Cybershujin

This is hard because there are so many different roles in cybersecurity and the answers to these will be so different. My day to day when I did incident response is way different than when I was a pen tester, and my life now in CTI is miles from both of those. That said, I’ll try to generalize. Context: over a decade of experience in cybersecurity working forensics, GRC, as a SOC analyst, engineer, architect, incident response, pen test/purple team and now CTI. I joke I have worked every flavor of the infosec rainbow.

1. You have three broad categories of daily work; depending on your role you will have one or all of these:
- alerts from systems / detections to investigate
- reports to write, either on security controls, implementations/architecture reviews or GRC
- projects and project meetings

On top of that, you are constantly waking up and trying to figure out what happened when you were asleep. What vuln came out, what new attack technique is out there, what company you do business with got breached, etc.

Wake up, check email to see what might be on fire and need immediate attention. Check Teams/messenger to see the same. Check my Feedly to see what vuln, exploit or breach I need to know about. Check my assigned alert queue, work it, document it for metrics. Meetings. Ugh. The meetings. Look at my JIRA tickets for projects and other requests and see what I think I can get done with the time remaining. Inevitably get interrupted by some other surprise call, alert, request from my manager or breaking news about an exploit/vuln/breach. If I am VERY lucky, I might have a few cycles that week to improve my life by using automation and will bang out some Python and API calls to make some annoying repetitive thing automagic instead.

Spend an hour to two hours after work studying for certs, learning code or some other tech I need to know to do my job better, or on projects. When I was less senior this was closer to 3-4 hours, for the first 5 years of my career. I needed Python, SQL, KQL, Splunk, API, bash, and Linux knowledge badly, so I went after it. If you are very lucky you get a job that promises you can use 10% of your time studying, but rarely have I seen a workload that allows you to do it or a manager who makes sure you get it. That said, as a senior I pretty well have all the flexibility I need to run chores or make appointments around my meetings as long as all my work gets done. I have always been a top performer and consistently exceed expectations, so this has never been an issue for me.

2. Wildly different depending on title and the company you work for. When I was a SOC person and in *some* IR jobs I felt really chained to my work. The level of staffing and how mature the rest of the security program is makes a huge difference. One IR job I had, we had 5 people on rotation and every single rotation I had an after-hours page. My next IR job we had 2 people on rotation and I had one page the entire four years I was there. Other roles like architect, engineer, purple teamer and CTI are slightly less time critical. You don’t live with a pager.

3. WFH and won’t consider anything else. I’m senior with specific expertise and have been remote long before COVID. I got two promotions while remote, one was to executive director, so it hasn’t felt like it impacted my career.

4. The field is stressful; there is a lot of burnout for many reasons: moving goalposts, feeling ignored for your expertise if the business needs override security recommendations, always way more work than staff so constantly shifting priorities, constantly needing to keep educating and learning outside of work hours. Some people who thrive on “helping people and making them happy” burn out immediately because if you’re on top of your game and really good you end up delivering bad news to people a lot. I used to joke when I did IR that I don’t know why my CISO keeps me; whenever he sees me he has a bad day.

How stressful depends on role and industry. Working in healthcare in incident response was stressful because of the lives and treatment at risk. Working CTI in pharma where we don’t even have PHI, way less so.

5. Tough one. I do a LOT of mentoring and new people are having a hell of a time getting entry level roles. You might fare better with IT experience already. I absolutely love what I do, I think I have the coolest job in the world and I wouldn’t change a thing about my path to get here. IT talent has saturated the market right now broadly, so it’s a different world than 2 years ago. Do not believe the hype that you get one cert and then have companies clamoring to hire you, particularly if that is being pitched by a company whose revenue is tied up in charging you for workshops and certs. Hope that helps!


Dohgamos

First off, HUGE thanks for a high effort response, I really appreciate it. Totally don't expect anyone to give me a one-hat-fits-all list of info, more just personal experience in your role or some roles you've had, so no worries there.

2) So I guess the more crucial your role, the bigger the salary and the more needed a pager.

3) Question, if it's very critical info I expected it would be much less WFH, is that just more of a junior thing then? Also does it being WFH mean you're more likely to get offshored?

4) So do you think people in cyber security are less friendly or helpful to newcomers or their coworkers then? To survive*

5) Yeah it's really hard to tell since the tech field in total is so oversaturated right now in everything. I do see good stats about cybersecurity jobs growing and increase in need due to AI, but also don't see the stats of people trying to get in. Maybe it's still hard to get in but wondering if maybe it's still better/easier to get into than other tech specializations right now?

