Turned down a $60/hr Contract Job!! Right decision or not!

egrizzly Posts: 294 Member
I have a background as a Threat Monitoring Analyst. We got laid off recently so I applied for a Security Analyst contract role with one of the top 3 major ISPs in the country. Everything was good and I made it to the final round interview.

At the final round interview I came to find out it was just a Compliance role and I would be the only person there. I would be working with no software platforms, no senior analysts, and no immediate resource except the direct manager, whom I would be talking to through Skype. What would my job be? To identify the gaps in the security controls they put in place and figure out which immediate short-term solutions to apply there, then report to the manager to determine a more permanent solution.

All I would have to work with is just policies and I would be the only one there.

I would literally be the ONLY one representing this big ISP at that building.

So anyway, just this morning my gut told me to turn down the job since it was a contract role, especially since I had been invited for a final round interview at another company offering a permanent/full-time role in Incident Response.

So from a gut feeling I turned down the opportunity where I could have made $60/hr.

So did I just blow it?  ....or am I together with my thoughts on this?

Comments

  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,888 Member
    Were you getting the same or near the same amount offered at the second job you are looking at?

    Was it a contract to hire position?

    Being that you were recently laid off, it would be the wiser decision to obtain something that is considered full-time / permanent. It is only natural to want something concrete after being laid off. 

    It happened to me back in 09 and to be honest I was sketchy about getting any contract jobs. I just wasn't sure if they were going to be permanent, was I going to have to look for another job 6 months from now, do they even care about my position or were they just filling some type of audit checkbox?

    It's OK to be suspicious of contract jobs without any indication from the employer that it's contract to hire. If it is contract to hire, technically you can view most jobs as contract to hire since we all mostly start off on a probation period for 6 months.

    I feel you have options here.


    2019 Goals:
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
    2020 Goals:
    Certs: AZ-500, MS-500, Pentester Academy - PACES, Varonis Certified Admin (in-progress)
  • PCTechLinc CISSP, CHFI, CEH, MCSA Server 2008, Project+, Security+ce, Server+, Network+, A+ King City, CA Posts: 624 Member
    Normally I would say that contract jobs aren't too bad at face value.  However, after reading what you would actually be doing and to whom you would be reporting... sounds a bit too temporary, for a specific purpose.  I would be extremely skeptical in that regard.
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • EANx Posts: 1,078 Member
    In that position, I would have tried to delay the response at least until after interviewing with company #2.
  • draught Posts: 228 Member
    If the job you turned down paid $60/hr what is the job you decided to take paying?

    Also what major certs do you have besides the CCNP to get up to point? Since these forums no longer have a cert section that shows our certs sadly.


  • kaiju Posts: 402 Member
    edited October 23
    As long as you are not hurting for employment it seems like you made the correct decision since a permanent position is your ultimate goal. Good luck with the next interview.

    Work smarter NOT harder! Semper Gumby!
  • tedjames Scruffy-looking nerfherdr Posts: 1,054 Member
    Contract money sounds great, but it almost sounds like you would be thrown to the wolves. "Here's a hammer and nothing else. Go build a house." Better to go with the permanent job.
  • scaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind you Posts: 2,716 Mod
    Your gut was right. :-)
    Never let your fear decide your fate....
  • MitM Posts: 594 Member
    It sounds like you weren't into this gig.  If that's true, it can't be the wrong decision

    Btw what is typical salary for a full time threat analyst? 
  • SteveLavoie Posts: 663 Member
    Follow your gut... often he is right.. 
  • egrizzly Posts: 294 Member
    MitM said:
    It sounds like you weren't into this gig.  If that's true, it can't be the wrong decision

    Btw what is typical salary for a full time threat analyst? 

    Usually from $80 - $95K according to the manager that interviewed me.
  • scasc Posts: 226 Member
    Always follow your gut - never go wrong. Personally speaking I would have done the contract - that's because I am a contractor and happen to work in Security Risk, Compliance, Governance etc. But if this type of work and role is not for you keep away. 
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GCCC, CEH, CHFI, TOGAF, CISMP
  • Mooseboost Senior Member Posts: 775 Member
    Just going to throw this out there, if this happens to a provider that rhymes with  Nomnast - you might be glad you made that decision. I have peers that came from there in compliance roles that were misrepresented to them and it wasn't.. pleasant. 

