Big 4 Accounting Firm (PwC, Ernst and Young, Deloitte, KPMG) Cybersecurity jobs?

Hi all,

Do any of my fellow TE members have direct or indirect knowledge of accounting firms that have cybersecurity practices as well? A lot of the positions for the aforementioned companies (PwC, Ernst and Young, Deloitte, KPMG) require Monday-Thursday or M-F travel time to various other large cities across the country; you get to select a city of your choice close to an airport to fly from. I am very much interested in obtaining a job with one of these companies and was wondering what is the compensation like given various experiences, hours they make you work, and overall work/culture satisfaction?

Thank you in advance for any feedback given.

- Wiggly

Find more posts tagged with

Comments

LeBroke

Wigglytuff wrote: »

Hi all,

Do any of my fellow TE members have direct or indirect knowledge of accounting firms that have cybersecurity practices as well? A lot of the positions for the aforementioned companies (PwC, Ernst and Young, Deloitte, KPMG) require Monday-Thursday or M-F travel time to various other large cities across the country; you get to select a city of your choice close to an airport to fly from. I am very much interested in obtaining a job with one of these companies and was wondering what is the compensation like given various experiences, hours they make you work, and overall work/culture satisfaction?

Thank you in advance for any feedback given.

- Wiggly

Friend applied to Deloitte and KPMG, said they both offered him 70k, declined. Got a FT no-travel job for 100k that ended up being 90% WFH about 6 months later when much of his team got moved to a different city.

For the credentials they want for security auditor/consultant positions, it does seem like a raw deal - if you can do what they're asking, you can usually get a much better job as an in-house security engineer on a red/blue team.

I applied to Deloitte and had the experience they were asking for, but they turned me down at the resume review stage. Most likely because I don't have any security certs at the moment.

Only seems worth it if you want to get your foot in the door into a consulting position, or travel at company expense.

TechGuru80

Consulting companies usually seem to short change the bottom ranks for the hours you put in...and pay huge bucks to the top. Not to mention you usually have to travel a lot. It's a good way to get a lot of experience but consulting jobs have a high burnout rate.

Azazello

{Instead of opening a new thread, thought this might fit better here. If not, moderators feel free to transfer a fresh thread.}

Fellow TE'ers,

I recently applied to Deloitte for a role in their Cyber Services group, and in the invite they posted these requirements -- this is interesting because these areas are under what (all the Big 4?) consider as 'Cyber Security':

"If you’re a Cyber professional with at least 2 years of experience (after undergraduate) in any of the following areas, please join our Cyber Services Virtual Meetup..."

Skills:

ERP (Enterprise resource planning)

Oracle

Business Processes Designs, Oracle Cloud Security, Oracle Application Security, Oracle ERP/HCM Cloud security design and implementation, and risk management

SAP Business Process Controls, GRC Process Control, SAP S/4 HANA or ECC, SAP Controls, SAP Configuration, Segregation of Duties, Implementation

Cloud

Azure/AWS/GCP

Business processes designs, cloud security risk and readiness assessments, analysis of prospective Cloud platforms/environments for AWS, Azure, and GCP
Cloud Services (IaaS, PaaS, and SaaS), DevOps
Python, PowerShell, DevOps/Automation tools (AWS CloudFormation, Ansible, Jenkins, Git), Secure Software Enablement (SSE)
IAM, Active Directory, Centrify, MFA, McAfee AV, Tenable/Nessus, Trend Micro, Splunk, STIG Hardening.
IP networking, VPNs, DNS, load balancing and firewalling concepts – (Focus on AWS Networking, Palo Alto and Cisco DMVPN)
Microsoft Office 365, Enterprise Mobility & Security (EMS) and Azure Active Directory (AAD)

Digital Identity

Hybrid Operate

System Administration in hybrid, cloud environments, Unix and Windows, on AWS, Azure, and GCP
Bash, Python, JavaScript, Java, AWS RDS, DynamoDB or other cloud database services, Java

Analytics and Technology

Business processes, internal control risk management, IT controls
Install, integrate and deploy SailPoint, CyberArk, ForgeRock, and/or Okta products

Fusion

Hybrid Operate

Vulnerability/Attack, Incident Response, Attack Activities, Threat Intelligence and Threat Hunting
Security information and event management (SIEM), IDS/IPS, Data Loss Prevention (DLP), Proxy, Web Application Firewall (WAF), Endpoint detection and response (EDR), Anti-Virus, Sandboxing, network- and host- based firewalls, Threat Intelligence, Penetration Testing, Advanced Persistent Threats (APT), SOC

Analytics and Technology

General security concepts, defense-in-depth, least privilege, security architecture and design, threat modeling
Interpreting, searching, and manipulating data within enterprise logging solutions (e.g. SIEM, IT Service Management (ITSM) tools, workflow, and automation)
ServiceNow, NIST, GRC, SIEM technology (e.g. Splunk, IBM QRadar, Microsoft Sentinel, etc.), Enterprise Logging Solutions or IT Service Management (ITSM) tools, extending enterprise security controls to the cloud

UnixGuy

Old but thread but I want to add..

