pigshid

definitely because of the advertising. I feel like people think cyber security is their ticket to retiring at 30 and working remotely from the Bahamas.


coffeesippingbastard

100% advertising. There is huge demand for competent cybersec but advertising makes it seem like all you need is this course and a cert and bam- you go from retail to making $150k overnight and anybody can do it.


Bob_12_Pack

> you go from retail to making $150k overnight and anybody can do it.

I've witnessed this happen to almost everyone that has worked in our cyber security department. I work at a university, our ITSEC staffers are typically straight from the help desk. They spend a couple of years learning the job and various tools, picking up certs, etc, and then go corporate and make bank, rinse and repeat. One guy went from PC tech to director of ITSEC, then left to go work in big finance, we're still trying to fill that position.


IShouldDoSomeWork

> you go from retail to making $150k overnight and anybody can do it.

> They spend a couple of years learning the job and various tools, picking up certs, etc, and then go corporate and make bank

There is a difference between going through a course and making $150k the day you graduate and working on a help desk before moving into a role that gets you on the job experience for 2-3 years. At that point you have 4-6 years in IT and can move on to bigger and better things.


ThEMoNKeYXX5

What university was this? (Not actually wanting an answer unless in PM). I worked in a top R1/D1 university and they did a fantastic job at gatekeeping from these kinds of positions, and this isn't coming from a disgruntled employee. I was fantastic at my position and my bosses/peers were great. I am assuming this is because good help is hard to find and they do not want to lose you. But you know how it is in higher education lol.


LOLdragon89

Damn ... where am I missing this advertising? I'm on the track toward cybersecurity myself right now, and while I hope to eventually make 6 figures, I also understand that I'll have to put in at least 5 years of work in Help Desk, IT Support, and/or Systems Administrator types of jobs (not to mention ample studying for certifications and other fields) before I come close to sniffing that. Then again, my source is some rando I talked to here on Reddit, so what do I know?


Johnny_BigHacker

Er'body want to stop the hackers but don't nobody want to help Bill who can't print

> have to put in at least 5 years of work in Help Desk, IT Support, and/or Systems Administrator types of jobs (not to mention ample studying for certifications and other fields) before I come close to sniffing that.

Exactly what I had to do.


Scary_Engineer_5766

Working on a printer issue at this very moment and can confirm that I don’t blame anyone for desiring this.


MajesticRecognition5

Ugh, printers are like my least favorite thing to deal with.


Dejectedbunny

The 5th circle of I.T. hell is just printers.


LiveSecurity9398

I think you mean scanners.. or even worse an all-in-one


MajesticRecognition5

Hmm, no I think I’d much rather deal with the scanner. Though in both cases it’s very much fuck around and find out, and then pass the buck if I can’t resolve.


port1337user

Yep I put my 5 years in doing bs too, it paid off. Help Desk -> Consulting -> Covid -> Data Center Tech (6 figs here). MSPs are the McDonald's of the tech world, great to learn and for a 1st job, get one of the kids making $19.50/hr to help Bill.


xdsxblazinxdsx

Same, five years in networking/telecommunications. Moved to security last year. Absolutely love this job, and the pay is really good.


sold_myfortune

Your source, the rando, is mostly correct. Skip the line if you can, but be prepared to put in the time.


PhoenixOfStyx

There're many ways into Cyber. Yes, you may have a strong foundation in infrastructure with 5 years in help desk, but you could also get complacent and wind up going nowhere. And it's boring. And your salary will be pretty lame most likely.

I had 2 months in help desk, then an A.A.S. in Computer Systems when I landed a 3 month cybersecurity internship at an EDR vendor without any certs. That got me 1 year as a Security Analyst at a small MSP. Now 6 months as a Security Analyst II at a very large MSSP. Then I'm dropping back down to Tier 1 due to a nearly 6 figure offer. Only certs I have are A+ and 2 EDR "I know how antivirus works" certs.

If you can get the work experience, that's all you need. And to get work experience, you really just need to network on LinkedIn or cybersecurity conventions and know how to keep your resume relevant to the position. You could burn 5 years doing Help Desk stuff. Or you could get an internship or the trifecta or home projects. All you have to have is proof that you can do stuff and things.

Hell. If you want to go Red Team, just do Hack The Box for 6 months, and you'll likely be eligible. HTB is legit AF--put it on your resume. My coworker switched from SOC to Red Team this way. Likewise, do tryhackme [if you're new this is the best place to start prior to HTB]. Or blue team projects like BTLO. Set up your own home SIEM and monitor your own environment, then you could prolly get a SOC Tier I position making more than you make at help desk and also more interesting. That said, SOC Tier I's will likely be fully automated quite soon, but it's still a great entrance into Cybersecurity prior to specialization.

Point is, do home projects via virtual labs or monitor your own network, and that's pretty much all you need. Internship would work, as would the CompTIA Trifecta. Trifecta should only take roughly 50-100 hours per cert.


TubbyPachyderm

Not true on the help desk. I got a position as a security analyst right out of college without certifications. I was in a dual bachelors program for IST and Security Risk Analysis and that got my foot in the door at a large corp.


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


Living-blech

On the note of WGU, I've heard a lot of good and bad about it. What was your experience like? How has it impacted you?


coffeesippingbastard

It happens but usually it's CS majors with electives that focus on encryption and security. Those stories are not uncommon at all. Your average get a cert types on this sub- it's far more luck dependent.


ViperDuck99

Same here. Straight out of college with only a 4 year degree and a couple published research papers and first full time job was security analyst.


potatoqualityguy

Large corporations often like to recruit right out of school, as they can train and promote up the chain to maintain employees. In theory, this was the future I was promised in the '90s - go to college, use your degree to get hired at a company, work hard and get promoted, buy a house, retire. In reality, I graduated college in 2009 and I needed 2+ years of dishwashing experience just to get an interview to be a dishwasher. I'm sounding more and more like a grandpa every day with these stories "It was a rough couple of years back in the great recession, sonny boy! I tell ya what!"


