Should I purse Pen testing or Compliance type work.

diggitle

I got hired by a small company (the target recommendation to anybody that wants to get into pen testing) in 2012 that wanted a newb with a bachelors degree in information security. I got the security+ the same month after being employed and have been pen testing for about 2 years 5 months now. I'm working on getting my CEH at my employers request (They only pay for what they view worth it i might add, I paid for my Sec+ and the CEH i used the MGIB for the training and materials). My issue is even after I receive my CEH I'm looking at probably only a $1,000 - $1,500 increase in my base pay, with a very little increase in commission as well. I'm not greedy and am aware of my inexperience that they use as an excuse, but when I see Job postings (mainly contracts) for pen testers with 3-5 years in Charlotte paying 50-60/hr I'd expect to get at least half of that, you know like 25-35/hr. A+ technicians in Charlotte get 20+/hr (not that they're lower than me), I'm just confused as this is a highly technical field according to lots of people.

My base salary over the years-->

2012 - $36,000
2013 - 37,000 ($1,000 increase)
2014 - 38,500 ($1,500 increase)

My commission schedule over the years ---> You get more if you bill more but not much.

2012 - 465 per month after billing 10k (I smoked how much i billed in the first year i averaged 14k each month)
2013 - 560 per month after billing 13k ( I smoked how much i billed in the second year i averaged 16k each month)
2014 - 660 per month after billing 18k ( I've been billing 18-23k that equates to $800-$1,095 extra to my base)


It will probably take me 5 years to get what I should be getting which is about $50,000. Employers logic = commission (you feel like you earn it), I'm good with that but when i bill over and above I don't get but the table scraps. My quota is 18k this year, I've been billing 19k+ for multiple months and I get only $800-$1000 for the work. I've spoken to the employer and they said they have a lot of over head, they also hinted at if I don't like it I can always leave (the republican at will mentality). But without having a CISSP and 5 years of Info Sec experience i feel like im between a rock and a wall. I say this because I work 60+ hrs at times, have all the grunt responsibilities and all the engineers i work with have "families" which gives them more options (working from home, getting flex time, more pay, etc). I want to work smarter not harder, i've learned my lesson from the army.

What should I do? I'm noticing a lot of "technical folks" pursuing a MBA, CISSP, CISM/CISA, etc, why is that? Is pentesting moving towards automation? Are we really moving towards the run nessus, metasploit fix issues repeart??? I'm seeing a lot more jobs for managed security i.e IPS/IDS, firewalls, etc and Compliance i.e PCI, SOX, auditing etc.

Thanks,

the_Grinch

Pen testing will never be fully automated (at least not for those trying to have a legitimate one done). That being said, you are seeing more of a run to compliance due to the number of break-ins. Companies want (and depending on the industry, are required to have) auditing teams that allow them to know where they stand currently. I know in the US government they have pre-audits before the full audits. My buddy flies out a month or two before a full audit and finds the issues for them to fix before the full audit team comes out.

Checking a box is never enough, but auditing should be part of any information security program. That way when you go to court you can show that due diligence was performed and that a risk was deemed acceptable (along with being signed off by someone). In my case I work on the regulatory side and deal with compliance teams on a daily basis. When you are risking a hefty fine it is in your best interest to be performing audits prior to your regulator coming in and finding the issue.

UnixGuy

You've been at your job for 2.5 yrs now, you are underpaid and you did it for the experience - smart move. Now it's time to move! I don't think you 'need' the CISSP though, just get a new job and start working on advanced certifications. You have good experience, don't underestimate it.

JoJoCal19

I'm not a pentester, but I would say after the CEH go straight for the OSCP. Between having the OSCP and by then about 3 years of experience, you should be able to land something paying much more than you're making now.

I work in the GRC (Governance, Risk, Compliance) side of InfoSec and it can be boring at times, especially if you're in a silo'd environment in a large corp like I am. I however, have always been of the mindset to broaden your knowledge and skillset, so I say also pursue some of the non-technical security certs when you are eligible (CISSP, CISM, CISA, etc). But first definitely go for OSCP.

Gorby

After 2.5 years at your current position I think your definitely underpaid and it's time to move on. If you stay where your at now you won't get that big increase so I'd brush up my resume and find another position.

