I think it is finally time to start looking for another job

alias454

As the title says, I think it is finally time to start looking for another job. I have been working at my company for just over 5 years and have come to the conclusion; things are going to stagnate for me. I have had a pretty good run at this company and have made several internal transfers to go from working on the helpdesk to being a senior network administrator. Don't get me wrong, the company is decent to work at(not the worst, not the best), the pay is good for the area and I have the respect of my peers and management. However, where I want to go with my career, doesn't seem to be aligning(specificly, my interest in implementing better security).

I took the job at the helpdesk to get my foot in the door and everything paid off for me there. In the time since I started, I have obtained a Bachelor of Science with a concentration in security, got my vcp5-dcv, got the eJPTS, worked on the CCNA (I failed it but will circle back around), and am currently working on getting my GSEC cert. I constantly try to implement new ideas into our environment to make things better like building a pretty sophisticated logging stack, pushing for a more robust monitoring system, implementing SALT as a config management system, and currently trying to get up and running with better internal threat detection mechanisms. Some other things I have done include; moving the VMware farm from old HP hardware to a Cisco UCS environment as well as managing about 110 servers out of 350 total. With their make-up being Windows, Linux, AIX, and VMware. I also dabble in SQL, PHP, HTML, C#, Powershell, VBscript, BASH, and Java(no Perl or Python, although I have been wanting to play with Python).

I have been wanting to transition into more of a true security role. I am not interested in pentesting/red teaming as a career path, nor am I really interested in the policy side of security either. So what else is left? I was thinking security analyst but I would want something where I can still get my hands dirty from time to time.

Advise or job offers welcome

TheFORCE

Seems that the company got you some pretty good experience there. That's not bad for 5 years! If I was you, i would talk to your management first and see if they have a role like the one you want to transfer to, or if they dont maybe they can create one for you, with the right salary compensation of course.

The_Expert

I think 5 years is a good run... I heard somewhere that one should move to a different company about every 5 years or so. Especially, when one starts to become comfortable in their job. That's when most people stop learning and things just become routine.

My current goal is to re-evaluate my job every 2 years. If things are good - I'll stay. If not, I'll move on and make more money elsewhere.

si20

Be extremely careful about the security analyst route. I've been doing it for 2 years now and my soul is destroyed. I'm finding it hard to get work anywhere else because there are absolutely no transferable skills. I strongly suggest you read this thread for a good insight into what being a security analyst can be like.

Mike-Mike

si20 wrote: »

Be extremely careful about the security analyst route. I've been doing it for 2 years now and my soul is destroyed. I'm finding it hard to get work anywhere else because there are absolutely no transferable skills. I strongly suggest you read this thread for a good insight into what being a security analyst can be like.

i have seen you post this before, and I'm not saying you are wrong, but I dont understand how that is the case. I have only been a Security Analyst for a little under a year, and my phone won't stop ringing.

With your experience you would be very valuable in the Security field, you know the Network, so you should be able to secure the network. Plus in this era of job hopping, 5 years with one company is amazing. If you don't hate your current gig, the ball is in your court. Stay at your current job, but look for a new one, and just ask for a ton of money. Ask for enough you can't turn it down.

goatama

The problem is that "security analyst" doesn't mean the same thing everywhere. In some companies it means SOC monkey. Other places it's someone who runs the gamut of hands-on technical duties, and in still others they want someone who can analyze their systems and suggest policies and changes to improve their overall security posture. The key is reading hundreds of job postings to see patterns and determine what type of security analyst a company is looking for.

We have analysts who do mostly admin work: creating users, security groups, handling AD and file shares, vulnerability scans, pretty low-level stuff, but they're still called security analysts. Our security engineers are the ones who do things like manage the firewall, do secure system design, write policies, document security plans, pentesting, and tier 4 support for the rest of the organization; the high-level security stuff, but with lots of hands on as well. It just depends on the team you get on and how they define the duties. Focus less on the title and more on the job description.

alias454

Thanks for the replies.