Good_Roll

> that I'll have to put in at least 5 years of work in Help Desk, IT Support, and/or Systems Administrator types of jobs (not to mention ample studying for certifications and other fields) before I come close to sniffing that.

this isn't true anymore if you have any sort of formal education in or tangential to cyber (military background, college, etc.)


flashz7

It's possible you spend 5 years working on non-security roles, but don't limit yourself to that right off the bat. Keep working and updating your LinkedIn, and if somebody wants to hire you for a security role don't be afraid to jump on it!


helaapati

Cyber seems cool until you realize many areas involve a lot of rigid processes/frameworks, documentation, & bureaucracy. It feels like the Accounting version of IT. I ended up going the DevOps route, because most people I knew in the cyber space.. their work environment had the energy of a nursing home. Also, there were far more remote jobs in DevOps.


TubbyPachyderm

I work in Governance & Cyber Security and “accounting version of IT” is the most accurate description I have ever heard.


ipsok

I have been in IT for 25 years, mostly working for banks, and I have dabbled in cyber security at times... I'm so glad people like you exist to work those jobs so that I don't have to because the tedium would drive me insane. Thank you for taking one for the team, I hope you are well compensated.


neon___cactus

Looking at the SOC2, it was literally developed by the same people that developed the SOC1 (surprising I know) and the SOC1 is all about finance control. Further a ton of CPA firms and auditors get into IT security as the controls are very similar to controls found in the finance department.


Fit-Location-5158

This speaks to my soul. I did cybersecurity early career. It wasn't what I thought it was. Honestly I don't even think it should be called cybersecurity, information security would be a better title. Less technical stuff and more implementing NIST controls. I do SRE now and it's way better imo, actually get to do things instead of write angry emails all day about vulnerabilities not being addressed.


[deleted]

[removed]


scooter950

Oh I do this and RMF. Your last sentence could not be more accurate


qwesone

Kindly inform me of what your day to day is with DevOps?


helaapati

DevOps is really a culture/philosophy that has created work models & best practices for delivering code faster, more reliably, and with better feedback loops & automation. I definitely do that, dealing with CI/CD pipelines, building out application metrics/monitoring, & creating dashboards. But since DevOps is an idea, and not a *thing to be,* there can be variance in what responsibilities a "DevOps Engineer" has. For me, those other tasks can look more like a Tools/Platform/Software Engineer. For example, I am often:

* Building ETL integrations to feed data between systems
* Writing CLI & Web tools to make life easier for people with repeatable processes
* Reviewing designs to make sure they're production ready
* Checking out tickets/stories & committing code

Basically, I spend most of my time in an IDE or terminal window.


gc04

Half development, half operations


thelastwilson

With the occasional slash when I need one.


MDParagon

Hey I like your flair haha


Miserygut

Terraform, documentation and meetings.


Refalm

Lots of yaml and json.


Sinnedangel8027

It's almost entirely backend support and project work. My end users are devs that I build tools or improve processes for. I work mostly in "code" using terraform and ansible. But I also have developed a few custom apps in python, ruby, and node. You might find yourself doing some SRE work depending on your company and team composition. At the end of the day, I find it far more rewarding than when I was a sys admin or systems engineer. But your mileage may vary.


Sysxinu

Use YouTube to understand what we do, when I was looking into it there were a lot of good videos along the lines of "the day of a devops engineer"


NiceGiraffes

Cringes in Compliance


Ok-Hunt6574

The 12 rings of audit hell.


scooter950

While the remote part may be true, I have a part time work from home gig. I go in the office once a week. However, your first point is true. I got in cyber 6 years ago. I managed HBSS, ACAS and other auditing tools. Then I moved to RMF and oh my goodness it's dull. Not boring, but dull. However, it is the most important section of cyber regarding the gvt. eMASS is like a person you get along with but they're a lil schizo so you don't know how it's going to ruin your day.


shadowtheimpure

I decided on End User Support, personally, because I like the challenges that come about from it. No two days are exactly the same, since the issues that users encounter are always changing. I'll never get rich, but I make a good living.


cruzziee

What languages are known to be used in devops? and how does one get to be a devops? I know I can look this up, but I would like to also hear it from someone going through it at the moment. TIA if you respond.


helaapati

It really depends on what platform you're using for CI/CD and what your stack is (what the app is written in and what it will be running on), but there are some good bets you can make. Typically you'll need to know how to read YAML/JSON, and know a popular language that can be used for scripting (Python, JS, Bash). As for how to break into the DevOps space... the easiest is to move in from Software Engineering. Moving in from sysadmin type of work is another path, especially if you were able to be "dev adjacent" by dealing with the stack in some way, or automating tasks via scripting. You can scroll to see my response to "qwesone" to get a feel for other things I do. There are pure DevOps jobs that deal with pipelines, but there are also many (like mine) that are a blend of positions & responsibilities. My day-to-day languages are: Go, TypeScript, & SQL.


Slothinator69

Yeah, same. I did networking for a few years before moving to DevOps and as nice as people made Cyber Security sound it just wasn't as interesting to me as actually doing Ops work. Plus the pay is comparable if not better being in the DevOps world..


helaapati

DevOps is OP when it comes to pay & remote opportunity; it has reached the point that it's comparable to being a SWE.


siposbalint0

I'm in security consulting right now. My day to day job is basically being done in almost exclusively Word and Excel as these roles are 95% governance and compliance. I hate it tho.


peepopowitz67

Reddit is violating GDPR and CCPA. Source: https://www.youtube.com/watch?v=1B0GGsDdyHI -- mass edited with redact.dev


citrus_sugar

Writing reports on how you tested their one server dev environment and nothing to the publicly wide open cloud made me move out of pentesting real quick; pentester is either equal or just a tiny half step above cybersecurity analyst.


[deleted]

To be fair, I worked my entire career on site until covid hit. I've worked on every level of IT from Helpdesk to C-Suite. As Covid ended, I downgraded to a technical position in cybersecurity because it allowed me to work remotely at almost the same pay level.


