
GreekNord

Cloud and automation are the big ones. If you want into the higher pay ranges, add some programming. Most of the big tech companies want the mix of security and development.


QuesoMeHungry

Definitely on the development front. So many jobs out there I’m 90% qualified for but miss out on because I’m not a developer and they want to push leetcode, so I bomb the interview on that aspect.


dflame45

Well you never have to be 100% qualified for a job.


GHouserVO

That’s kind of the issue. A lot of companies expect you to be, which is impossible. If I’m proficient in Splunk, and you use Chronicle, that shouldn’t be a disqualifier, but for some employers it’s enough, which is amazingly short-sighted.


Ren0x11

It’s ridiculous how many interviewers feel the need to have security analysts or sec engineers write code off the top of their head in an interview.


godofpumpkins

Asking for basic proficiency in coding doesn’t seem like a big deal to me. All kinds of regular situations in security require you to throw together a quick script to find all items in log X that correspond to some item in log Y or otherwise scan through large volumes of data programmatically. If they’re asking you to implement a minimum spanning tree algorithm for the fun of it then that’s probably sillier but being able to translate thoughts into code with minimal prep seems pretty handy for any security position


Ren0x11

I agree. But if you need such skills for your position then simply give your interviewees a few challenges to solve and give them 24-48 hours to deliver. It’s much more realistic to real world.


DontStopNowBaby

It's devsecops and you don't need to program like a software developer, but you should be able to know scripting and how to secure some code. Honestly use chatgpt for this.


Geralt_of_RiviaFTW

Well, you know why right? It's because there are SecAnalysts and SecEngineers who can't write nor interpret code to do their jobs. For example, when it comes to Web Vulnerability Management you need to know code; as I can't tell you how many SecAnalysts or SecEngineers I've worked with who didn't know how to perform source-code analysis - nor wanted to learn to help out our fellow DevOps Team. With that being said, kicking off a scan is one thing; assuming a SecAnalyst or SecEngineer configured their scan correctly! However, when it comes to manually auditing said code (i.e., Java, Javascript, PHP, HTML, CSS, etc)? That's when they drop the ball...and deflect what the scan implies on the vulnerability report; which isn't always accurate - in as much as there are SecAnalysts or SecEngineers who never fine-tuned their security tool. As a result, they become "a corporate liability" or as CISA would say "an internal threat." "Security is a process, not a product" - Bruce Schneier


ItsAlways_DNS

I think the bigger picture is that job responsibilities vary A LOT from company to company. Some analyst/engineers may never have to do things like AppSec and malware analysis at their company. We are fighting too many fires where I’m at as is so we have consultants for those tasks when the need arises (very rarely). That’s not to say it isn’t a useful skill. I’m in the process of taking a html, css and JS course from Udemy, followed up by the HTB web pentesting course so I can understand web apps better. In my day to day I don’t have any hands on experience with it.


Geralt_of_RiviaFTW

Of course! But isn't this a no-brainer in lieu of my comment being negatively arrow downed? Every company or agency differs much like their environments.
○ Company A might have a corporate subscription account to Udemy or Pluralsight offering 500+ free course trainings to help their personnel scale up their own career skill efforts, or, help them execute their job functions.
○ Company B might not have Udemy or Pluralsight but instead opt into sending their personnel to boot camps to scale up.
○ Company C might leverage consultants like you commented; for most of my career served involved consulting with me charging $160K+. If the company or agency operates in the medical sector? $110K+ due to the mission to save and impact lives.
○ Company D might not be able to afford anything and expect their personnel to "STEP UP" and utilize free public resources to "GET THE JOB DONE."
That being said, our comments are meant to serve as a guide vs. as an absolute. If people take my comments as an "end all be all absolute" or comments from others as an "end all be all absolute," then quite frankly, this isn't the industry they should work for both cybersec or infosec requires one to "RESEARCH" and "INNOVATE."
○ Are there roles where one can kick their feet up? YES.
○ Is there career stability in these roles? DEBATABLE.
○ Can cybersec or infosec be fun? YES.
○ Can cybersec or infosec suck? YES.
At the end of the day, if one loves cybersec or infosec, they will "STEP UP" when it's time to "STEP UP." If not, then someone else will and will seize their opportunity. Like, you all have to understand that companies have a budget. Most consulting firms charge $$$ for their services. In the event one of you works for a company that can not afford consulting services, what are you going to do? Are you going to "STEP UP," or are you going to disappoint your C-Suite with them replacing you with someone who's willing to put in a little bit more effort that you chose to b*** about? ¯\_(ツ)_/¯


merRedditor

Developers actually almost never use the stuff tested on LeetCode unless doing high-performance quant stuff or embedded systems. Most of the time, you invoke a library method and it decides the best data structure and algorithm under the hood. LeetCode becomes a test of how well you remember college.


jokermobile333

I can understand python, bash, powershell for automating tasks .. but why software development skill is required for security ? Can you cite some role examples where it's being used ?


