Hours per day worked by IT Security/Pentesters?

ProlifixProlifix Member Posts: 8 ■□□□□□□□□□
Could those of you who work in IT Security/Network Security/Penetration Testing tell me how many hours a day you work on average? For instance, I know that Software Developers / Programmers work around 9 hours a day on average, whilst for many System/Network administrators 10 hours a day of shift work, plus being on call, is considered normal.

I know that one or two of you who work in IT Security mentioned that you work 8-9 hours per day. I wanted to find out if that is the norm since I myself am thinking about moving into IT/Network security or perhaps penetration testing.
«1

Comments

  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    It is 100% dependent on the company you work for and your lifestyle. I'm a contractor in security, I can't bill more than 40 hours in a week unless there is a major emergency and I need higher level approval for the billing.

    You'll find people who are in desktop support who work 65 hrs a week and aren't getting overtime, you'll find architects who work 30 hrs a week at most. It's really all over the map.

    What I will say about security that is different than my many years as a sysadmin, you have to do a lot of research. Things change every day, much faster than something like a new version of exchange coming out or a new version of a firewall. New attacks are constant. Some people might include the number of hours they spend reading about security as their work time. For example, if I bill 40 hours a week, but spend 8 hours a week at home reading about security because it really interests me, I wouldn't say I "work 48 hours a week".
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    The number of required work hours per week is going to vary quite significantly by the company as well as the particular role.

    For my case, I work maybe 60 - 70 hours a week (minimum). It also means I work every day at the moment, regardless of whether it's a company holiday or not. The dynamic nature of the work is quite fluid and for me it's a constant juggle of changing priorities. While I'm not mandated to work this much, realistically it's what I have to do to keep the backlog to a manageable level.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • ProlifixProlifix Member Posts: 8 ■□□□□□□□□□
    The reason I ask is because I was interested of going into IT Security, but not if its going to require me to work 10 hours a day. I always imagined that the nature of the job would require you to work less hours than system/network admins so that, like danielm mentioned, more time could be spent on updating your knowledge of the latest changes in hacking/security.

    Also, is it considered standard in the IT Security field to be 'on call', similar to the way it is in System/Network administration?
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I'm curious where you got the impression that security teams generally work less hours in order to account for allotted time to keep up on current news/trends/skills. If anything, security tends to require much more effort since there's a need to dive into all the tedious details, research/absorb relevant context quickly, and deliver results. Once an incident is declared, the clock is ticking and it's crunch time. Things don't conveniently stop when 5pm rolls around.

    Being on-call isn't isolated to system/network staff. I'm on-call 24x7x365 by default. It's just the way the environment I work in is structured. It all really depends on the organization you work in.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    I'm with docrice, I'm effectively on call all the time too if something happens. I may only be contracted for 40 hours a week, but I spend a lot of other time researching and testing. If the crap hits the fan, I'm stuck there, it's sort of the nature of IT for most specialties.

    Really though, docrice, if you're working 7 days a week and 70 hrs a week minimum, you are understaffed, grossly. Hope they fix that for you at some point.

    Edit: This is the reason I frequently ask people WHY they want to get into the security field. If you don't have a passion for it you really aren't going to enjoy it. I know people watch movies/tv and think it's all about being a hacker and crazy exciting, the reality of it is usually very different from what most people imagine.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Danielm7 wrote: »
    Really though, docrice, if you're working 7 days a week and 70 hrs a week minimum, you are understaffed, grossly. Hope they fix that for you at some point.

    I believe there is truth to this.