PolicyArtistic8545

I’m in security and it’s definitely a ticket to being done by 55, maybe 50 if you sacrifice lifestyle a bit.


zeexwifi

Keyword. THINK.


[deleted]

Security is the only IT role you'll usually see in tv shows or movies. "Stop the hackers" by typing furiously and spouting technical nonsense is a thing. Nobody makes a movie about people implementing policy or doing tech support


lmkwe

Ya but The IT Crowd is brilliant TV...


[deleted]

Kinda the exception to the rule, but yeah it's a good show


OPSEC-First

Best TV show ever!!!


[deleted]

Yes absolutely best show ever


Nanooc523

Mr. Robot is the only show that’s done their research and portrayed hacking legit. Everything else is ridiculous Hollywood nonsensical feverdream bullshit.


ipsok

If you are old enough and had the misfortune of watching the movie Swordfish you will feel this comment in your soul.


Lagkiller

Silicon Valley wasn't security and was mostly programming


MattKozFF

it was novel for doing so


Jeffbx

Yes - most people think IT consists of Security and Helpdesk, and no one wants to do Helpdesk, soooo Security it is!


[deleted]

I think Limitless, the tv show, is the only tv program I've ever seen to accurately portray it. "As it turns out, hacking is incredibly boring! So instead, here's some pictures of kittens."


bcjh

That show was cancelled too soon.


professorhummingbird

Right now the meta for tech influencers is “Cyber Security jobs are in high demand and always will be. Plus it’s easier! You don’t even need to know code”. When enough influencers repeat this on TikTok kids start to take it as gospel. Especially given the doom and gloom media of “tech layoffs”.


DietZer0

So how true are those claims?


ozweegowarrior

Honestly scripting is a must have these days, all my roles have required it or preferred it.


Unlikely_Sentence_15

What do you do? Only like 25% of my roles have asked to know some scripting.


Johnny_BigHacker

It's automation/productivity gains. I wouldn't call it absolutely mandatory but certainly helpful. More at the engineer/analyst role than the architect/advisor/CIO roles. It's a bonus if you can write simple scripts to do stuff for you (i.e., take a bunch of hostnames and translate to IPs or ping them to see if online/reachable or in the DMZ. Or communicate with a basic API that a security SaaS service offers that you use). Or take someone else's Github project who did the heavy lifting and make enough basic retrofits to do its purpose in your environment (my most recent was use someone's project to take 3 GBs of small files and split them into 20 MBs max zip files). Or write basic SQL SELECT statements, don't have to wait on a DBA. Joins get tougher, I'll usually ask DBAs to create a view for me or something like that.


Nanooc523

If you don’t know how to code at even a rudimentary level I’m passing on your resume unless I need a button pusher which get paid dirt.


Early_Business_2071

I’ve never had to do anything besides some very basic scripting in my cyber roles, and make 200k +. Granted I agree that coding is a very useful skill to have in the cybersecurity profession. You can definitely get by without knowing it.


vasaforever

Because there is a shortage of skilled InfoSec staff and as such the Federal government has been funnelling millions into cyber programs to encourage more people to enter information technology.


Professor_Ultronium

There’s many reasons including this, problem is, there needs to be more training/laws to get CEOs and executives to actually give cyber security/infosec employees the tools to help even the very asymmetric playing field. But I’m probably asking for too much, most companies learn after being hacked.


[deleted]

[removed]


vasaforever

Being on the engineering side of the house, I saw a marked change in Infosec policy, implementation, and integration from the changes due to larger compliance. My previous role was at a retail company, and there were big changes as PCI Compliance expanded, and auditing became standardized from the early 10s, to when I left in '20. Part of my work now is with Zero Trust Security integration, and I think that there has been a big shift over the last decade, but there is always pressure to balance it.


ranhalt

People see the role as the “hero” of the IT world. No one celebrates any other field of IT and people want high profile and high pay not realizing that no one hires someone with no IT experience in a high profile position.


Nanooc523

Correct, I'd rather hire someone with a few years general IT knowledge than someone out of college with a cyber degree. They’ve been in the trenches and understand the consequences of dumb moves in IT. I’d encourage people who want long term careers in cyber to start the hard way. In IT.


ModularPersona

When I first heard about information security as a career decades ago, I was told that there's a huge demand and that you can make six figures right out of school. Now I see that little has changed, except that more schools and training programs have tried to cash in on the trend by promising a $70k+ salary to start just by taking a course or a bootcamp and getting a cert (after paying them to train you, of course). The sales pitch is always the same - there's a severe shortage of security personnel, the average [insert security certification] holder makes $100k/year, etc. What they don't tell you is that the shortage is with experienced professionals, there's a surplus of beginners looking to break in, and nobody bases your pay scale on the certs that you have. And it's not nearly as exciting as you think it's going to be.


bender_the_offender0

I honestly question the demand in and of itself even for experienced people or at least question it on the same level as business critical jobs. Not saying cyber folks aren’t getting hired but just that companies are fine waiting longer or going without. Businesses/hiring folks know we need this dev to build this product, we need IT support, networking infrastructure to support those products and we need security to keep it safe (unless it’s a security product/company). I’ve seen the argument first hand where it was cuts need to be made, can’t cut dev because then no product, we can cut support a bit and infrastructure a bit but still need them. Cyber if we cut that then we are taking a risk but we can always write that down to fix later.

It’s also why I’ve always thought cyber was a lot more unsafe on a job level. At the beginning of covid my company wasn’t looking great and said we need to layoff some folks. Cyber was disproportionately hit because everyone says cyber is essential and all that but ultimately the business can survive without it.

Although that place also had a lot of cyber fat to trim. It was someone's brainchild to advertise cyber capabilities but didn’t quite work out. Basically 4 departments of cyber created and all had 1 or 2 out of 10+ people actually decent and most of those left after event after event got their access and abilities taken away. They were initially in charge of firewall policy but had a number of cases of blocking critical traffic so that was taken away. Part of their mandate was IAM but were basically found to be giving anyone who complained admin access. Then to fix that they ran untested scripts that broke tons of things. They tried to be a part of design and other high level discussions but didn’t know the systems or business well enough.