The Big4 are independent firms, so there is a big difference between there service offerings between countries (and even different states). I.e. KPMG Germany cyber will be different from KPMG Argentina cyber. Just something to be wary off.

Azazello

Point noted. Just to be clear-- these are not Deloitte's service offerings; instead, these are the functional/operational areas that their HR has defined can be (are?) under Cyber Security.

Let's assume they got guidance & feedback about these classifications from actual security professionals. (yeah I know, we're talking about HR...)

JDMurray

It's surprising how many long job requisitions include technologies/processes that the company is "thinking about adopting" but is not actually using at the moment. I've hired on to a couple of those reqs and never ended up never seeing the technologies I had hoped to get to play with--mostly tools and programming languages.

scasc

Whenever the big4 is discussed it’s as if I go back my roots. Any questions, feel free to give a shout.

Azazello

@scasc : your (and @luisbee ) very-helpful comments in https://community.infosecinstitute.com/discussion/133877/it-audit-risk-assurance-what-do-i-need-to-know is what I found when searching for people's experience with Deloitte/Big4 (which is actually 6?). I was considering putting my post in that thread, but wanted to share this information to a more generalized Title.

Azazello

Followup on my experience with Deloitte's Cyber Services Virtual Meetup:

My assessment: My fears that this was just an HR exercise, more likely just a cattle-call for potential candidates, with possibly no real vacancies are open, seemed proven by the experience.

The invite requires you to open an account on their meetup service and include a resume. So they see your credentials before the meeting.

The meetup was divided into four groups: {I should have recorded the official names, but they were effectively...}

[ERP], [Cloud], [Hybrid Operate from both Digital Identity & Fusion], [Everything-Else]

-- see my info above for what's covered in each group.

The meetup was schedule from 11am-2pm - and here's why: 3 of the group only had three maximum recruiters/HR-whatevers to meet candidates; [Everything-Else] had four.

During the two hours I waited to chat with someone (thank goodness I could still do my regular work in the foreground)......

[Everything-Else] had the most candidates queued - as high as 43. [ERP] had the least - as high as 8.

None of the groups had their full number of reviewers. [Everything-Else] varied between 2 and 3; the others btwn 1-2.

The format of the meetup was to do text chatting first, then the reviewer would decide whether or not to do video. Each session starts with a six-minute limit. I guess if the reviewer is impressed, you get more time. (I got a total of 16 minutes, with two 5-min extensions)

Of course I was in the [Everything-Else] queue, and I knew after the long wait that the reviewer was not gonna do video, as he had probably chatted with 20 people by then.

The first thing he says, yes, you have alot of risk and compliance experience -- ever worked in a SOC? Nope, I replied.

Next-- which of these do you have experience in - DevOps, Incident Response, Network Security, Vulnerability Mgmt?

{Notice these are all under [Hybrid Operate], which is covered by the other meetup group.}

I typed a quick summary of my work in each them (e.g. none in DevOps).

Then I posted that my focus for joining this meetup was for (Analytics and Technology - in both Digital Identity & Fusion)

He then said he wants to forward my app to (someone else in HR?) -- and, do I understand that the advisory side of the business might require 80% travel to client sites (when the health situation improved) -- am I open to this?

I lied and said Yes; I understand that's the nature of the consultancy side of the roles.

Being a bit over a 16-minute session, we gave each other perfunctory thanks & goodbyes, and the session or the reviewer booted me out.

UnixGuy

@scasc was a great help with Big4

scasc

@UnixGuy - thanks, try my best to help out

.

@Azazello - Have you had any correspondence from them since the virtual meeting? Do you exactly know which team/role you are interested in the level you are pitching yourself at? If you have not heard back, wait a few days and get in touch with them to see what the latest is. You may also want to find senior workers within the team you are targeting/HR folks on LI and try and get contact that way. I know they are recruiting all the time, year around.

balance

It has always been my dream to work for one of these positions. I had a HR rep from one of those companies tell me " With your experience go to the desert and do some contracting you will make a killing" I did and I am , but I still would love to work for one of the BIG 4.

scasc

Stay contracting

. Everyone has different experiences but I reckon contracting is a great position to be in