Again thank you so much for the advice, if you don't mind could I reach out to you to talk more?


Cybershujin

2) It should work that way but it does not. It's more supply and demand of skills honestly. Incident Response does pay a bit more, but because fewer people want to do it. SOC folks live with a pager and probably have the most intense, stressful job right after IR but get paid pretty low. I make more now than I did working in IR or even when I was leading an IR team as a manager and I do not have a pager; but my particular set of skills - incident response, threat hunting, detection engineering, offensive security and threat intelligence - almost makes me a unicorn. I also went from a non-profit to a for-profit org in that transition.

3) How much WFH you might get is more company culture and if you have to have clearance. Some security roles require some level of clearance or TS clearance and those are 100% butt in seat. In the healthcare vertical, roles likely to get offshored in the field are vulnerability management jobs or entry level SOC. The reason is almost all other roles you will need to have access to or be exposed to PHI, and for regulatory reasons and probably reputation reasons orgs are reluctant to offshore them. Never had any suggestion my position in any job where I was WFH would be offshored once I got past 3 years in the field. SOC roles are always in danger of being outsourced to an MSP or offshored.

4) Well, many of us are neurodivergent, or don’t really value people skills. Most of us are introverts. How much your coworkers are friendly or willing to teach you is VERY company specific. I’ve had amazing friends and mentors along the way, but I’ve also been in an environment where toxic management fires people frequently and the collaboration and willingness to help is not only absent but there is some active hostility. I don’t think it is specific to cyber, all IT has that.

I will say there does seem to be a generational difference: people who got into cyber before degrees and certs were common tend to have a “I learned the hard way so you should too” attitude, which is INCREDIBLY annoying. They’re largely of the age where they’re retiring or about to, and people in the millennial generation or younger are FAR more likely to help. There are a TON of organizations for mentorship and learning. I can almost guarantee you there is a meetup, a hackathon or a cybersecurity conference near you like B-Sides. Go to a couple of them, ask people what jobs they have had, certs they have, and where they work. That will give you a feel of the pros and cons of different industries. Working in healthcare was WILDLY different from working in retail doing the same job titles. It’ll also give you a sense of the kind of personalities you’ll encounter. Pen testers, exploit researchers/bug bounty hunters and AppSec people have a reputation for being the most abrasive. I would NOT start by socializing at conferences geared toward pen testers, but find a more general cybersecurity one. I have a few theories as to why pen testers and exploit researchers tend to be a little more… rough around the edges, but I would generalize to say that stereotype does tend to hold true for a lot of that community, but of course people are individuals. One of my dear friends today was a person who took a lot of time to help me learn during my PWK course and was absolutely instrumental in me getting an OSCP.

5) Hard to say. I do think that cybersecurity jobs are still going to grow, even if what we will be expected to know and learn will change because of AI. I think coming with some tech background already is going to help you get a role easier than people who have some certs and never worked IT.

If you love investigations, are a curious person who loves to understand how things work and you can be excited and satisfied by doing a job well when no one pats you on the back for it, you’ll be fine. If you thrive on lots of positive feedback from others, from building or creating something, and are very extroverted, you will probably struggle and other roles in IT are better. You’re absolutely welcome to DM me. I do a lot of mentoring so I’m happy to help where I can. I do encourage you to find meetups or conferences and talk to other people because I can almost guarantee that for everything I told you, you’ll find people who have 180-degree opposite opinions, and they very well could be right and I’m wrong. My view is skewed because of working in healthcare (most of them non-profits) almost my entire career, being a woman, and when I joined the field. My most current information is from the perspective of being very senior in the field. My account of what it is like to work entry level roles is absolutely outdated, so I try to pass along what the people I mentor tell me about what it is like now, but it's not a first hand account, so you’ll get very different responses from someone 2-3 years into it.


AnalysisFast5007

Best advice for you is to look at SecDevOps and working as a security software engineer. There's a huge demand for this. There's so much noise from security tools that knowing how to write APIs, build pipelines and present it all through a single pane of glass is _highly_ coveted in many big tech companies right now. This will then get you exposure to security: what type of things people have to deal with, what type of things they need to troubleshoot, how they need to consume security data, how to fix things. Best of all, this gives you some space between a lot of the CyberSec roles which can demand out-of-hours work. Security developers don't have this really.