Eventually there were 30 or so people staring at logs all day creating tickets to other groups for things like can we block port 443 to these servers because we see a lot of traffic going to them. Or we see a lot of activities to these random high number ports but didn’t know/realize it was return traffic from things like web servers. Covid hit and 30ish people became 4 and security rolled back to under IT.


WollCel

It really depends on your industry. Personally my team has been hiring nonstop since even I was hired in. I got a job almost a year ago with two other people then two people moved to higher positions and they started to build an entirely new team. Reason why? Government regs and the danger of bad publicity to our business relationship. If you’re in a software company say like Salesforce then you’re probably not in a hiring frenzy because major security breaches are less common and not as big of a deal. If you work in the medical or legal field then you’re probably desperate for more help.


Nanooc523

Your story kind of punctuates the need for qualified cyber professionals doesn’t it. Hiring contractors or people with paper thin qualifications can burn a company to the ground. Almost as bad as being on the front page of the newspaper for exposing all your customer data.


Jeffbx

Yes - I've heard that there are 700,000, 1.5 million, maybe 3.5 million open security positions in the US and there's no way they won't get a job. (insert eyeroll emoji here). Those numbers seem to be based on some idiots assuming that the demand for security professionals is going to just keep doubling every year for the foreseeable future. The reality is that the [TOTAL employment of security professionals in the US is about 160k](https://www.bls.gov/oes/current/oes151212.htm), with a [very high growth rate](https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm) - but that growth rate is about 57k new jobs *over the next 10 years.* Meanwhile, we're graduating people with cybersecurity degrees at the rate of about [28,000 per year](https://nces.ed.gov/programs/digest/current_tables.asp). So assuming a static enrollment for students, we're going to have 280,000 graduates available to fill 57,000 positions. Of course, there will be people retiring from that base of 160k, so we can add about 20% more from that pool, which is an additional 32,000 jobs. So we still have 280k people to fill about 89k jobs - and that's not even considering the people who are not getting a degree. That's very difficult to track so I doubt anyone has numbers on that, but at an absolute minimum, you can add another 100k to that number of job seekers. Tons of people with security degrees are never going to work in security. It's very profitable for schools, certification centers, and even the US military to create this illusion that there are way more security roles than can possibly be filled. In reality, it's saturated at entry level & it's becoming saturated at higher levels as well.


Starkes411

> It's very profitable for schools, certification centers, and even the US military to create this illusion that there are way more security roles than can possibly be filled.

Exactly!


UptimeNull

Yet I keep trying due to stupidity!


djgizmo

In short, infosec/cybersecurity is popular because it has a higher than average pay compared to sys admin / net admin, can be done from anywhere. Doesn’t have any infrastructure to actually manage or maintain outside of splunk or other SIEM tools.


Johnny_BigHacker

> Doesn’t have any infrastructure to actually manage or maintain outside of splunk or other SIEM tools.

Hell, I wish. Our security engineers are responsible for VPN gateways, WAFs, Drive encryption (servers only - helpdesk does endpoints), DLP, AV, vuln scanning (getting a scanner in each firewall'd tier and getting it to talk back to a centralized reporting server). Splunk/SIEM tools. And getting everything to talk as needed.


djgizmo

Sounds like your sec department does a lot. Most sec departments I’ve interacted with are in charge of policy, not configuration of the vpn/waf/firewalls etc. DLP/AV/Vulnerability scanning falls under their responsibility, but systems has to set those VMs up initially.


Special_Rice9539

It's the same on the software side when people want to get into machine learning or ai. People have no idea what the day-to-day realities of the job are like; they just know the end results from a consumer perspective and think it's cool.


[deleted]

Oh my god especially right now. The programming side of reddit is a lot of "should I even learn to code since GPT will take my job" or "how do I learn to program and make things like GPT in 2 weeks"


Primary_Excuse_7183

For people that weren’t making the kinda money they dreamed of, nor had the schedule flexibility. The advertising of “there’s over 1 million unfilled cyber security jobs and growing” sounds like a silver bullet to a newcomer, or someone looking to make a career pivot with job security.


[deleted]

Exactly. Plus whenever there’s a Reddit post that asks what people do and what they earn, “cybersecurity, $200k, easy job, millions of openings, hiring managers are desperate to hire anybody with a pulse” is a reeeeeeally common answer. I’ve seen it often for a few years now and honestly looked into possibly going into it at one time because of those types of glowing endorsements.


foolyx360cooly

Most posts here recently are "I have 0 experience, 0 knowledge, what do I have to do that doesn't require much effort and time to have 6 figure salary asap! Thanks" and most people heard that cybersecurity pays that so they think it's just 1 paper away for them to have 6 figures


dinosore

This is true. I know people who have paid thousands of dollars to attend boot camps and are aghast that they have to continue to put in effort to land a job that pays close to/above 6 figures.


MrKindStranger

I have a degree in Networking and Cyber, whenever I tell people this the reaction is “Ohhhh Cyber! That’s really nice!”. Money. People associate cyber with 6 figures starting. Personally though…all of my cyber classes felt like beating my head against a wall - I want nothing to do with it beyond ‘cybersecurity is everyone’s responsibility in IT’.


[deleted]

It's got more areas than a lot of other IT domains (offensive, defensive, IR, analysis and research, management, GRC, general engineering, devsecops etc) and all but GRC are pretty interesting. Most IT positions are support focused and the idea of being a pentester or incident response lead is a heck of a lot more impactful when needed than your everyday sysadmin. I don't know a single person in the domain making less than 85k-150k from admin/analyst to director. The military hoards these people, makes pretty much every civilian working with them get training in it, has certification after regulation, after STIG you have to comply with so you need six ISSOs, an analyst, an infosec lead, training for everyone and a whole new program to manage it.