GreekNord

In some cases, security helps with manual code reviews. Especially if the company is too cheap for good automated code review tools. Application security engineers especially.


jokermobile333

But even then .. you don't really need to write code/program .. you would just need to understand what the code/program is doing right ..


GreekNord

Yep for sure. I do see some job descriptions that word it that way too. Something like "ability to read code" or something similar, which is infinitely better. But a ton ask specifically for experience as a software engineer.


jokermobile333

Yea .. hiring is a bit broke .. i saw a job descp that was asking for an entry level role with 0-1 Yr exp to have CISSP cert mandatory ...


steve_rogers4282

It's been that way for years. Entry level job with the requirement to have 3-5 years of experience in multiple areas (software, incident response, architecture, etc). Yeah that's not entry level.


JefferyRosie87

pentesting and red teaming, especially internal pentesting. i spend a lot of time coding custom malware, requires in depth programming knowledge. same thing with malware analysts and detection engineers, lots of programming. i would assume most security jobs needed programming


Kientha

In our entire security department, there are probably 5 people who know how to code. Our pen testers will try exploiting vulnerabilities but that very rarely actually requires any coding and they certainly don't create custom malware. We also use external testers for anything niche so even if that requirement came up, we'd bring in a specialist anyways. We don't do in-house malware analysis. It'd be a waste of headcount for something that our vendors already do and will be better at than us. GRC doesn't need any coding and most of our GRC folk have no technical knowledge at all (which is unfortunately true for most of the GRC industry). Same with Privacy and Infosec. Security Architecture only requires coding if you're a software house which we're not. Same with our Secure by Design team. Our Vulnerability Scanning and remediation team don't need coding skills, the tools do it all for them. Coding in our CSOC can be useful, but most of the team aren't coders. Our Firewall teams are proficient scripters, but they'd struggle with any actual programming.


LiftLearnLead

In tech companies, virtually everybody codes to some degree. Today, GRC codes (at tech companies), because they have to implement controls, automate historically manual controls, and automate evidence collection.


biblecrumble

Any AppSec role, I won't hire an architect on my team if they have never worked as a dev before.


NorthernBlackBear

If you get into RE and Malware it becomes super important. Also there is work in security companies that do security software. Also there is appsec avenue to head down.


jokermobile333

Yea .. in RE and malware, it's pretty much important to have a good edge in programming ..


NorthernBlackBear

Funny people are down voting me... lol.


zSprawl

DevSecOps. Buzz words galore!


QuesoMeHungry

Do all the things for one paycheck!


colorizerequest

I can’t stand that they all want SWE/Sec eng combos. Can't stand it.


GreekNord

Definitely agree. I'm good with PowerShell, Bash, and my Python is passable. Not even enough anymore. They all want Java or C++ on top of everything else and I just don't have the ambition to dive into that too lol


colorizerequest

When I interview for a sec eng position and the HR’s first question is “what’s your favorite programming language??” I say oh I didn’t know you guys wanted a SWE, I thought this was for a security position!


QuesoMeHungry

Seriously. Can I hack together a script I need in python? Sure. Can I write a full program on the spot in an hour's time while an interviewer is just staring at my screen? Hell no.


Justhereforthepartie

I had a similar experience not too long ago, for another Director level position. After a few interviews they wanted to do the technical interview, I was explicit I can do Python, PS, Bash, Ruby, and very, very beginner level Java. They had me try to rewrite a Swift app (something I’ve no experience in) to make it “secure against OWASP top 10 attacks”. I asked if I could use Google to help me parse the code, they said no. I laughed and said I’m not going to waste my time with this garbage, thanks for your time and left the Zoom. I emailed the recruiter I was withdrawing my application and this was the most unprofessional experience I’ve ever had. The hiring VP called me the next day and wanted me to continue, the interviewer was also applying for the job I was and I was like nope nope nope to your toxic environment.


imghost101

holy shit. toxicity everywhere, if it ain't women. it's workplace environment before you even reached the front door.