    That said, it seems understaffing is a common story at many places. I think it's partially due to management not understanding how much extra work there is in dealing with evolving complexity and all sorts of one-offs in the environment which throws off estimations for time needed to get things done. And environments constantly change while your boots get buried deeper and deeper into the mud.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • InfoTech92InfoTech92 Member Posts: 75 ■■□□□□□□□□
    I'm new here (just made my account last night) but I'd like to chime in. If you're looking to work 8 hour days, come in at 9 and leave at 5, IT may not be for you. This is a career that isn't a 9-5. No offence. but if that's what you're focused on, it may not be the best fit. There are going to be 12 hour days depending on what's going on.
  • N2ITN2IT Inactive Imported Users Posts: 7,483 ■■■■■■■■■■
    Under staffing is a big strategy. I was listening to an IT Managers podcast just recently and some executive from Apple said their model was to hire one really smart resource, pay them big money instead of hiring 3 mid tiered employees. Instead of paying 3 average engineers 85,000 just pay one stud 150,000 kill him/her but bonus him out and take really good care of them.

    He implied that average engineers are a waste of money and would rather just go all out for that "special" one. (Just repeating what I heard)

    The interviewer used to work for GM I think, and was way up through the IT Ranks. He agreed with that philosophy.
  • E Double UE Double U Member Posts: 2,233 ■■■■■■■■■■
    I do bank security and I put in ten hours daily by choice for the money. There were only a few occasions when I actually had issues arise that required me to work beyond a regular eight hour day.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    InfoTech92 wrote: »
    I'm new here (just made my account last night) but I'd like to chime in. If you're looking to work 8 hour days, come in at 9 and leave at 5, IT may not be for you. This is a career that isn't a 9-5. No offence. but if that's what you're focused on, it may not be the best fit. There are going to be 12 hour days depending on what's going on.

    That's not true. Danielm7 nailed it on the first post. It depends
  • InfoTech92InfoTech92 Member Posts: 75 ■■□□□□□□□□
    markulous wrote: »
    That's not true. Danielm7 nailed it on the first post. It depends

    Okay fair enough, it depends. IT can be 9-5 if you aren't doing any over-time, any projects, weekend stuff, ect. Not to mention the time you have to put in for studying, labs, ect. It can be 9-5, but I suppose it depends.

    I'm just saying, expecting your whole career to be a 9-5 isn't realistic in IT.
  • ProlifixProlifix Member Posts: 8 ■□□□□□□□□□
    The IT Security field that I was specifically referring to was penetration testing. I know that those of you who do system/network security work long hours, but as someone who would be involved in writing assembly code for different exploits, and would therefore be more of a 'security programmer', wouldn't the hours be easier?

    The thing is I am more interested in the coding/programming side of cyber-security (e.g. writing malware, breaking into apps, and other types of penetration testing) and therefore assumed that the workload and hours would be similar to those of any other non-security programmer - as opposed to the network security team who actually have to physically set up firewalls and such.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    It would depend on your engagements and variables such as the allotted time for the test, the agreed upon level of penetration, the type of environment you're testing against, etc..
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    E Double U wrote: »
    I do bank security and I put in ten hours daily by choice for the money. There were only a few occasions when I actually had issues arise that required me to work beyond a regular eight hour day.


    I work in bank security, but I didn't quite understand your comment. You mean you deliberatley work over time to get paid for it? Is there work to be done or do you create the work?

    I'm forced to work extra hours via on-call rotation, and I get paid for it.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @Docrice: I know you are a very experienced / highly skilled individual but constantly doing 60/70 hrs a week could be a sign of time management? Perhaps there are ways to automate things or improve the process to make it take less than 60/70 hours?
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Bchen2Bchen2 Banned Posts: 67 ■■□□□□□□□□
    InfoTech92 wrote: »
    I'm new here (just made my account last night) but I'd like to chime in. If you're looking to work 8 hour days, come in at 9 and leave at 5, IT may not be for you. This is a career that isn't a 9-5. No offence. but if that's what you're focused on, it may not be the best fit. There are going to be 12 hour days depending on what's going on.

    Wrong
    I haven't work a weekend or night in my whole career its been about 2 years now 3 pretty soon and the same goes for the team i work with ( help desk and desktop support)
    There are 9 to 5 IT Jobs but the pay can suck thou for those jobs
    I think its better to say if you want a job where you come in at 9 and leave at 5 don't expect to get rich or make a lot of money that way
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    UnixGuy wrote: »
    ...but constantly doing 60/70 hrs a week could be a sign of time management? Perhaps there are ways to automate things or improve the process to make it take less than 60/70 hours?