Cyber-Pete

Except all anyone talks about is hacking and pentesting it seems


[deleted]

[removed]


merRedditor

I'm just sick of coding the same crap all the time and I think it's neat.


MattKozFF

I find this ironic: a cyber security specialist trying to get back into software dev. Cyber security is just as repetitive.


shmuey219

Cyber security has job security. John McAfee the same guy who sold anti virus was the same guy who released viruses. You make the problem and then sell the solution.


DrSecrett

The term "Cyber" 20 years ago was definitely more sexy than it is today. The term used to mean any form of texting/video chat sex. https://www.urbandictionary.com/define.php?term=cyber


Refalm

I put on my robe and wizard hat.


xtc46

Everyone wants to be a hacker. That's about it


[deleted]

[removed]


renocco

This is what it was for me. Was in college for networking and just realized all I was doing was following a basic process to probably retire working equipment with new equipment, and maintaining updates at an MSP or something similar. Cyber has an unknown factor in it. There's purpose outside of the technical requirements and a way to actually make a meaningful positive impact in the world.


ActivityLiving4517

Cuz it sounds cool. And it brings images of conflict against hackers which is cool. I do networking. Does networking sound as cool? The only conflict I have is arguing with Comcast


Nastyauntjil

If you're in networking with no conflict you must not use Cisco.


_____dragon

Yeah I hear a lot about Cybersecurity in my everyday life and a lot of people older than me who are in tech seem to be making bank from the field. It sounds cool, but I personally think DevOps sounds cooler. That’s just me though and what I am personally interested in.


N7Valiant

> Is it just a result of the marketing from schools and bootcamps? Is it the way it is portrayed in movies and TV?

Partly the former and partly the latter. Both have kind of a twisted relationship with each other in that your college wants to sell you a Cybersecurity degree as if it's even remotely useful with no technical experience. They also repeatedly fail to mention how hard the real work is and feed you worthless books on CEH that just does a surface level coverage of the tools involved. Once I actually took the OSCP, I understood that I was a fish out of water.


brotherdalmation23

I think I can comment here. I was in traditional IT for a decade then moved into Cyber for the last 5 years. There is definitely a sexiness factor on perception of the average person. What I mean by that is when I worked in IT, no matter how high I got…systems admin, network architect etc it felt like people viewed me as a guy who fixes printers and plugs in monitors. In cyber, now I get the wow factor when people ask what I do. It’s cool being a hacker, it’s not so cool being an IT nerd, even though they aren’t far apart. Then there is the money factor, it does pay insane amounts at the senior levels, which is obviously attractive to people.


Starkes411

You hit the nail on the head!


[deleted]

I think it’s strange that IT and cyber are no longer the same thing. Incident response teams do kinda need their own carve out, but everyone else in cyber is just doing traditional IT jobs. But sometimes cyber has less power to implement change. IT implements everything, and must always secure their implementations. This has always been and now that there are Cyber teams it’s still the case. IT still secures their implementations. Cyber's value add is in being an external evaluator, a 2nd set of eyes after IT has secured it.


cuzmaster14

In my opinion, I believe this is incorrect. IT is simply based around making things work for the business. The reason IT security and cyber are so big right now is because of all the “traditional” IT people and poor support from the business. They shouldn’t be the same thing and it’s the reason all industries are so vulnerable/behind the times when it comes to handling good IT hygiene. I’ve talked to many traditional IT/only IT people and they are normally not the people you want securing your systems. However, that’s not to blame or shame them because a lot of times they are pushed into tough situations such as bad company culture towards IT and/or understaffed and pressured to “just make it work”. It’s just the nature of the way they think and their job. Again, it’s to support the business and make things work. Security steps in and is able to work with IT and the business (sometimes not always successfully) but no, IT, IT security and cyber security are not all the same job and honestly shouldn’t be.


Nastyauntjil

The fact that you think IT secures their implementations by default is very naive, at least from my experience. IT is focused on the operations side and does what is necessary to support the business. That includes misconfigurations, unnecessary exceptions, and numerous other insecure practices.


3pxp

I've been in the field for a long time. There's always been some hot new trend that avoids just getting a CS degree. It was get a CCNA for a while. Then it was be a network design guru. For a while it was do a programming boot camp and do dev ops. Right now it's go into security. For a hot minute it was clouds clouds OMG do things with clouds. Whatever recruiters are saying is so hot and easy always means it was over saturated by the time a recruiter learned how to pronounce it.


[deleted]

John Hammond convinced me lol


PoniardBlade

There will always be a need for someone to secure a network... job security.


Biscuits8211

Openings and money, however the deeper I get into IT I realize my BS degree in cyber security might be useless


No-Manufacturer3822

Why is that?


TehGrimBear

Ya I’m in cybersecurity management for product security. It’s just me arguing with people all day about hardening operating systems. Not sexy at all.


[deleted]

I don't get it, honestly. By all means, cybersecurity is a great field. If that's what you want to do, and that's where you want to go, by all means, go do great things. Additionally, we all need to *understand* security whether we're actually in those jobs or not. I wouldn't be much of a sysadmin if I was just leaving my servers open to the world. So it's as important a fundamental for everyone as something like networking is. I think a lot of people imagine a cybersecurity career as sitting in a basement hunched over a keyboard wearing a hoodie and taking down Russian communications systems or shady banks or something. In reality, even pentesters spend most of their time reviewing and updating documentation. Not much different from guys joining a combat arms branch of the military thinking it's going to be like the movie Platoon, and instead they end up mopping floors in Kansas. Personally, I prefer networking and cloud. Connecting things. Offering information to the world. That's cool to *me*. If a newcomer really wants to get into security and is willing to commit and learn, I'll give them the best advice I have and really wish them the best. Just not my personal ambition. Also, some have mentioned money. If you do well in this field, *anything* will end up paying well. I worked with a guy who insisted that if I wanted to get paid well, I had to shift towards security. I'm pretty close to someone who's done well in IT but isn't in security, and I mentioned their total comp to this guy one day, and he was shocked. If you want money, as I suspect a lot of us do, put your head down, never stop learning, and you'll get there, no matter the specialty.


