
Life Advice


WhiteRareBit


Hey All,

I'm looking for advice on what to do with my career. Thank you for reading ahead if you choose to.

Let me preface this question with a bit about myself. I work in a quasi-security job, as a systems engineer in a company that has several large-ish MSA clientele in Australia.

I'd like to describe what I do as "consulting" (correct me if I'm wrong about this); on a day-to-day basis the range of requests that get thrown towards us is hugely varied. Rarely does systems engineering, a somewhat non-specific title, encapsulate what I think I do.

To provide some examples of what I think is a variety: one day I may be provisioning RedHat Linux servers for a client, or responding to security incidents from behavioural threat monitoring, or demonstrating to my boss that some of the IoT devices in our office are excessively vulnerable (I did this, with his consent, by popping a root BusyBox shell on the devices using a publicly available exploit). Other days I could be restoring user data, or working with TLS certificates on load balancers, or troubleshooting SSSD with Active Directory integration.

Additionally, I've worked on a few larger scale projects. I've designed, built and secured a Graylog syslog server, in which I included LUKS disk encryption on top of an LVM layout so we could encrypt the data at rest. I was also given the task of choosing, designing and configuring our password management solution for use by our staff. Currently, I've been designing and configuring RedHat Satellite. This is to provide us with better visibility on the VMs' patch status, to standardise the repository information, and to prevent our company from continuing to manually build RedHat VMs for the client. Building these VMs manually was inconsistent and used to take up quite a lot of our time; it now takes about half an hour. Because the company where I work is small, there are requirements of the staff at my company to fill in the gaps and do what the client needs.

I began my career (perhaps foolishly) attempting to be a pen-tester straight out of University. Post-uni I studied for a year in an attempt to pass the OSCP. I have no regrets about spending my time learning the course material, and I can credit this time for exposing me to a multitude of different technologies and systems that I needed to land my job where I currently work. However, I never quite made it by passing the OSCP exam despite attempting three times. I like to credit these failures and many others earlier in life on unbridled ADHD (which I was not aware of until relatively recently, and now have treatment for).

I needed a job: the money I had saved to study was running out, and with the rent needing to be paid, I ventured out looking for a job.

I landed a few interviews with small pen testing firms. At the first place, I found myself on the other end of a Zoom call with an aggressive man asking me "how in the hell I truly thought that I would be capable of working for his company". I was quite disheartened after this first attempt, as I had invested a significant amount of my time doing a variety of tasks that they had sent to me during their interview process. At the second place I interviewed for, I was shortlisted, got past the first round of interviews, got into the second technical interview, and then was ghosted.

After a few months, I managed to land the job where I currently work. Two years later, at age 25, is where I find myself now.

I work long days at 8:30 AM-5:30 PM 5 days a week, and occasionally out of business hours. I put my all into my job, and some days I (regretfully) skip lunch in an attempt to produce the best work I can in the shortest period possible. Unfortunately I find myself being consistently overwhelmed, stressed, and tired. You may think that this is due to pressure placed on me by my boss, but he's actually relatively relaxed and lets me work on what I decide is the best use of my time. The flipside, however, is that my lack of effective time management leads me to attempting to focus on the more difficult and longer term projects to execute them as quickly and effectively as I can while somewhat shirking the smaller and simpler generic tasks. Please don't think that I'm looking for sympathy. I know that many, many others do it tougher than I do, and I know nobody asked for my life story. I just wanted to provide some insight and context for the question that I'm asking.

And the question is... drum roll...

What should I do now?

As far as I see it, I have three options.

  1. Stay at my current work for the next few years, earn some certs, and continue to be a Systems Engineer.
  2. Find another job. One that sits more succinctly in the security category (perhaps overseas?)
  3. Start my own business of some kind; this option is more of a pipe dream.

I feel that I don't get paid much for what I do in my current field (I earn $75k AUD a year, and the average is $90k-$100k annually looking at the salaries on GlassDoor). However, I do realise that I'm green with two years of genuine paid experience under my belt. Right now though, I do hear that there's currently an information security job boom in my country, given the quantity of publicly visible breaches occurring and a significant skills shortage due to the lack of immigration from, y'know, Covid-19.

Anyway, sorry for the brain dump. If you have advice then I'd be glad to hear it.

Edited by WhiteRareBit

Fellow .au security bloke here. The big challenge early in a career is working out what you want to do for a living. Security is a broad church, and there's lots of different areas you can specialise in. Pentesting, GRC, ops, audit, identity, IoT. Heaps of areas to grow into once you find out what you like.

Regards option 2, if you're interested in a move overseas and could tolerate living in the USA there's a category of visa called E-3. It's a special visa category that was created for skilled .au citizens, presumably as a little reward for us tagging along and holding their coats during the second Iraq war. If you're at the stage of your life where travel is an option that interests you then it may be worth checking out.

There's definitely room for new cyber consultancies to start up. The best of them marry tech skills with business acumen; if you've got business skills/a salesy-type friend to go halves with you'll have a decent start.


First of all, it sounds like you dodged a bullet with a toxic interviewer who was rude on top of giving you homework assignments (???). Being ghosted by a potential employer definitely sucks but it's the nature of things, unfortunately, so it is important to not let it discourage you.

One path that often gets overlooked, especially by people in their 20s, is taking a non-security job at a mid-to-large size company and then transferring internally; it is extremely common. This is what I did and it was the best thing that ever happened to me. Some of the best hires in our department came from other areas of the biz, even non-technical fields. Most orgs that can afford (or are required to have) a dedicated security team understand the value of hiring internally. You will have an advantage in being a priority candidate, and will likely be able to see job postings weeks before they get posted publicly. Get to know the security staff and offer to buy them coffee if you work in an office; many have office hours/open house where you can chat in person or virtually. You'll learn more about the various teams, how they operate, and what they are looking for. Use those conversations to identify possible skill gaps you might have. If they require a certain certification, many employers will cover the costs.

It sounds like you are on the right path. It's tricky to break through completely but the good thing is that you only have to break through once. 😀


On 11/6/2022 at 2:26 PM, WhiteRareBit said:

"Hey All, I'm looking for advice on what to do with my career. [...]"

Don't get discouraged, I'm in the same boat. I worked for a startup company in India and I did multiple projects related to Web, API, mobile, cloud, security operation center (SOC) setup, ISO270001:2013, configuration review and worked as a trainer as well. But the most interesting part is my salary was 20000 INR, which is 247 USD/Month, which is quite low to stay in a metro city. I had big trauma keeping with that money when my room rent cost was 14000 INR. I asked for a raise, but he didn't give me one. So I quit the job last month.

But the only good thing was I have multiple projects on my CV.

My Suggestion

1. Prepare for the goal (what you want to be), develop skills, write some blogs. You gotta make your CV look better, which is love what you do.

2. Don't quit the job until you find a new one.

3. Gotta be practical; starting a business is always best, but all I have to say is be mentally prepared.

 

At last all I have to say is stick to one thing and "Be the BEST in it"

Remember after every bad day, there is always a good day

Like after dark, there will be light

Remember "Nothing Lasts Forever, Even the Cold November Rain" -- GnR

"It's a Long Way to The Top if you wanna Rock N Roll" -- AC/DC

 

ALL the Best