    It's a situation where the environment's rapid evolution/dynamics/etc. has greatly outpaced staffing given the speed at which business moves. Any semblance of automation will result in heavy maintenance of that automation due to how frequently the requirements are re-scoped and plans shifted. Forecasting isn't always reliable given the volatility of the industry I'm in.

    Much of the extra work on my part is purely voluntary because I have a bigger plan in the works and it also enhances my experience in a shorter period of time (read: I'm trying to pay my dues faster). However, in order for me to achieve my aims I have to put the effort in. In my particular position, I have great influence on planning, building, deployment, and monitoring. However, there are also high-visibility projects with tight deadlines that I have to meet and it compounds the stress to keep pushing things off when I'm constantly interrupted with other day-to-day tangents (much of which doesn't have to do directly with network security). So putting in the extra hours is an investment for me because I can see the payoff coming, at least incrementally.

    Another issue is that finding candidates for allocated headcount(s) has been difficult. I've interviewed candidates for over a year (likely longer) for one position. It's a liability to hire someone who's not quite the right fit for a role where speed, precision, and solid communication skills are required and compromising just to get someone in the door and hope we can train him or her typically has poor effect. There are too many out there who are more inclined to be vendor appliance engineers rather than practitioners who have the potential to work in-depth. The organization I work for is very easy to burn out in given the culture, pace, and demands of other business units. It's great if you can thrive in such a pressure cooker. Not so good if you don't know how to adapt. My organization has a motto of hiring slow and firing fast.

    My previous job was at a Fortune 50 (although I didn't stay there very long). The manager there tried to ensure that the staff didn't work more than 40 hours/week. In general, it seemed they were pretty good about that. So those kinds of places do exist. From what I gather at most places though, that luxury isn't common.

    I consider myself lucky to be in a position where I have a lot of autonomy, get to attend SANS training once a year, go to Black Hat and DEFCON, and optionally attend my company's own security conference if I wanted to. I also get to work with a lot of talented people who are working on cutting edge stuff. For all that alone, I'm willing to sacrifice a bit in order to be immersed. It's also important to me that my results have at least some polish to them, not just slapped together. Pride in the quality of work I deliver is a priority for me.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • LeBrokeLeBroke Member Posts: 490 ■■■■□□□□□□
    Bchen2 wrote: »
    Wrong
    I haven't work a weekend or night in my whole career its been about 2 years now 3 pretty soon and the same goes for the team i work with ( help desk and desktop support)
    There are 9 to 5 IT Jobs but the pay can suck thou for those jobs
    I think its better to say if you want a job where you come in at 9 and leave at 5 don't expect to get rich or make a lot of money that way
    You're not wrong, you just don't have the full story. That's exactly what everyone is saying in this thread - IT is not a 9-5 job unless you want to stay in helpdesk. When you're really junior, there's no reason to call you in. When you're really senior, you have minions to do stuff for you. But the second you hit junior admin status is the second you get slammed with rotations and on call.

    You might not have to be on-call as a systems engineer, but at that point you're being hit with companies that want to overwork the hell out of you.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    @docrice: now I think I understand you mean. From my experience (not security, but IT in general..) I found that one of the fastest ways to get experience in the shortest time possible was to work for a service provider in a consulting role...have you considered doing something like this for example?
    https://www.linkedin.com/jobs2/view/58705482?trk=jserp_job_details_text