Starkes411

Well said!


buckmaster86

I do see a lot of answers of advertising or it's the "cool" thing, which may be the case for a lot of people, for me personally the drive comes from growing up constantly reminded of threats in my environment, phishing and don't click links there may be a virus, and knowing that everyone is trying to get my data and sell it, so I have started down this path to be knowledgeable and secure in my personal life and for others that don't have the want or skills to obtain the knowledge, they should feel safe too.


sold_myfortune

I feel the same as OP. I don't get it. I've been a senior security engineer for eight years and it's really the most thankless job. If you're making security products or consulting and bringing home the bacon for your organization then you're a rock star. Great. That's maybe twenty percent of the industry. The other eighty percent of the industry costs companies a lot of money that they'd rather spend somewhere else. And if you have a great year and do everything perfect, nothing happens. No data breaches, no ransomware, just calm orderly business for which no one says, "thank you". If you actually have an incident because some numbnuts got their new unencrypted laptop swiped from the front seat of their car then there's hell to pay. Yes, the jobs pay well but that's because the vast majority of people actually qualified to do even entry level infosec have no less than three years of experience and four to five years is a lot more common. But devops pays just as well and SWE probably pays better overall for comparable or perhaps even less effort. And it's exhausting. Every new zero day, every supply chain attack like 3CX, every new exploit is something you're expected to know and might be asked about at the next job interview or by a coworker. You constantly have to prove yourself. The only reason I'm not doing something else is that I'm too stubborn to quit. So I don't get the fascination. Also I hate the term "*cyber*security", it's silly and pointless. There are no cyborgs, nor are we keeping them safe. Securing information about business and people is what professional information technology security workers do.


JeffSergeant

Talking about cyber security is great fun; doing cybersecurity is often incredibly tedious repetitive work. Or “Everyone wants to be a millionaire physical security penetration tester, until you tell them to hide in the dumpster for 12 hours”


deptoflindsey

Did anyone else read the title in Jerry Seinfeld's voice?


leoingle

No, but I can see why someone would. Lolol


Starkes411

That's fair... "What's the deal with the obsession with Cyber Security?"


IT_CertDoctor

Agreed with advertising - unless you work in ethical hacking (and even then probably not), cybersecurity is anything but sexy.

Loads of paperwork; loads of looking for a needle in a haystack; loads of existential crises because when you're not catching bad guys you question your purpose at the company, coupled with trying to justify your existence to people who also think your role is unnecessary.

I personally have found much more fulfillment in DevOps with security architecture - it's fun shadow-boxing the bad guys and trying to build fences. It's not so fun having to watch the fences daily


AAA_battery

Because everyone thinks cyber security is pen testing. When that is just one small role under the security umbrella


wrongff

I feel people are fixated on cloud more. Everyone keeps talking about cloud this and cloud that, and yes, I played FF7. I saw Cloud.


Starkes411

Yeah I think cloud has its own hype beast too, but I think cyber security has more hype.


WangSapp

May I ask what's so bad about it? I am trying to break into IT and have researched tons of careers in the industry but cybersecurity definitely caught my attention the most as it seemed very interesting -- not just the name but the job description itself


Starkes411

There isn't anything bad about cyber security at all. There is however a lot of incorrect information and misconceptions about it, largely thanks to college and training advertising. (Which has largely been addressed in other comments.)


WangSapp

I see, thanks for clarifying. I do see a lot of people advertising it as a one-way ticket to being rich lol and also grabbing people’s money for their programs that are bogus and same contents that could easily be accessible through little research which is free.


lesusisjord

Cybersecurity is part of being responsible for any computer system. They are just trying to get some benefit for going down the cybersecurity rabbit hole sold to them by their local college that targets adult students.


nealfive

It promises high income right off the bat so people are drawn to it. Many fail to realize it’s hard to secure what you don’t know, that’s why it’s hard to directly start in infosec, usually you work as admin for a while and then move towards infosec


drlove57

People like Boyd Clewis are promoting the hell out of this, with those who have no IT background at all.


mynameistrace

It’s because they think cybersecurity is gonna be like the movie Hackers.


JiMyeong

As someone who is currently getting their major in Cyber Security. I got into it because I wanted to get into IT, found I was too stupid for a computer science, so I switched to Cyber Security. I know taking classes are different than actually having a career, but I'm actually really enjoying the classes. I can't code for shit but I'm working on it. I also wanted a job that has flexibility and is in demand anywhere I go. I want to live and work abroad, so that's mainly what steered me towards cyber security in the first place. This may not answer your question, but that's at least why I'm doing it.


Starkes411

Sounds good. I will say, as far as jobs that are in demand anywhere/everywhere IT and CS always top that list. I don't know many places that don't rely on IT infrastructure. They are as critical as electricity and plumbing in the modern world.


RiseAndFallMan

I’m cyber security and am about to retire for good at 47 years old.


Nanooc523

I’m right here with you man, same age, about to pay off my house, bought a new ScatPack in cash, looking at enough in 401k to retire happy and thinking why do I need to work anymore. 20yrs in cyber and ahead of the curve. All the BS in this thread about paperwork and fake tv expectations. You’re all doing it wrong lol.


suteac

It’s an advanced role that you usually need years of experience for, hence why it pays well, but you’re not gonna get in with just a cyber security degree that these colleges are offering. A lot of people have to pivot from net admin/sys admin jobs into cyber and then work from there (2-4 years total). Beyond that cyber security is a TON of paperwork and bureaucracy. If you like dotting your i’s and crossing your t’s on a thousand papers, that’s cyber for you lol. I don’t know exactly why colleges are pushing it so hard, but what I do know, is all of my friends in college who went for cyber either didn’t get into IT or pivoted to systems/networking. Hell there’s even some cyber guys in my current office who had to pivot from cyber into networking. I feel like I’m the only guy who actually enjoys restoring internet to people lol


Djsinestro_techno

Everything looks swell until you are poring through log files because someone didn't create a way to auto parse em.