@TheForce: I have been fortunate to work at a place that has just enough size to need all of the same toys bigger places have but just small enough to not be completely burdened by bureaucratic BS. My last manager was pushing to get me more involved with securing our network mainly as part of a compliance based effort. However, there have been some recent shifts, placing me under a different manager. Part of the reason for my post was because of a conversation with the new manager. It's not that he is against security but I can tell he has other priorities. This leaves me feeling like when the time comes to push for something hard, his support will not be there. Problem is, we have NO security team to speak of. Literally two people do "security", one of them does "HIPAA" stuff and one isn't full time at it. The one doing security part-time is my old manager. I have been told in no uncertain terms that there is no budget to dedicate me to a security role full or part-time.

I don't want to sound like I am whining or somehow ignorant of the fact that a "security" title is meaningless. The real matter is the work that gets done to secure the network. I could care less what my title is; having the support from management to get these tasks accomplished is what I am looking for. I am cognoscente of the fact we still have a business to keep running and we can't always do what we want. However, support comes in many different forms. It might be not getting the stink eye when discussing future ideas for securing the network that might require a bit of funding or allowing for dedicated research time so I didn't have to do it all after hours because my normal workload hasn't changed, etc. I should note that even with time during the day set aside, I would still probably do the after hours bit since I am dumb

@The_Expert: I have read the 5 year number somewhere too. I have not starting feeling comfortable to where I am apathetic. After being where I am for five years I can certainly save a lot of steps and time in a conversation. Namely, I can tell you what server is in what rack and in what U, I can tell you the application that runs on that server and who supports it, I can also tell you how they take their coffee. However, to your point, I am worried about going into work one day 10 years from now and being "that" guy. I constantly re-evaluate where am at and if it is closer to where I want to be or not.

@si20: I read your prior post too and think maybe you had bad luck or the job isn't the right job for you. Don't get me wrong, I wouldn't want to look at log files all day either but building the infrastructure pieces and picking out the interesting bits does keep me interested.

@Mike-Mike: Thanks, No, I don't hate my current job(there are days though). Some of the people I work with are really great and any decision to leave will be a painful one. Ultimately this company is one of those places a person could work at for 30 years. Granted, things could change overnight with a new CEO or being bought out buy a larger institution. Ultimately, I have to do what I think is best for me. Your point about being picky is well taken since I am not necessarily in a big hurry to get out of dodge.

@goatana: I understand that titles are less meaningful than the job description, even those can be misleading. I think I was looking at a general category to start looking into. Honestly, many of the sec roles I have looked at say "must have CISSP + 15 years experience" etc. I haven't looked that hard though, so I will take your advice and start looking a little more. I think I was looking for a good starting point to shoot for. I know, I just have to put it out there and take the approach Mike_Mike suggested, which is to be picky. it's interesting those doing AD security are classifieds as analyst(i know every company is different).

I won't hold you o it but generally speaking based off of my experiance would you feel I was qualified for your top spots? I am not asking for a job just curious where I stand and what my expectation should be. I don't want to be too picky and end up looking for the next two years waiting on that "perfect" job.

Thanks again everyone, I appreciate your feedback.

alias454

I can't sleep again and it is because there has been an interesting turn of events at work. One of my colleagues was let go (it is a loss to the team and his presence will be missed) and I have sorta/kinda been offered his role. The position was brought to my attention and I was asked if I might have some interest in it. I would still have to go through normal channels so it isn't officially guaranteed. Another thing is it isn't a security focused role like I have been wanting but it is a title I have coveted for years, which is Linux System Administrator. There is a small catch though. The primary duties aren't necessarily Linux system administration. That is a large part of the job but the underlying role is more of a DBA role for a large EMR vendor's noSQL database and surrounding systems.

I am going to throw my hat in the ring and see what happens.
Regards,

si20

Mike-Mike wrote: »

i have seen you post this before, and I'm not saying you are wrong, but I dont understand how that is the case. I have only been a Security Analyst for a little under a year, and my phone won't stop ringing.