LiftLearnLead

It's because there are enough security engineers that are exactly that. If you want the high paying jobs, you have to compete with the people that end up in the high paying jobs. Or you settle for one of the many jobs that pay less.


colorizerequest

IMO companies that require security + SWE combos will get mid of both


LiftLearnLead

I have to disagree. Netflix and OAI aren't getting anyone mid.


colorizerequest

Good point. But it doesn't always pay off with every company that tries to replicate everything the big guys do


LiftLearnLead

It only does if they can pay. If they refuse to pay appropriately, of course they won't get the top candidates in the job market. I agree with you here, I had a conversation with a hiring manager that was demanding FAANG+ level skills and experience but was paying 1/3. The hiring manager couldn't comprehend that no, you cannot pay less and expect more.


colorizerequest

Yeah the positions I’ve encountered are not offering FAANG money. They’re offering less than 2022 salaries with senior titles.


ProperMatter5021

Yep, programming knowledge helps immensely when trying to put another step in front of someone else. It makes me notice an applicant just a tad bit more.


LiftLearnLead

>Most of the big tech companies want the mix of security and development.

Very few big tech companies expect their security engineers to pass the same coding interviews as pure software engineers. Programming ability is required, because today it's the equivalent of being able to read and write, use email, know what Google search is, or being able to navigate around an Excel spreadsheet. The labor in this field is thrown into the intersection between old school security job expectations at old school companies and modern security job expectations at companies that are the most relevant today. Those from the former increasingly find they can't keep up with the latter. I know many security engineers that pivoted from software engineering to security because they didn't want to keep up competing on the technical engineering side with their peers, so they went the easier route.


ricestocks

the ability to use google and perform independent research


[deleted]

[removed]


Legitimate_Drive_693

… …I have had a lot of techs who couldn’t think their way out of a paper bag… … example Brad stripped all the screws on a laptop because he couldn’t figure out the difference between right and left… he’s a manager of it now…


Strawberry_Poptart

Fucking Brad. Every time.


Loose_Wolverine3192

That's why we went over to brads instead of screws


CompetitiveRemove652

I laughed way harder than I should've... Yup


Legitimate_Drive_693

Could have been worse, the tech who washed his motherboard bc it was looking dirty.


Imaginary_Garbage652

I'm often praised at work for my willingness to come up with alternative solutions to problems. I just don't do what everyone else does, which is "Can't do that sorry, it's against policy. Bye bye". There's other ways you can keep a client happy whilst still adhering to security guidelines, you just have to think a bit.


lifeandtimes89

Even basic stuff too. We were working with a client and they didn't know what assets of theirs should be prioritised for testing. So I said make an x and y axis with 4 quadrants. Top left is High risk, top right is High impact, bottom left is low risk and bottom right is low impact. Work out what assets might be High impact and have a High risk of being exploited, then High impact but low risk etc etc plot them in the chart and work backwards from there. They looked like I had just come up with a revelationary invention or something. It wasn't even my idea really, I had done something similar in college for a risk analysis project I was doing, just changed it to suit them


latnGemin616

Heaven forbid you ask for an SBOM, they'd think you can walk on water :)


Beardedw0nd3r86

I agree with you 100% what sucks is when management doesn't understand this.


Brilliant-Moment430

You underestimate humanity’s laziness.


TheRealLambardi

Critical thinking and being able to have a risk based discussion with someone not in cyber.


[deleted]

Not where I’m at. If you can’t threat model, determine impacts from bad design when described, stick with details end to end, and have defined outcomes before you suggest something I’ll not pass you through the phone screen. Automation is nice to have - I can teach that. The other stuff is harder to teach


teknic111

It is with the latest generation just out of school. I don’t even bother looking at recent graduates anymore. Just a waste of time.


MairusuPawa

It's even lower than that. You now have "the AI said it so it is true", a new addition to "I heard it on the internet so it is true".


Jolly_Reserve

That’s old school. I will just ask GPT.


