For those who worked in Infosec and then left, are you happier now?

packetphilter

For anyone who worked in Infosec, but then decided to move into networking, system administration, or some other area of IT, do you regret your decision? Also, did you find the transition difficult and how are your stress levels now compared to back then?

H-bomb

What the what? Usually you go IT to Infosec....

packetphilter

H-bomb wrote: »

What the what? Usually you go IT to Infosec....

Then I guess I'm looking to hear from the unusual...

TechGromit

I guess you looking for disgruntled former IT / Infosec employees. Well when I get disgruntled in a particular field, the first place I go to a website forum that specializes in keeping up my skills for my former field.

packetphilter

TechGromit wrote: »

I guess you looking for disgruntled former IT / Infosec employees. Well when I get disgruntled in a particular field, the first place I go to a website forum that specializes in keeping up my skills for my former field.

I take it that is sarcasm? I apologize, but I don't see the confusion in my initial post. I'm not looking for former IT people. I'm looking for former Infosec people who are still in IT, but now in a different area of IT.

Mike7

Infosec is very broad and you can move between domains, say from SOC to pen testing to GRC/auditing and even to infosec sales. You can also move to management.

RoyalRaven

I think a lot of you are missing the point of the question. It's legit.

Many people see security as the higher goal - but it's completely easy to burn out for a while there. I come from a very technical-heavy background and have jumped back and forth between security and sysadmin based on opportunities that landed in front of me.

What I can say is that when I was back in sysadmin work, I always felt like representing/trying to get into more security work as it somewhat seemed natural (I did a lot of security related functions and projects, but was still supporting other systems and was not classified as dedicated security). When I have been in security, I absolutely miss the depth of hands-on work and over time keep giving more of that up. There's something to be said on being on a dedicated security role...you definitely get more authority in the subject area, but you also have to let other people focus on the stuff that isn't your role.

I have found that I have built a solid tech/security background that is extremely in-demand and valuable, however, it's hard to keep both trains going forward at the same pace...and I think at this point I've settled on staying in security long-term. It means I won't go to the same depth as I was before in the technical areas, but I feel since I'm also spending more time on business and IT functions, I'm more diverse in skill set.

I think happiness is subjective and conditional. If I enjoy the work, I'm happy. I would say I'd only regret if I stalled/never advanced, and taking a step away from security is ok for a bit, but its probably not the best long-term goal if you enjoy the discipline.

NOC-Ninja

When you say infosec. What do you really mean?
The firewall guy? The Nessus scanner guy? The Risk management guy? The pen tester guy? The policy maker that have no idea how to tech?
The security guy that hardens the systems/group policy/vms? The ISE guy? The guy that reviews the logs? The physical security that deals with badges and locked doors? The lists goes on!

Infosec is big!

packetphilter

RoyalRaven wrote: »

I think a lot of you are missing the point of the question. It's legit.

Many people see security as the higher goal - but it's completely easy to burn out for a while there.

I think this is why I'm having trouble with my question. People just operate under the assumption: "Why would anyone want to leave infosec? That doesn't make any sense. No one would leave infosec to do something else in IT." And perhaps for the majority, that's true. But I still believe there exist at least a few people out there who were in infosec, but then left for another area of IT. Maybe there are none on this site and I won't hear from any, but it doesn't hurt to ask.

To respond to NOC-Ninja, I mean all those areas of Infosec. Red team, blue team, management, etc. I am interested in hearing stories from anyone in any area of infosec who decided to leave infosec for something else in IT.

Maybe you used to be a red teamer/pentester making $100k+/yr, but got tired of it and decided to go administer a red hat network for 55k/yr where you just type useradd twice a day. Just curious if anyone has stories like that and if they're happier because of the change.

TechGromit

packetphilter wrote: »

Maybe you used to be a red teamer/pentester making $100k+/yr, but got tired of it and decided to go administer a red hat network for 55k/yr where you just type useradd twice a day. Just curious if anyone has stories like that and if they're happier because of the change.

You would be hard pressed to find someone that took that kind of pay cut to make a change in there careers, the more likely situation is I'm tried of being a red team/pentester making 100k+ a year, I think I'll try Blue Team Incident Response making 100k+ a year.

Something similar could happen, I know one young girl in her 20's that landed a Federal job at the FAA making 80k a year that did documentation, after a few years on the job, her supervisor changed, she hated her, real personality conflict. She attempted to change departments, but her manager blocked her, she ended up quitting and become a homemaker after her Husband landed a decent paying contracting job. Yes, they earned a lot less money without her salary, but it was more than worth it to her to do without the stress.

I recall another story about a ******* couple that lived together, they were both pit managers in the casinos in Atlantic City, they were making a great living but the stress was killing them, they both took a good size pay cut to become Floor People instead. Floor People are one step down from a Pit boss, they are responsible for monitoring several tables, where the pit boss is responsible for the entire pit, sometimes two pits.

Hmm Strange, what exactly do you call two women who love each other, apparently it's a dirty word.

LonerVamp

This seems to depend so much on various things and people. I'd restate NOC-Ninja's questions: What are we really talking about here?

Some areas of infosec are quite deep, and very broad across IT. I tend to still get my sysadmin fix while in infosec, and that without the stress of being on-call for operational emergencies. I'm basically half a consultant as I have access to more things than pure server or desktop admins have access to (since I cover them both!).

