MitM said: It sounds like you weren't into this gig. If that's true, it can't be the wrong decision. Btw, what is the typical salary for a full-time threat analyst?
Usually from $80 - $95K, according to the manager who interviewed me.
scasc said: Always follow your gut - you'll never go wrong. Personally speaking, I would have done the contract, but that's because I am a contractor and happen to work in Security Risk, Compliance, Governance, etc. But if this type of work and role is not for you, keep away.
egrizzly said:
scasc said: Always follow your gut - you'll never go wrong. Personally speaking, I would have done the contract, but that's because I am a contractor and happen to work in Security Risk, Compliance, Governance, etc. But if this type of work and role is not for you, keep away.
Quite interesting. It was a pure Risk & Compliance role; however, what threw up red flags for me is that the manager from the big ISP said "you will not be working with any type of security industry software, just 100% policy and procedures documents". So tell me then, is this the norm in Risk/Compliance work? Also, I had another unrelated question for you. It looks like you went ahead and did an M.Sc. as well as CHFI (Forensics) and CEH (Pen Testing). In which order did you do these? And how do you keep all of them up to date, since most certs expire every 3 years?
RogueEnigma said: Agree with the rest. Follow your gut. I am currently in a role as threat analyst / SOC manager, but have been offered roles in the compliance arena for a few years now, sometimes for a much higher salary. If you enjoy what you do, taking a job purely based on a higher salary will not make up for being bored at work doing something you hate.
scasc said:
egrizzly said: Quite interesting. It was a pure Risk & Compliance role; however, what threw up red flags for me is that the manager from the big ISP said "you will not be working with any type of security industry software, just 100% policy and procedures documents". So tell me then, is this the norm in Risk/Compliance work? Also, I had another unrelated question for you. It looks like you went ahead and did an M.Sc. as well as CHFI (Forensics) and CEH (Pen Testing). In which order did you do these? And how do you keep all of them up to date, since most certs expire every 3 years?
Hi - there are two parts to it. Either you are assessing and determining your security/compliance posture against a particular standard (e.g. checking design/operating effectiveness of controls against NIST/ISO/PCI, etc.), or you are working to help improve policies, standards and documentation, as these have already been identified as being out of date/non-existent, etc. Normally the latter is done after the former, and the assessor would not be doing the work, to remain impartial and independent. It just depends at what point you come into a project. I did my MS back in 2005, when security was literally in an embryonic state, straight after my BS here in London, Eng. CEH was the first cert I did, to give me a foundation, but I did CISSP soon after. CHFI I did some time after, but to be honest it was not really worth it for my background. As I'm a contractor and run my own business, I try to take time out every year to do a course - I literally just did 566 with SANS last week. Other good ways are to listen to webinars from BrightTALK, for example. Hope this helps.
egrizzly said:
scasc said: Hi - there are two parts to it. Either you are assessing and determining your security/compliance posture against a particular standard (e.g. checking design/operating effectiveness of controls against NIST/ISO/PCI, etc.), or you are working to help improve policies, standards and documentation, as these have already been identified as being out of date/non-existent, etc. Normally the latter is done after the former, and the assessor would not be doing the work, to remain impartial and independent. It just depends at what point you come into a project. I did my MS back in 2005, when security was literally in an embryonic state, straight after my BS here in London, Eng. CEH was the first cert I did, to give me a foundation, but I did CISSP soon after. CHFI I did some time after, but to be honest it was not really worth it for my background. As I'm a contractor and run my own business, I try to take time out every year to do a course - I literally just did 566 with SANS last week. Other good ways are to listen to webinars from BrightTALK, for example. Hope this helps.
Ok, the job I turned down was gonna be the "latter", where the majority of the role involved working to help improve policies. Thanks for the responses on the order of acquiring the credentials/degrees. Having now learnt of your business owner status, here are two more questions for you:
1. Do you use staffing agencies to get the contract roles, or did you create a company and contract through that?
2. Did you have to read any book to help you learn how to do the contracting part of the work?
Just curious, as I have been researching how to become an information security consultant for the past week now.
scasc said:
egrizzly said: Ok, the job I turned down was gonna be the "latter", where the majority of the role involved working to help improve policies. Thanks for the responses on the order of acquiring the credentials/degrees. Having now learnt of your business owner status, here are two more questions for you:
1. Do you use staffing agencies to get the contract roles, or did you create a company and contract through that?
2. Did you have to read any book to help you learn how to do the contracting part of the work?
Just curious, as I have been researching how to become an information security consultant for the past week now.
No problem at all.
1. I have my own company that I use to do my contract work. In order to obtain these, it's a mixture of staffing agencies, job boards, recommendations, previous work with previous clients, LinkedIn, etc.
2. I did not read any book per se; however, I researched what I could to make sure I understood what needed to be done. You are based in the US, right? I am based in the UK, where setting up a company literally takes 20 minutes. As long as you understand what needs to happen to run the company, you are good to go: company accounts, tax returns, dividend statements, expenses, etc. There was a good webinar with Ted from SANS (https://www.sans.org/instructors/ted-demopoulos) last week where he outlined what you need to do to become a consultant; check out the past webinars, you may find it will help. Ted also offers training in this area.
While $60 sounds like a lot of money, when you consider all the extra taxes you have to pay, it's really not all that much. You have to pay the full cost of Social Security and Medicare, 15.3%; normally about half of this amount is paid by your employer if you're a full-time employee, but as a contractor you bear the full burden of the cost. Then you have medical benefits: assuming you get COBRA, it's going to run you around $15K a year, but it could easily be double that if you have to get insurance on your own without the great group-rate plan your employer negotiates with the insurance company for full-time employees. About 50% of your pay rate is used up by federal taxes and medical coverage, and this isn't even including state taxes. Now, if you can get a full-time job at $100K a year, while the base salary is less, you make out better deduction-wise. I would want to see at least $80, if not $100, an hour to justify the cost/benefit ratio over a full-time position.