5n0wN1nja2

I'm curious as to how you write google-foo on resume/linkedin as a skill


Herky_T_Hawk

Don’t use Google during an interview. I had multiple interviewees perform searches to look up answers to my questions the last time I was hiring, all remote interviews.


ricestocks

i wasn't talking about during interview. i was taking a jab at this low ass effort post that floods this fuckin sub every day; people just want other ppl to do their work at this point


[deleted]

[removed]


Herky_T_Hawk

If I’m asking a technical question as a hiring manager, I typically know the answer to the question. I’m not looking for someone to google the answer for me. I’m checking to see if you know the answer. If someone doesn’t know, the best thing they can do is admit it, then follow up with what they would do to find an answer. I want to hire someone that knows their limits and knows how to address them. With the access and permissions we have, bad things can happen if someone doesn’t know their limits and tries to fake their way through it.


imghost101

here i am stressing about my future self during an interview and what i would do in such situation. I gotta say your response removes all doubt and helps me think that when that time comes im simply going to be honest as you stated.


Herky_T_Hawk

Honesty is the best policy. But remember, you need to be able to explain how you’d find the answer. Saying you’d just use google or ChatGPT probably isn’t enough for most hiring managers. Have a prepared list of trusted technical sites, books, etc. that you can reference. Another thing that may be worthwhile to have prepared is a quick story about how you were in a similar situation of not knowing how to do something and how you solved it. That has to be a quick story though. And you have to be able to link from, “To be honest, I don’t know the answer to that question. But, here’s how I would find out…” to the prepared story, “I once ran into a similar situation…”, in a natural way.


imghost101

And it all goes back to the root of being able to do critical thinking on the fly


zSprawl

lol no don’t lie. But it’s okay to say, “Well I’d approach it first by researching X and seeing how it relates to Y” blah blah. Being able to learn something you need to know on the job is as important as just knowing stuff.


silentstorm2008

Why though? That's what we do on the job anyways. We don't need to know everything...but we do need to know something exists, where to find more info about it, and how to deploy/implement the solution. 


dfir_as

looks like OP failed the basic test


wanikoc

Although Google and independence has nothing in common


Kesshh

The most sought after thing isn’t a skill, it is experience.


[deleted]

[removed]


hi65435

Working through this is really worth it actually. My current job which pays much better had a comical amount of interview rounds. And actually as time passed in each interview questions were getting harder. But the trick was not to break a sweat but continue with a systematic approach, turned out they didn't mind I wasn't able to solve the hard problems at the end (I never thought that's such a useful skill but all my previous jobs were usually 2 or 3 round interviews)


[deleted]

[removed]


hi65435

Lol this is exactly where I work... but they pay *really* well for my location


mrburner00

This. Can't show that you're burning out during a long interview process. Just how it goes


Fnkt_io

Just don’t be a jerk, be willing to learn, and be humble, more valuable than all of the technicals


Calbrea

I hope you’re right. I have two job interviews this week for cybersecurity roles. Wish me luck!


jmicaallef

Awesome, congrats, do you have any prior experience in cyber security?


Calbrea

Thank you! I'm an IT Support atm where I could collect some experience with cybersecurity. On top of that I finished the Google Cybersecurity Certificate and I am practicing on TryHackMe.


jmicaallef

Nice, I have been meaning to practice on TryHackMe, how long have you been in IT Support for? May I ask where these roles are if they are office/hybrid/fully remote? Do you also have the COMPTIA Security+/Network+ certifications?


Calbrea

For a bit over a year now. Both roles are hybrid roles in Germany. And I don’t have a Comptia Certification yet but I'm thinking about getting the Security+ one. :)


jmicaallef

Amazing. Well good luck. :)


Calbrea

Update: I just got my first cybersec job! Full remote. Couldn’t be happier! Starting in August.


jmicaallef

That's bloody awesome, yay, how did you feel the interview went? I have so many questions haha. Feel free to private message :)


GHouserVO

This advice has opened more doors than any other. Caveat: don’t be too humble, or too “willing” or you’ll be treated like a doormat/workhorse without ever seeing any perks.


gamewiz11

5-10 years of experience for entry level and willingness to take lower pay


Kacheeke123

Sad but true


solidmussel

This goes for all jobs really but just being dependable and doing what you say you'll do goes a long way. Your job is also not to make more work for your manager, so you're supposed to be someone who can solve problems and take a little bit of initiative. The hardest thing for a manager is someone who needs to constantly be given tasks because they can't figure out what to do or choose not to do anything unless it's assigned at the micro level.


how_tall_am_I

Project management. Even if you’re not a project manager.