    pros: working with highly experienced people, different costumers/setups (read: quick exposure), lots of pressure, heaps of training,..etc.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • BlackBeretBlackBeret Member Posts: 683 ■■■■■□□□□□
    @OP - Find a contractor that does what you're looking for. Raytheon was recently hiring reverse engineers for the vulnerability research team in San Antonio. When it comes to security work for contractors you're looking at a 40 hour week 85% of the time with about 15% travel, still putting in 40 hour days onsite. Some positions you wont travel at all, you'll get paid well, and you can accomplish everything you need while at work. A lot of it comes down to time management. These positions are rare, but do exist.
  • InfoTech92InfoTech92 Member Posts: 75 ■■□□□□□□□□
    Bchen2 wrote: »
    Wrong
    I haven't work a weekend or night in my whole career its been about 2 years now 3 pretty soon and the same goes for the team i work with ( help desk and desktop support)
    There are 9 to 5 IT Jobs but the pay can suck thou for those jobs
    I think its better to say if you want a job where you come in at 9 and leave at 5 don't expect to get rich or make a lot of money that way

    Exactly, help desk. If OP is talking about a security career, I doubt he wants to work help desk the rest of his life. Hell, I couldn't last more than a year in help desk with begging my manager for at least half of my day to be other stuff. Thank god he was cool and gave me more Jr. Sysadmin stuff to do.

    I guess I have to rephrase again. OP, if you want to work level 1 the rest of your life, you most likely won't have to work after 5. I'm kind of doubting you wanna do that though.
  • Bchen2Bchen2 Banned Posts: 67 ■■□□□□□□□□
    InfoTech92 wrote: »
    Exactly, help desk. If OP is talking about a security career, I doubt he wants to work help desk the rest of his life. Hell, I couldn't last more than a year in help desk with begging my manager for at least half of my day to be other stuff. Thank god he was cool and gave me more Jr. Sysadmin stuff to do.

    I guess I have to rephrase again. OP, if you want to work level 1 the rest of your life, you most likely won't have to work after 5. I'm kind of doubting you wanna do that though.

    I think any position that isn't a 24/7 responsibility can be good for the OP
    Security and Pen Testing doesn't seem 9 to 5 thou
    If you are a network administrator system administrator or part of a critical team to keep critical systems or servers up you better WELL be prepared for more than 40 hours a week that can go for security/pen testing too.

    Help Desk can be 9 to 5 and it does not have to be tier 1 always we have a Tier 2 help desk and Desktop managers that work standard hours. No on call
    So can Computer repair
    Some programming positions
    and Business Analyst can all be 9 to 5
    But in the end it depends.

    Most Higher Paying jobs in IT do come with on call or long hours thou
  • E Double UE Double U Member Posts: 2,233 ■■■■■■■■■■
    UnixGuy wrote: »
    I work in bank security, but I didn't quite understand your comment. You mean you deliberately work over time to get paid for it? Is there work to be done or do you create the work?

    I'm forced to work extra hours via on-call rotation, and I get paid for it.

    I deliberately work overtime and yes there is always work to be done here.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • InfoTech92InfoTech92 Member Posts: 75 ■■□□□□□□□□
    Bchen2 wrote: »
    I think any position that isn't a 24/7 responsibility can be good for the OP
    Security and Pen Testing doesn't seem 9 to 5 thou
    If you are a network administrator system administrator or part of a critical team to keep critical systems or servers up you better WELL be prepared for more than 40 hours a week that can go for security/pen testing too.

    Help Desk can be 9 to 5 and it does not have to be tier 1 always we have a Tier 2 help desk and Desktop managers that work standard hours. No on call
    So can Computer repair
    Some programming positions
    and Business Analyst can all be 9 to 5
    But in the end it depends.

    Most Higher Paying jobs in IT do come with on call or long hours thou


    OP is asking about security though.
  • Bchen2Bchen2 Banned Posts: 67 ■■□□□□□□□□
    InfoTech92 wrote: »
    OP is asking about security though.

