because you've flooded the market with it. You're giving it away too easy." - Dave Chappelle

    #153156 Anonymous

    Thanks for the replies. Got me more confident in getting into this field.

    #154026 MattNYC, Participant

    Is college the way to go? Or is it overrated these days? I hear that many tech guys are self taught.

    The answer here will depend on your goals a bit. And I’ll speak largely to the Risk Management & CyberSecurity fields, not technology in general.

    College is required in almost all cases if you want to get into a large company doing this sort of work. For example – of the 10 largest banks in the world, I’m pretty sure all of them require a 4-year degree of some type to do full time security work. Ditto for the largest consulting firms (Deloitte, KPMG, etc.).

    Having said that, there are a bunch of regional consulting firms out there that’ll need help, and they don’t have the explicit college requirement – I know because I worked at one, and while I had a college degree, the senior tech guy/part-owner (this motherf~~~er was *brilliant*!) didn’t go to college. In fact, he may not have finished high school. But he was really good at solving client problems – he just built his firm, helped current clients, developed new clients, and the business was eventually bought out by successively larger firms.

    The guy I just mentioned – he makes a good living. He’s respected by his coworkers & clients, but he’ll only ever work for regional clients, not larger/international ones that’ll all have that college degree requirement.

    For me, seeing the most advanced IS programs in the world, run on the largest networks, at the largest financial institutions – all of that is a big draw for me. I see challenges on a regular basis that regional firms couldn’t even dream of – the scale/complexity just isn’t there for smaller firms. The tradeoff, of course, is degree requirements, more paperwork/overhead, having to actually deal with HR on occasion, that sort of thing.

    #154035 MattNYC, Participant

    Success is measured by nothing happening. That’s a tough sell.

    Agreed. Although fortunately (or unfortunately, depending on how you look at it) just about every firm has been breached at some point by now. It’s only a question of whether or not it’s successfully discovered. With hacks, ID theft, etc. in the newspapers, execs are more aware of these sorts of infosec risks than ever before. Which can work in our favor.

    When hacks & breaches occur at other companies, or in the newspapers, etc. and execs come to me asking “Can that happen here?” it’s a great opportunity to educate them. Most execs know how to think about risk in some capacity (legal/compliance risk, budget risk, currency risk, whatever), they’re just not always used to dealing with information security (“IS”) risk. Enter the IS professional – translating technical information security/cybersecurity risks into terms execs can understand – namely time & money.

    people handling skills are quite valuable in dealing with Cloud providers. I do a lot of third party coordinating these days too.

    Yeah, 3rd party risk is going to be with us forever. They definitely introduce risk into their clients; but it’s not always easy to know what that is. The most extensive framework I’ve seen here for assessing is the BITS AUP SIG – last I checked that had upwards of 1500-ish control questions, but that was a few years back. I was hit with that a few times while working for vendor companies – f~~~ing nightmare!