DarthNarcissa

It's where the money is.


AngryManBoy

Advertising and trying to fill jobs. Schools are jumping in the bandwagon creating cyber programs that offer 0 job placement and most don’t even start in cyber upon graduation because they have 0 experience


TKInstinct

I honestly feel like IT and CS or even STEM to some extent are fetishized at this point. I think that people think that it's a job with minimal work and maximum pay and that's what's attracting people. Cyber Sec has been hot in the media but the IT and CS fields have been hot for a long time.


mmahowald

Dude... my company just had a major cyber security attack. We lost 2 weeks of data from a global manufacturing company with a global supply chain. It's still a mess. Don't shit on cyber security till you have lived through an attack like this and know that your passwords and data are vulnerable.


Starkes411

Who is shitting on cyber security?


sgthulkarox

We have a good PR team.


Starkes411

I can see that, lol.


royalxp

Because people think it's cool and they saw the Mr. Robot show etc. In reality, it's nothing like that at all lmao


[deleted]

There are a lot of reasons, but to name a few;

* It's sexy. People who want to enter the IT industry through Cyber typically have seen shows like NCIS or Criminal Minds and want to "bypass the firewall and clone the subnet mac". They think they're going to get a couple certifications and immediately start doing all the fun looking work like going after hackers and finding exploits. Their interest is born of ignorance and once they realize cyber is mostly really REALLY boring paperwork, they bail.
* It's easy. Lower level cyber jobs don't get a whole lot of access, are relegated to writing RMF documentation, and are paid fairly well for what they do. After a bit, you can move on to policy enforcement, STIG implementation, scanning, etc. Remediation is typically handled by a sysadmin team but it's not entirely unheard of for security to have a hand in it, depending on the environment. Personally, I've never been paid so much to do so little in my life.
* It's in demand. Tech boomed faster than we realized what could be done with it and its implementation outpaced its security. We quickly realized what kind of catastrophic damage could be done with computers and computer systems and security has been playing catch up ever since. We're in a decent place now, but it's a constant cat and mouse game. We patch one vulnerability and the attackers find another. Then some new firmware or operating system is released, a zero day threat is realized, and we start the dance all over again.


rooms_sod

It is media hype, get rich quick campaign marketing. Reminds me of MCSE boot camps for Server 2000. There are too many Cyber Warriors, pun from DOD that are glorified IA pencil policy pushers.


Klutzy_Spare_5536

I'm half joking but half serious, but it's a nice phrase to say; just say it out loud, slowly. On a more serious note (I'm non IT looking to get into) I think the appeal for me is that it's a growing need, there's a talent gap and I'd prefer that over help desk work. Of course, there's much more to IT than those 2 sectors. Also, I live near DC and have a close friend in Cyber, so exposure is there. I'd say in general, it's due to a new tech bootcamp wave, and it's being marketed heavily and being lumped in with "sexy" careers like Data Analytics and Web/Software Development.


korr2221

Ads promising six figures. Little do they realize once market gets saturated. They will be fighting themselves. The IT department needs more than just a security team.


mushroommadam

The cybersecurity guy at my job said he would’ve picked a different route if he’d known the reality of the job. He’s always knee deep in Excel spreadsheets and all he does is read and implement policies. He said it’s boring af


WokeAsFawk

I've noticed this too. I think it has to do with the amount of traction cyber security had over the past few years, coupled with the rumors of how much they make (which is true to a certain extent), and the recent cyber attacks we had. Also, I think it's also because people in general forget or don't know about the other roles in IT


yolo-reincarnated

I am also so annoyed with people who come here and are like..... " How do I get into cyber security within 2 years. I've never worked a day in IT." I think part of it is the glorification in culture. Especially after Snowden. They think it's cool and sexy but don't really understand what that area of IT actually is like


JakeIT009

I know 3 friends who finished their cyber security training but ended up working as Help Desk Tier 1. It has been a few years and they've not gotten any closer to their dream job in the cyber security industry. Not to give up hope but, it is a hype more than anything. In my personal opinion, you'll need more than just a degree or a certificate in cyber security. You'll need more than just basic IT and some administration as well as networking background to fully grasp the role of cyber security. While some may get lucky and land a cyber security job, the proper way is gaining some IT skills before elevating to cyber security.


Starkes411

Yup, the hype is real!


vasquca1

I think the "for-profit" IT schools have picked that term to basically maximize enrollment. It seems to really appeal to folks thinking of jumping into the IT field and these schools are using social media to constantly bombard these folks to the point it is like using the term kleenex.


EMT2048

Entry level cybersecurity = keeping your systems patched and performing basic change control and access minimization. It's what we use to call "sysadmin" work or "network hygiene."


Starkes411

That's the crux... entry level cyber security is just old-fashioned IT work, and newbs often don't understand that and are confused why they can't just jump into cyber security roles.


eggnog_56

I mean my buddy got his undergrad and masters paid for and started making over 100k. People see that kind of stuff and think it happens to everyone who goes into that field. Reality is he is just way better at it than most and the right people noticed


Starkes411

It's also easier for people with active security clearance.


imthetrashman12

Personally, it’s the job I wish I had been assigned in the military and when I went up for re-enlistment I tried to switch into it but there were almost no spots open. I worked with a bunch of IT/network/Intel guys and I’m aware it’s not super glorious or what it looks like on tv but to me it’s always been something of interest. So now I’m waiting for school to start so I can finish my CompSci degree and hopefully do something interesting in the field


Starkes411

Good luck. Sounds like you have the right mentality.


groovieknave

I don’t know about advertising but in my state school is free for cybersecurity. Kind of hard to say no to 20 grand degree at no cost.


Starkes411

That's valid!


mxbrpe

Because “that’s where the money is”. Heard that all the time in college. Yeah, the money is there… after a decade of experience.