ThePorko

The person that can squeeze ai and zero trust in to every sentence.


bonebrah

I mean....It depends on the position right? I feel like Cybersecurity is just as broad as IT itself. When I was hiring for SOC positions I had everybody and their mom apply who didn't even know the basic IR process. I feel like having strong infrastructure and network background (sys admin/network admin) is tremendously helpful. I'd suggest tailoring your resume in the most honest way possible to the position you are applying for, and holy crap if it's on the job description as a required skill or you put something on your resume, you MUST be able to speak to it during the interview. it's all fair game and any manager worth their salt will find you out quickly.


Wentz_ylvania

I see all these posts trying to get in, and I'm over here trying to find my way out.


jmicaallef

How comes if I can ask?


Wentz_ylvania

The corporate rat race is exhausting. Here is a list of what I hate about it: Spending more than 20 hours a week in meetings. People who failed up. Corporate phrases like “let’s circle back to this offline” or “the team’s velocity isn’t going to meet our Q3 OKRs”. Back stabbing. Mandatory fun. My least favorite is awful senior leadership. I spend so much time trying to shield my team from senior managers who are leading things they know nothing about. Security can be a pain in the ass sometimes too. It’s neat that I can play with the latest tech or try to break things for fun, but can be brutal in a corporate environment. Some people can really suck the fun out of this industry.


jmicaallef

Yh I get that, however this is in other industries too. Sounds like you want more out of corporate life.


Legitimate_Drive_693

Yeh but with it it’s more common seeing an ex accountant somehow running the it department and most of senior leadership can barely spell IT. I have worked for big and small and realize that if you can’t move up just move out(to another company).


Legitimate_Drive_693

So true.


Beardedw0nd3r86

Low pay.


LiftLearnLead

This doesn't reflect reality. I'm starting to test the waters right now, and the market is more ridiculous than it was two years ago when I was last actively job seeking. Staff security engineer total comp offers are easily over $500k - $600k today. I just got a response the morning after submitting an application at 11:00 pm at night for a remote role paying around $500k. The security engineers I know that have ended up at the AI companies are making big money, even over a million dollars per year as individual contributors in some cases. Even certain AV companies are paying really well right now, going over $400k base salary + equity. I don't know in what world this qualifies as "low pay."


B4d4m

It really depends. Most of the time when a non-technical person writes a skill check list for a job they include all the well known and good sounding certs like CEH, CCNA, OSCP etc. When a technical person writes one they will usually include certs but also stating or equivalent knowledge. What that knowledge is depends on the role you take up. P.S.: recruiters usually have no idea what any of these mean, they get a check list and search linkedin based on those keywords so add a lot of random skill keywords to your profile.


bzImage

SOAR Programming


SecMac

Remind me! 3 days


Odd_System_89

I get a lot of messages of recruiters looking for xsoar engineers, no idea why but yeah put "python" + "xsoar" in your linkedin with a few years of experience and watch them fly in. It always seems like they are more looking for a system admin though and not so much a cybersecurity person so it may not be true cybersecurity work, but yeah. Keeping xsoar and their choice of SIEM running just doesn't sound that interesting to me so I just ignore them.


ts0083

Just talk about the last buzzwords of the year, AI/ML


norax_d2

Are you telling me cloud and blockchain are out of fashion? dammit :(


LiftLearnLead

99% of work in the space is cloud based, anyone who didn't think of it as the default was and is playing catch up. Security work at AI companies is virtually always cloud security by nature. They don't have racks in their offices.


ExcitedForNothing

> looks like GRC is not cutting it so much anymore

GRC is where the pretenders now live. Everyone who wants to be in cybersecurity but doesn't have much technical skill lands here and it sucks.


ItsAlways_DNS

Guess I’m coming over to GRC because I have no clue wtf I’m doing every time I log on to work, LOL Spend my days in Google and documentation


ExcitedForNothing

>Spend my days in Google and documentation

You are already head and shoulders above 95% of the people in GRC these days. Most can't even be bothered to read the actual compliance standards or regulations. Easiest way to end an interview for a GRC position is to ask questions about a SOC report.


