Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • boatswain@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    8 months ago

    Hey all! I’m trying to figure out where I go next in this career. I’m working at a mid sized company that is owned by a company that is owned by another company. Started out as a software dev about right years ago and spent a lot of time as a security champion; finally moved to the InfoSec team about two years ago. It’s a small InfoSec team: three people total. So I do a lot of stuff: contact reviews, vendor security assessments, firewall log monitoring, code reviews, run security trainings, coordinate external pen tests, gather SOC 2 evidence, incident response… Lots of stuff.

    I like most of the work well enough (though the GRC stuff is not my favorite), but recently my boss and my teammate quit, so our team of three is down to me. There’s some support available from the security team of the parent organization, and a very competent contractor, but it’s largely just me.

    What I’m wondering mostly is: if I go elsewhere, what kind of role am I looking for? I feel like this Jack-of-all-security-trades thing I’ve got going on can’t be super normal, can it? And also, is my current situation something I should embrace, and take the opportunity to run the InfoSec team? Having someone with two years of security experience at the wheel seems suboptimal to me, but maybe it’s worth doing for the experience?

    My ideal would be working with a team of five or six, with people I can learn a lot from; my concern is that right now, most of the learning I can do is from my own mistakes.

    • shellsharks@infosec.pubOPM
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 months ago

      Im not sure if your situation is “normal”, but it may be less rare than you think. Chaos can be a ladder, but it can also result in you just being overworked and making no real progress technically or professionally. Given the situation I would probably just look for what else you can find and jump on anything that seems promising, but in the mean time keep your head down and get your job done and try to make the best of the situation. Do you feel your situation is stable in terms of job security?

      • boatswain@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        I think I’m good as far as job security goes, so that’s a plus. I should ramp up the job hunt I suppose. Already trying to study for the CISSP after work though and I am a big fan of having down time to unwind.

        • shellsharks@infosec.pubOPM
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          On one hand, the market is such that it might be too much work / too depressing to passively hunt for a plan B. On the other, it’s probably good to have an idea of what a plan B could be…

          • boatswain@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            Is the market actually bad at the moment, though? We’ve been trying to fill one of the vacant positions on my team, and the offers we’ve extended have been declined for other options. That makes it seem to me like candidates have plenty of options at the moment.

            • shellsharks@infosec.pubOPM
              link
              fedilink
              English
              arrow-up
              2
              ·
              8 months ago

              I haven’t been looking so I can’t speak with first-hand xp. From others accounts on socials it seems like it’s kinda rough but everyone has different experiences. Good to hear some potentially optimistic news for a change though so I’ll take it.