"Security Generalist" is gone. How do you focus long-term training?

"Ok, you're a pen tester, now where do you see yourself in five years?"

It's easier to make education and training choices when you're starting in information security, but I've been a penetration tester for nearly two years now (not long) and I'm feeling lost again, though I do love my job, this is not endgame.

The training out there tends to cap at mid-level complexity, and all the "advanced" courses are either not that advanced or exploit development, and the latter isn't that marketable. You're basically on your own.

There's "learning", and "specialising". You can learn everything all the time, but you can't really specialise in mobile, web, wireless, application, network, coding, forensics, etc. all at the same time, or ever, so what do you do? I've started to narrow my options by process of elimination, crossing out domains I know I don't want a committed future in, what's your method? How do you plan what's next after you've already "made it"?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

LordQarlyn

The Security Generalist is dead, long live the Security Generalist!

Honestly, I never thought there were much of a demand for generalists in IT in the first place. Outside of small organizations where the IT individual could be expected to have skills in broad areas of IT, including security, most of the positions are for a specific area.

Then it just goes that you need to find your passions and try to align them with market trends. There's something out there for everyone, and if you happen to be a specialist in a niche field, then be damn good at it. Start looking for jobs in those areas and concentrate your training there. That's where I start myself. I've found where I am passionate about and started focusing my training and certification along that route. It doesn't mean I can't learn about other areas. I haven't stopped learning about hard sciences just because I am focusing my career in information security.

UnixGuy

@Sheiko37: You can become a team lead for Pentesters within an organisation or you can join a consultancy where you get to do pentesting for different customer sites, maybe learn news skills like pentesting SCADA, or more web apps if you don't do that already, or Mobile apps pentesting, or maybe pickup Reverse Engineering for Malware. Joining a service provider, you can do engagement that are not limited to Pentesting, you can do risk assessments, implementations, etc....or maybe get into Pre-sales? join a vendor?

I know what you mean though, I capped out at 'mid-level' and didn't know where to go from there as well...

Sheiko37

LordQarlyn wrote: »

I never thought there were much of a demand for generalists in IT in the first place.

I'm not sure if the term even existed before current times, where it's only used to refer to something that doesn't exist anymore. Would someone refer to themselves as a "generalist" in an emerging field?

@UnixGuy, I could just aim for more and more senior positions in penetration testing, though that'd be the "just learn everything" trajectory. Personally, I've drawn a line through mobile and SCADA/ICS, however I think they'd be great areas of specialisation. GRC I've also moved away from since our company has a dedicated team for that, and seeing the inner workings turned me off.

I have a big training budget just sitting there for the moment, and all of the SANS courses I'm interested in unfortunately aren't scheduled to come to my country. It's hard to predict the future of InfoSec.

UnixGuy

@Sheiko: if you have budgets for SANS, then how about SANS FOR 508 ? It's not pentesting but will give you excellent background in IR

660 is a great SANS course as well

tedjames

Sheiko37 wrote: »

"Ok, you're a pen tester, now where do you see yourself in five years?"

In five years, I don't just want to be a pen tester; I want to be a GREAT pen tester.