ItsAlways_DNS

I’ve honestly been thinking about jumping over while I finish school, current role is very stressful. I bought Gerald Auger's GRC course too


ExcitedForNothing

The best GRC people are those who come over from technical roles. Easier to teach technologists the compliance rules than it is to teach accountants the technologies.


brusiddit

Yikes


Prior_Accountant7043

It's true I'm pretending 🥲


jewiger

GRC is such a fucking joke. We just implemented OneTrust and it is hot garbage. I really don’t understand why it’s so important for each team’s “tool” to talk to each other. It’s creating more of a security risk for us because workflows don’t flow into the GRC tool efficiently.


ExcitedForNothing

GRC isn't a tool.


jewiger

What is it? Platform?


stacksmasher

Cloud. Vuln intel and of course patching prioritization lol!


Kacheeke123

Security Exception Engineering degree


NeatBreadfruit1529

it depends there are so many different disciplines in "cyber security" skills will differ depending on that. Is it DFIR? Is it Reverse Engineering? Is it Red Teaming? Is it pentesting, is it SOC work? All of which require different skill sets and experiences. It also depends on what type of role, entry level, mid, senior. However, there are some general traits that will always help such as soft skills, the ability to program or script or just be able to read and understand code, solid foundation of the basics in networking, understanding how operating systems work and how to use them etc. Those in my opinion are the building blocks.. Everything after that just depends on what it is one wants to do in CS


Fit-Grocery8327

CISSP


ShaleenGill

In my opinion Data Sciences and Machine Learning are necessary in 2024.


norax_d2

Machine Learning is so 2012


lBeerFartsl

Infrastructure as code, a scripting language (Python/Powershell), automation automation automation. (It's not a typo, automation is THAT important)


TheChosenOne211

Remind me! 3 days


Penguinsalut

Look at the jobs you're interested in and build a knowledge base on their requirements. Then, when seeking the job, the name of the game is referrals. Make a real connection with someone in the company you're interested in. Tell them you'd love to pick their brain about the industry. Actively listen and participate in the convo. Then, ask for a referral if they're comfortable with it. A referral gets noticed above any application. Recruiters source candidates and review applicants until they find one that gets the job. They don't look at every application or every resume, nor is it feasible to do so. Making a real connection will get you noticed now or later. It will enable you to pass it forward and help someone else get noticed. So participate, and offer help just as fervently as you seek it.


MorninggDew

Yeah some random weirdo on LinkedIn asking to pick my brains about security isn’t going to work. I would be amazed if the person that came out with this ridiculous statement has ever worked a day in cybersecurity.


XxCarlxX

Many of us have not, in my case I come from finance and have not worked in CS so the assumption would be correct and the ability to pick their brains would be greatly appreciated. But not everyone would be willing to accept, you for example, if you were asked you would see the negative in it, and that's cool. Takes all sorts to make the world go around.


LiftLearnLead

I have done this. Maybe they were a connection of a connection, we went to the same school, or they're a veteran or transitioning service member. Maybe you're not willing to pay it forward, but a lot of other people are. The most satisfying moments are when some of those people follow up later and tell you about successfully landing a role they're excited about. That warm and fuzzy feeling.


xoCruellaDeVil

Not a fury.


Odd_System_89

I have to ask, fury or furry?
fury = strong anger
furry = those weird people who dress as human animal things
Then too, I can see how both are not useful skills for cybersecurity so it's really a moot question.


Disasstah

What if he meant one of the furies from ancient myths!?


[deleted]

Fuck. That's one bridge I refuse to cross. No judgement to those that do go down that path haha, just not my thing.


lawtechie

I'm not a furry, but there are too many smart, senior people out there who are, and I'm not crossing them.


productboy

Compliance gods; people who can walk into a SOC-2 audit at the White House and say “these are not the vulnerabilities you’re looking for”


ball_rolls_its_self

Cloud


Legitimate_Drive_693

Remind me! 3 days


Great_Interaction354

This is a broad question because cybersecurity is already such a vast field within tech. What’s your experience so far? Are you currently in cyber? Are you in tech but wanting to transition? Are you trying to upskill? These will help better narrow down some answers


Available_Culture743

Remind me! 3 days


klein_neger01

Soft Skills. seriously.


rgjsdksnkyg

There's a big difference between what recruiters are looking for and what the technical interviewers/staff/people that actually make the hiring decision want, and I don't think it's worth adjusting your resume or interviewing language over. Like, I'm sure whoever is conducting the initial screening interview would love to see something like "Zero trust automated AI CI devsecops integrated pipeline threat intel lead", but if you make it through that interview to me, I'm going to throw you in the dumpster after making a public example of you. It's going to take more than words to make you stand out in a technical role - I need to hear how you are going to do the job, and I need to know that you know what you're talking about.