I work in compliance now and like JoJo states, it can be boring sometimes because of the paper drills so you should like writing at least somewhat. If you're a technical person and want to stay in that pen side I'd go for my OSCP certification than CISSP.

diggitle

Thank you everyone for your responses.

colemic

Keep in mind that for the CISSP, with a bachelor's degree, or Security+, you can shave one year off of the 5-year requirement... so you are a lot closer than you think, especially in you have any previous experience that would satisfy the domain requirements.

diggitle

Thanks for the input Jo Jo. How's your CEH study going. I'm retaking mine 2nd attempt next week. Yikes.... I hope to pass.

JoJoCal19

CEH studying is going slower than I'd like, but I'm approaching studies from a different angle than last time so hopefully it puts me over the passing line this time. Hoping to test by the 26th, if not the 30th.

diggitle

I attempt for the second time this Thursday; I'm thinking of rescheduling because im not doing well on practice exams.

diggitle

JoJoCal19 wrote: »

CEH studying is going slower than I'd like, but I'm approaching studies from a different angle than last time so hopefully it puts me over the passing line this time. Hoping to test by the 26th, if not the 30th.

What angle is that?

JoJoCal19

diggitle wrote: »

What angle is that?

Instead of just re-reading the AIO and going over all the info (I seem to have the basics and non-technical stuff down), I'm reviewing EC Councils official CEH Review Guide they made for the v7 and drilling home the technical stuff and the details of the most popular tools. Also Cengage has this nifty 34 page CEH **** sheet that goes with it that has all of the technical details of the processes and tools. As well I'm using the tools in my lab. I have a good feeling the technical tools and some details were my weakpoints. As well to keep the other stuff fresh I'm using the Boson practice exams too.

LinuxNerd

If you have real skills in the security field you don't need a certification. A self coded python script that does something unique is much better.

colemic

That's an entirely subjective opinion; most HR departments and/or hiring manager s would disagree with you. For JoJo's case, the cert (CEH) IS needed as it is part of WGU's MSISA curriculum.

pinkydapimp

LinuxNerd wrote: »

If you have real skills in the security field you don't need a certification. A self coded python script that does something unique is much better.

No. the problem with this is you may not get to the interview to display those "Real skills" without the certs due to the way Recruiters and Hiring managers work. And really, why would you want to take that risk? Id much rather have the cert and not need it, then find a job and not get it because i decided not to spend a few months studying for the cert. just my opinion though.

LinuxNerd

pinkydapimp wrote: »

No. the problem with this is you may not get to the interview to display those "Real skills" without the certs due to the way Recruiters and Hiring managers work. And really, why would you want to take that risk? Id much rather have the cert and not need it, then find a job and not get it because i decided not to spend a few months studying for the cert. just my opinion though.

Certs are a joke in the security industry. Take it to the bank.

cyberguypr

Joke or not what Colemic and Pinky say reflects the real world. You need certs to move past the HR drones. There was a discussion a few weeks ago on the SANS Advisory Board about this. Hiring managers get highly qualified talent and then HR axes them because they don't have the required certs. Same issue happens with degrees.

I'm not saying certs/degrees are a MUST, just that your options are exponentially limited by not having them. If you want to tip the scale to your side, it's the smart way to go.

UnixGuy

Certs, specially in the security field are very important! I've yet to see a serious security position that doesn't list them as a requirement.

So the OSCP certificate is a joke now? It's a very tough cert and proves a certain level of competency.

SANS certs are widely respected, and the associated training is the real deal. CISSP/CISA/CISM are highly regarded certs and almost required for any security management type position.

Cyberscum

LinuxNerd wrote: »

Certs are a joke in the security industry. Take it to the bank.

This made me laugh  But I do agree with most on this, certs get past filters...That is all.

...And to add for the OP. I do compliance and have never struggled finding work that pays well.

JDMurray

Yes, certs will only get you in the door for a first round interview for a new job or promotion. After that it's what you know, what you can do, and how you present yourself that will get you the position and allow you to keep it.

slinuxuzer

Don't forget DOD 8570, certs are required to get certain jobs and the last DOD 8570 offer I got listed CCNA CEH and CISSP as qualification for certain roles, I am not sure if this requirement is 8570 wide or just this employer that offered me the job. Also remember you can pass the exam and be associate of ISC2 and this is enough to meet the 8570 requirements. My advice. Start studying for the CISSP now, it took me a year to study for it. I realize your more into the nitty gritty pen tester stuff, but this will open some doors for you.