But I can certainly understand if an infosec role is very narrow, such as just looking at a WAF all day or looking at data classification all day or IAM or just sitting watching VM scanner results at tier 1. In many of those cases, perhaps finding a role in a smaller company is the correct route to go?

Some of the burn-out, I think, comes from the fact that you really can't "win" as security. If you did, you'd be out of a job, ya know? It's a constant balance in the grey area between black and white, secure and insecure. Business makes a strange decision you don't agree with? Stress. Knowing you might be one major breach away from losing a job? Stress.

For others, such as red teamers, the hours can absolutely suck, especially if you're constantly boxed into doing your work overnight or on weekends. And some of them don't get paid what they should for the work they put into ever-decreasing time windows.

And I imagine in some places, the infosec team is a pure cost and probably view themselves as expendable early on when sales dip down for a few years. I can understand that, too. That's sort of about not feeling like you're a valued member of your team or organization.

I wonder if one of the other solutions you might find would be switching off duties in-house. Or if needing a chance of pace, try being a sales engineer for security companies, or security consultant for a while, and later go back to full-time in one house again. Maybe transition to red team for a bit and later back to blue team and so on. Maybe transition to security engineer/architect and go from maintaining things to building things, or back to maintaining for a while.

packetphilter

LonerVamp wrote: »

This seems to depend so much on various things and people. I'd restate NOC-Ninja's questions: What are we really talking about here?

I disagree. I don't think what I'm asking here depends on anything. I'm simply asking any people who have switched from any infosec role to any non-infosec role in IT to share their experiences. What exactly does that depend on? It's like if I asked people to share their story about catching a ball at a baseball game, and then someone responded with, "Well, that depends...what country are we talking about here? Do we mean a home run ball or foul ball?" And then I'm just left with a kind of blank expression, confused as to how they're confused.

I feel like people are making assumptions I'm not asking them to make. The end of your post seems to try to offer me advice, and I never asked for advice in my personal career. I simply asked people to share their experiences...nothing more.

LeBroke

I think I can actually contribute to OP's question.

I actually started off in infosec (after doing some part-time work for a security consulting company). Mostly I was, as someone above succintly put it, "The Nessus scanner guy." Nothing fancy, run automated scans, and then use tools and a lot of Googling to verify scans are legit. Eventually, started writing reports, doing basic pentesting, and some risk assessment stuff.

Never made more than $20-25/hour in this role, mostly part time (with about 4 months where I had enough work for it to be full time). Company eventually wanted to bring me in full-time.... in a sales role, at $14/hour, contracting (so no benefits), and thinly veiled the role as consulting instead of sales like it was.

I didn't take the offer, though I kept doing part time work for them until pretty recently (though was charging a fair amount more past a certain point).

I had an opportunity to go back to security (got offered a security analyst role about a year after that), but chose to decline as the salary was way too low.

I currently work in infrastructure, a combination of DevOps and cloud architecture, also making way more than I ever could doing security in my area.

Honestly, I'm not sold on security. I find it a lot more boring. I don't get a kick out of rooting a box or doing any other hacking... Either I know how to do it, in which case I don't see it as a challenge since it feels like I'm just doing stuff I already know. Or I don't, and I don't really know where to start figuring out. This is the technical stuff... The non-technical is even more boring. I hate paperwork and I hate having to deal with it. I like dealing with people, and I like technology, but I don't much care for processes, requirements, compliance, or other such BS. This seems to take up 90% of almost every security engineer's job.

On the other hand, I love building things, and I like immediate gratification. Typing 'terraform apply' and seeing it spin up 30 different resources in 30 seconds is much more satisfying to me than making yet another presentation on "And here's this month's list of critical CVEs. I've made a bar graph showing our most vulnerable resources. Windows team, can you please take care of X and Y? I've made a JIRA for you. DBA, Z is mostly an issue with our version of MySQL. When can you patch it to version Z+1 or later?"

UnixGuy

I understand your question and I can contribute a bit

I moved from System engineers (very hard core technical) to "Security"

So many times during my security roles I was tempted to go back or worse, completely change industires as I found some (most) of the work VERY boring

I took 3 job changes throughout 3.5 yrs and one promotion for me to start enjoying the work and it only happened after I started to have more impact on the organisation as a whole - this came with more business related activities than technical, but I still get technical challenges on specially in labs, POCs, trainings (SANS, eLearnSecurity, Offsec)...sometimes those training labs are more interesting that actual 'real work

Moldygr33nb3an

InfoSec as so many different concentrations, I imagine it would be hard to find someone who "got tired of it." I mean, I can understand getting tired of running scans, creating accounts, or making sure the personnel sign their AUP, but the great thing about IT in general is, you can learn a different discipline and move onto doing something else - and in this case - within InfoSec.

Threat hunter getting boring? K go red team.

Endpoint security not your thing? Go network security.

etc...

I think it depends how you see your career. Are you just trying to find something you're comfortable with? Or are you looking for something that you're passionate about?

I love picking up new things. I do get bored with something quick, so I just pick up additional tasks on my spare time.

Recently I got into bug bountys.

I comb websites looking for XSS, CSRF, and SQLi vulnerabilities and I report them. No money needed. Just doing it for fun.

I run a tor node, I read books. Teach.

Anyway, getting back to your main point, I think with the ambiguity of titles in IT and the roles that come along with those titles; if you feel you're getting bored doing something, then either A: go somewhere else or B: learn and do something else.

To be happy at a job means you're doing what you love. If you're happier leaving that, then you weren't really happy.