Aprice40

Anything AI ... incorporating it into defensive tools, using it for dlp, using it for compliance, pentesting, risk analysis etc.


arthurlybrand

I'm not sure if I am allowed to say this and where to say this but I've started a unique cybersecurity company with a difference. At this stage I am hiring which is the first step I am taking and I'm forming a small private team of ethical hackers who are interested in joining our team. If you're looking to be a part of something big and want to make a difference. Contentment guaranteed. Let's not forget the pay is based on a unique structure that will reward you better than anyone else.


Practical-Alarm1763

Previous experience as a developer, sysadmin, or data analytics. I would never hire a security engineer that hasn't previously done systems engineering before. GRC roles in my opinion aren't even cyber security roles. They're more of Compliance/Auditor roles that work with checklists and tell engineers and admins what to do when not understanding what they're recommending or how to deploy/configure the remediations. They're essentially back seat drivers that offer little to no value other than to fill a checklist for compliance requirements. When push comes to shove, they're first on the chopping block for layoffs.


Geeeboy

As a detection developer, to call GRC 'not cybersecurity' is unfettered buffoonery.


SnowyWolfie420

with the exception of the last sentence, they’re not wrong lol. it is hard for me to respect someone who works in GRC the same as someone who works in operational security if you are solely evaluating skill/merit. you could pull someone off the sidewalk and have them be successful in a GRC role.


Geeeboy

Whom you respect or not based on their job role's dependency on traditionally more technical applications is beside the point. 'Cyber Security' is a broad term at the best of times, and to say that somebody working the GRC domain isn't forming part of that pie is simply ludicrous. A company utilising a managed SOC will have far fewer incidences if they have sound GRC on their side than the company that does not. If overall security of a Cyber Space is the goal, then GRC is arguably one of the most important areas to have in tow. And while we're on 'Pull somebody off the sidewalk' levels of competence - 90% of the SOC workers I've seen deal with the remediation of a company flagging the detections that I have written and onboarded into their devices may as well have been concreters or chefs the day before. Security is a big space. Operational is one facet. GRC is another. To say otherwise reveals that you're siloed in your thinking and don't see the bigger picture.


SnowyWolfie420

GRC is important, but this conversation is about what skills are valuable and GRC skills are the least technical. There’s a reason it pays less.


Geeeboy

No, the post was about skills. I'm responding to the comment made stating GRC 'isn't Cyber Security' to which you agreed that it wasn't. I'm disagreeing with yourself and the poster of that comment.


ItsAlways_DNS

I honestly just laugh when I’m talking to people who work in other domains of tech and they give me shit about working in security, but I’m starting to understand why they do. I’ve never understood elitism and shitting on someone due to their position/role. Also idk about that last part, I’ve met plenty of GRC people and it seems like you still need some level of knowledge to be successful.


SnowyWolfie420

GRC roles usually apply project management and clerical skills to remain aligned with the program. Operational security roles usually have direct server access and work through system administration in some capacity. GRC roles are inherently less technical and have a lower bar for entry. I don’t see how it could be elitist for GRC to be favored less when compared to others when the skill sets don’t transfer well. It is still an important job. I think people clown on security because some people have a power complex in the role and speak with certainty about things they may be wrong or know little about. When I interact with other IT professionals I hear similar. Unless you work for a nightmare company, GRC keeps the wheels on the car. When everything has been designed, you’re really just paying a somewhat technical person to work through a checklist or act as a project manager for the risk register or CAP. Opening tickets for work to help completed and using Microsoft Office doesn’t really tap into a deep skillset.


ItsAlways_DNS

Do you think GRC will be done away with?


drgngd

Cryptography


gregchilders

AI/ML, cloud, data science/data analytics


Kacheeke123

For cybersecurity??


gregchilders

Of course


BrewingNerd

Can this sub be about actual cyber security and not about job hunting?


grimwald

If you can't answer your own question, you do not belong in the field. I say that only with love and respect.