Hier0phant

Buzz word, they think it's the key to getting rich in a career.


beaverbait

They sell it hard to seem cool! Red Team, Blue Team, Zero Day Vulnerabilities, Attack Vectors, HUZZAH! It sounds so fucking cool for a nerd industry. In reality, it's writing a shit ton of reports and dealing with shitty SASE products, and/or sifting through logs. There is a ton of shit out there being probed and attacked. A lot of this stuff hasn't changed as much in 20 years as the media around it all would have you believe. The rootkits and trojans I was clearing with sketchy Russian tools and Sysinternals tools in the early 2000s share a lot of similarities with the current attacks. It's 90% marketing, and marketing works. The security teams also feed into it, who wouldn't propagate their own coolness? At the tippy top of it all when you look at pen-testing and actual research it IS kind of exciting, but that's not most of what is actually out there for career paths. Some of the tech out there is really cool, that's what they want to sell so that's what is shown off when you look up Cyber Security. You look at blogs from lead Cyber Security firms and see more exciting stuff that sounds super fun to work with. Getting paid to try to infiltrate a corporation's infrastructure sounds like a dream job. Those are not typically what most security guys do day to day but it's the most publicized. Nobody wants to read a blog about the long standardized report you filled out about Mary in accounting finding a dodgy VPN to download on her BYOD device that wasn't properly enrolled in MAM and how she got some random trojan from the software, lied to you about how she got it, and the steps you took to find the source and have the network team block it. Then again, people on the outside of IT typically have the opinion that we do cool shit because of movies, or we do some kind of magic that they don't understand.


Yaboi907

I am a cybersecurity student and I chose it just because I wanted something in tech that seemed to mesh well with my personality. After I started the degree, I started to get nonstop advertisements about it. I didn’t realize how popular it really is for newcomers. I tell people I decided on cybersecurity because of the show Mr. Robot tho lol. But yeah, it probably is the incessant advertisement mixed with the “get rich quick” aura surrounding it. As for the “sexiness,” I do think a lot of people come to the erroneous conclusion that it’s all Pentesting and you get to be hackerman.


OverallAd9603

I went straight into Cloud Engineering then moved to security within 2 years. Completely skipped help desk, not sure why everyone thinks that’s the only way in


Starkes411

It's just a common way in.


etaylormcp

IMO there is a rush into IT for the money. But there are only a few areas of IT that are truly 'safe' and profitable. Cyber brings in big paychecks and no company is ever going to say we are safe enough let's get rid of our cyber team. So people see it as a way to a fat payday that lasts. They don't understand the reality of what Cyber is or how to actually get into it. And as a result there are literally hundreds of thousands of people clamoring to get into IT because they want to cyber. We are already seeing some of it but there is yet to be that whiplash reckoning that shakes out all the rookies that rushed in and or lied on their resumes etc. like there was back in 2000-2004. It will happen and when it does there will be bodies everywhere but for now the goldrush continues.


Thunderfury1208

I'm pretty sure it is because of tech influencers. "IT JOBS ARE IN HIGH DEMAND" "COMPANIES ARE WILLING TO PAY YOU TO TRAIN IN CYBERSECURITY" or "GET A CAREER THAT IS RECESSION PROOF" and then many get highly interested when they see the pay. Once they start figuring out that cybersecurity roles are more like mid - senior level roles and see that you don't just easily get hired on for those they start to get demotivated. Which is true most IT jobs are either helpdesk or desktop support before they even transition into a cybersecurity role. Many believe they will easily get their foot in the door by nabbing certifications and go into a mid level role without IT experience.


bcjh

r/MrRobot


zgn585

I agree. I think it's becoming oversaturated at this point as everyone and their cousin is trying to get in to some kind of cyber security gig. I'm getting in to cyber security because while getting my degree in network management, the security aspects were the subjects that really grabbed my attention and made me actually WANT to learn more. I enjoy networking and find it a little fun and challenging, but cyber security just really does it for me. But yeah, some people saw some hollywood bullshit and a decent salary and went for it


[deleted]

Also most "cybersecurity" jobs are just project manager jobs that people think they can slide into, rattle off a bunch of buzzwords and be good. I am seriously considering quitting my job because the people at my company who are in "cybersecurity" don't even know how to query our log system.


RojerLockless

Yeah every kid wants to do cyber security because quite frankly they don't know anything about servers, cloud, windows engineers or anything else


blizzard_is_lanky

Newcomer to IT here: I’ve been obsessed with cyberattacks and malware for years. I’m subscribed to many Cyber news sites and like to watch many videos with experts talking about them. However, Cybersecurity isn’t the only long-term IT career that I’m interested in. I also like Cloud Computing and System Administration.


Starkes411

System Administration is interesting to me too. I think it's cool having the keys to the castle so to speak, but you also have to worry about the sword of damocles falling.


Zoltar-Wizdom

Because it’s a snake oil goldmine. Fear + shit to sell + sounding smart = business owners throwing money away. There are legitimate people and solutions in the field, but there’s a loooooooooooooot of bullshit.


aWilly-

At least from my experience, it was all the advertising from my college. They had about 4 IT degrees, but the one that was pushed the most & was the most popular was the Cybersecurity option. I don’t know what it is but people that were in my classes thought that the word “Cyber” had some sort of exclusivity to it? It also didn’t help that a lot of my professors would fail to mention that IT doesn’t start at Cybersecurity, it was never mentioned that Help desk is the beginning steps to a career in IT.


[deleted]

So I'm just starting out but I've considered staying away from Cyber Security because it seems to be all the rage. If the job market gets flooded with qualified applicants then the compensation will go down. Which is why I'm heavily leaning towards eventually becoming a Linux admin. I think a lot of even IT people are scared off by Linux, yet Linux runs like 90% of the web.


colondollarcolon

It is a bad cliche. A very tired, boring, bad cliche.


loudog3114

Cyber Security is a buzz word for what somebody who has been in IT for over a decade would call "doing a good job". It's generally used by those who have never actually logged into a firewall themselves.