With your experience you would be very valuable in the Security field, you know the Network, so you should be able to secure the network. Plus in this era of job hopping, 5 years with one company is amazing. If you don't hate your current gig, the ball is in your court. Stay at your current job, but look for a new one, and just ask for a ton of money. Ask for enough you can't turn it down.

But has your phone been ringing for other SOC jobs? A security analyst doesn't secure the network, nor configure things. A security analyst, by definition, monitors the network for threats. Some people call this a "SOC monkey". If you are configuring security devices, you're not really a SOC Analyst, you're a security admin/network person (can't think of a job title to describe what you might do).

In my first SOC job, I was the "eyes on glass" guy - looking for threats 12 hours per day (well, 11 hours, with a 1 hour lunch, but usually i'd do the full 12 hours because colleagues didn't look down on you having lunch!).

But honestly, what have I learned since i've been in a SOC?? How to use arcsight? A little. How to run a report on arcsight - yup. After 2 years of being in a SOC, i've lost so many skills you wouldn't believe. To the point where I started doing a master's degree AND the Linux+ to re-gain skills i'd lost.

I've had a few job offers for working as a security analyst in other companies - but, I have ran far away. I want to get back into 2nd/3rd line jobs - where it's technical, i'm working on servers/virtualisation etc. Perhaps SOC jobs aren't for me. But i've worked with clowns who don't know what a phishing email is. I've ran reports in xls format. I sometimes wonder how SOC's have took off, especially SOCs for compliance.... don't get me started on that!

One last thing i'll say is this... I know a guy on 40k - he came to be a security analyst. He had several years experience in server administration and network administration. For the past year he has been working as a security analyst - and by his own admission, he has forgot pretty much everything about server admin work. Why? Because he doesn't touch it. We personally don't log into servers. We're in arcsight if needed and if not, we've not literally nothing to do.

Mike-Mike

si20 wrote: »

But has your phone been ringing for other SOC jobs? A security analyst doesn't secure the network, nor configure things. A security analyst, by definition, monitors the network for threats. Some people call this a "SOC monkey". If you are configuring security devices, you're not really a SOC Analyst, you're a security admin/network person (can't think of a job title to describe what you might do).
.

well, I guess by your definition I would be a "Security Admin" but my title for the company is Information Security Analyst. And I have had many jobs call about "Security Analyst" positions that have similar duties as mine.

However I also had an interview for a "SOC" job with a Fortune 100 company that was WAY more advance than what I do. As a previous poster said, you can't really go by titles. I had calls for a "Senior Security Engineer" that paid way less than I make, and had less responsibility.

it sounds like your role is a more traditional SOC, which I never really worked at. However I did work in a NOC and I found it very educational and it really helped me build my skills

tpatt100

I worked as a security analyst for several years and when opportunities come up myself and the people I worked with usually all get called as well.

There is a bad shortage of security workers, the problem seems to be getting calls for work I can't really do seems to greatly outnumber the jobs I can do.

inverse_one

Personally, when I think of security I don't get that excited. For me, the thought of having to look at logs and make sure things are "secure" is a bit dreadful. If you have to make changes to the environment, you have to go through someone else. The skills of building systems or networks and maintaining them go stagnate thus siloing your skills just to security. Obviously there are exceptions to this, where people can design security systems from the ground up, but most places can just have a consultant do that work and just have someone working for the company monitor things.

RoyalRaven

My experiences are very similar to si20's. Tried the security route twice in two different organizations only to have had short-term happiness.

I came up through the technical ranks (sysadmin for many years) then cut over to being a security officer for a hospital. It was a great way to learn business skills, but throughout the two years of doing that, I felt my technical skills declined and I was getting frustrated. I had the opportunity to jump back to technical work and did that for about 5 years again in the same organization. In that time, finished a masters degree, got the CISSP, etc, with a more long-term focus on security as an end-goal. Got the chance to take on a security analyst role at another organization. Almost a repeat of the prior experience...learned all sorts of new less-technical skills (such as risk management), but never got to leverage the old technical skills at the same level as before.