    Become an Information Systems Manager: Education, Career, Salary Information : INFOSEC INSTITUTE

    Link describes the penetration Tester
    It seems they would work long hours running assessments on networks databases etc.
    The testing and hackers don't stop at 5PM and someone needs to stop those hackers from hacking the systems.
    Don't let it be like target where they got all hack and the IT Security folks were snoozing on the job.
  • aftereffectoraftereffector Member Posts: 525 ■■■■□□□□□□
    I work in information security (job title: Senior Cybersecurity Engineer, duties focus on leading the GRC/policy team for a couple of enterprise networks). I work a standard salary-exempt schedule, averaging 45-50 hours a week because of my role as the team lead, but all of my junior guys work strictly 8-4. There is no shift work and no on call work in my section. In fact, there is only one on-call employee on the entire 20-something-strong security department, and that's the guy who handles NAC; he occasionally has to come in to get a VIP out of quarantine on the weekend or after hours. The rest of us - policy, compliance, software assurance/code review - work a very standard schedule.

    I can't speak about pen testing since we don't do that, but our team manages cybersecurity for a reasonably large DoD enclave and a couple of smaller ones. No one is going to work late at night scanning workstations for STIG compliance or rewriting a site security plan. Besides, our contract wouldn't pay the overtime anyways :)
    CCIE Security - this one might take a while...
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    I used to work a lot when I was younger. Now I work 40 hours. And wouldn't be able to work more even if I wanted to since I'm on a contract.

    But the thing is, I don't see much difference between work and non-work. I'm a kind of a guy who's not interested in anything but security. So when I'm not working I pretty much do the same thing. Reading stuff, sniffing stuff, writing code, analyzing logs, preparing for exams, etc. Even if I go out with my wife, I'm often with my headphones listening to a podcast or audiobooks or with my tablet reading something.

    So some would say that I have no life. That is true, I hate to travel, I hate people, I don't enjoy life in general. So I'd better sit in front of my PC, lol.
  • InfoTech92InfoTech92 Member Posts: 75 ■■□□□□□□□□
    I used to work a lot when I was younger. Now I work 40 hours. And wouldn't be able to work more even if I wanted to since I'm on a contract.

    But the thing is, I don't see much difference between work and non-work. I'm a kind of a guy who's not interested in anything but security. So when I'm not working I pretty much do the same thing. Reading stuff, sniffing stuff, writing code, analyzing logs, preparing for exams, etc. Even if I go out with my wife, I'm often with my headphones listening to a podcast or audiobooks or with my tablet reading something.

    So some would say that I have no life. That is true, I hate to travel, I hate people, I don't enjoy life in general. So I'd better sit in front of my PC, lol.

    man, sounds lucky to me. I wish I could meet a girl that wouldn't care if I spent that much time on something.
  • bpennbpenn Member Posts: 499
    I used to work a lot when I was younger. Now I work 40 hours. And wouldn't be able to work more even if I wanted to since I'm on a contract.

    But the thing is, I don't see much difference between work and non-work. I'm a kind of a guy who's not interested in anything but security. So when I'm not working I pretty much do the same thing. Reading stuff, sniffing stuff, writing code, analyzing logs, preparing for exams, etc. Even if I go out with my wife, I'm often with my headphones listening to a podcast or audiobooks or with my tablet reading something.

    So some would say that I have no life. That is true, I hate to travel, I hate people, I don't enjoy life in general. So I'd better sit in front of my PC, lol.

    I am kind of the same way. I hate traveling and prefer being around a minimal amount of people. I think once I get out of Help Desk I will be much more content with life!
    "If your dreams dont scare you - they ain't big enough" - Life of Dillon
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    InfoTech92 wrote: »
    man, sounds lucky to me. I wish I could meet a girl that wouldn't care if I spent that much time on something.

    I don't know if you really need a girl in first place. I mean, there's a lot of pron out there and modern girls aren't good at preparing food anyways.

    Sorry if I'm too dark here but I would consider meeting a girl not before I carefully assessed all the risks involved, existing vulnerabilities and potential damage to assets that could result when/if "a girl" suddenly becomes a threat source. It may very well be the case that risks outweigh benefits here.
Sign In or Register to comment.