The thing I noticed is that I understand security and it's not bad work. However, after a while, the fun of it wears off for me. It becomes a bunch of meetings, discussions, and frustrations over time. It gets worse when you get a lot of highly-qualified security people because we can never agree. In comparison to my technical jobs (high-level support/sysadmin/design), I *never* really got frustrated and there was always a different sort of passion for hands-on technical work. Every time I've been separated from the operational-type work, I long to go back to it.

So I've been fighting going back and forth from security vs. sysadmin. Security is in extremely high demand and I'm constantly pinged for security work. It pays well, however, I also have two major priorities for me that keep me from going after high-profile roles. I do not want to move at all and I want a short commute (30 min or less). I took a role that has a 45-1hr commute (worse in winter) and I despise it now. I'm in a mid-market with major cities about 1-1.5 hrs away...90% of the security jobs are in the larger cities and do not meet my travel criteria. It's frustrating trying to find new roles as I'm already starting with a smaller pool (but there are interesting opportunities from time to time that do meet my criteria, so I hold out for those).

Time to time I think about potentially going into management-type roles. I recently went to a lecture where Steve Wozniak spoke. He talked about his career progression and that he refused to be anything but the best engineer. He didn't go after management roles. He knew what he wanted to accomplish. That helped hearing that the end goal is not always moving up the career ladder to the top role....we get so focused on promoting up that you start forgetting what mattered and why you're in IT in the first place.

In summary...it comes down to what you really, really want to do everyday at work. I figured out I'd rather be working with hardware/datacenters/operating systems, etc, so I'm pushing to go back into that area. I think it will help me be happier with my daily work and to enjoy IT more...regardless of pay, etc....just as long as I have what I need to meet any of my current obligations (home, family, etc.) I can always go back to security...but I find it extremely difficult to go from security to other roles because I feel like I'm losing my technical skills. It's good to have experience to leverage from prior sysadmin roles and I do find myself much more reliant on those than the security skills in a competitive job market.

Consider the reasons why you want to make in-roads into security and make sure they align with your passion and goals. I don't regret trying these things out - they've helped give me new perspective - however, I'd rather enjoy my work daily than to fight it. The old adage "if you love what you do, it's not work" has meant a lot to me. When I haven't loved what I do, it's a real struggle.

NetworkNewb

si20 wrote: »

But has your phone been ringing for other SOC jobs? A security analyst doesn't secure the network, nor configure things. A security analyst, by definition, monitors the network for threats. Some people call this a "SOC monkey". If you are configuring security devices, you're not really a SOC Analyst, you're a security admin/network person (can't think of a job title to describe what you might do).

I'm with Mike-Mike, I would be considered an admin too by your description but my title is Security Analyst... I've also been spending a lot of time writing powershell applications to help speed up audit processes.

si20

From what i've read just in this thread alone - SOC experiences vary greatly. There are SOC's with immature, lazy people, SOCs where you lose skills, SOCs where you can gain skills and SOCs where you get to be a security device manager/admin. My advice is: search for SOC advice and security analyst advice on this forum and you'll gain an insight into the world of being a security analyst.

Every company has a different idea of what a security analyst is. It really is pot luck. I've worked at 2 SOCs for 2 years (1 year at each) and they are worlds apart - both awful - lost serious knowledge at each one - but they're different. At the first role, I was allowed to make proxy/firewall changes. At the second, i'm stuck on arcsight the entire day running reports.

When I look for other SOC roles - they ask about my PCI/compliance exp - of course, I have none, because I run reports all day long. I look at Linux jobs - well, I don't work with Linux day to day. The only job i'm now capable of is forensics or 2nd line support - both of which are around 20k.

My advice is: just be so incredibly careful getting into compliance focused roles. They can mess you up.

alias454

I thought I would throw one last comment on here. I interviewed for the new role and was hired for it. I also get a 10k pay bump making me pretty happy. I will still continue to do some of the things I was doing while letting go of some others. Overall, it is a very positive move.

Mike-Mike

10k is pretty legit, congrats

clintonia

Very positive news, congrats!

coffeeluvr

Congratulations!