    There are only a handful of times in my career that I have gone against my gut instinct. That isn't a mistake I make these days because, in every single instance, it has resulted in a lot of headaches for me. 
    2020 Certification Goals: OSCE GXPN
    Blog: https://hackfox.net
  • egrizzly Posts: 294 Member
    scasc said:
    Always follow your gut - never go wrong. Personally speaking I would have done the contract - that's because I am a contractor and happen to work in Security Risk, Compliance, Governance etc. But if this type of work and role is not for you keep away. 
    Quite interesting.  It was a pure Risk & Compliance role however what threw up red flags to me is that the manager from the big ISP said "you will not be working with any type of security industry software, just 100% policy and procedures documents".  So tell me then.  Is this the norm in Risk/Compliance work?  Also I had another unrelated question for you.

    It looks like you went ahead and did an M.Sc as well as CHFI (Forensics) and CEH (Pen Testing).  In which order did you do these?....and how do you keep all of them up to date since most certs expire once every 3 years.
  • scasc Posts: 226 Member
    Hi - there are two parts to it. Either you are assessing and determining your security/compliance posture against a particular standard (e.g. checking design/operating effectiveness of controls against NIST/ISO/PCI etc) or you are working to help improve policies, standards and documentation as these have been already identified as being out of date/non-existent etc. Normally the latter is done after the former and the assessor would not be doing the work - to remain impartial and independent. Just depends at what point you come into a project.

    I did my MS back in 2005 - when security was literally in an embryonic state. Straight after my BS here in London, Eng. 

    CEH was the first cert I did to give me a foundation but I did CISSP soon after. CHFI I did some time after but to be honest not really worth it for my background.

    As I’m a contractor I run my own business so try to take time out every year to do a course - literally just done 566 with SANS last week. Other good ways are to listen to webinars from BrightTALK for example.

    Hope this helps. 

  • RogueEnigma Posts: 14 Member
    Agree with the rest. Follow your gut. I currently am in a role as threat analyst, SOC manager, but have been offered roles in the compliance arena for a few years now. Sometimes for much higher salary. If you enjoy what you do, taking a job purely based on a higher salary will not make up for being bored at work doing something you hate.
  • egrizzly Posts: 294 Member
    That was exactly my reasoning for turning it down. Coming from a Threat Analysis background I not only was gonna be the only person representing the company there, it was gonna be a purely Risk & Compliance role where you literally used no software applications of any kind, so even though the pay was 35K more than I made in the previous company, the fact that I would get bored and do something out of boredom that would get me terminated anyway just popped out as a big red flag leading to my decision to turn down the position.
  • egrizzly Posts: 294 Member
    Ok, the job I turned down was gonna be the "latter" where a majority of the role involved working to help improve policies. Thanks for the responses on the order of acquiring the credentials/degrees. Having now learnt of your business owner status, here's two more questions for you:

    1. Do you use staffing agencies to get the contract roles or did you create a company and are contracting through that?
    2. So did you have to read any book to help you learn how to do the contracting part of the work?

    Just curious as I had been researching how to become an information security consultant for the past week now.  
  • scasc Posts: 226 Member
    No problem at all - 

    1. I have my own company that I use to do my contract work. In order to obtain these - it's a mixture of staffing agencies, job boards, recommendations, previous work with previous clients, LinkedIn etc.

    2. I did not read any book per se, however researched what I could to make sure I understood what needed to be done. You are based in the US right? I am based in the UK - setting up a company literally takes 20 minutes. As long as you understand what needs to happen to run the company you are good to go - company accounts, tax returns, dividend statements, expenses etc.

    There was that good webinar with Ted from SANS (https://www.sans.org/instructors/ted-demopoulos) last week where he outlined what you need to do to become a consultant - check out the past webinars you may find it will help. Ted also offers training in this area.
  • egrizzly Posts: 294 Member
    You're awesome @scasc ....Thanks for all the info and sharing of resources.
  • scasc Posts: 226 Member
    No problem at all - best of luck. The US market seems to have an insurmountable appetite for cyber professionals, certainly something I have been looking at recently to try first hand - even being a UK citizen, seems to be pretty difficult due to the Government's policy of foreign workers. Check out the info from Ted.
  • TechGromit A+, N+, GSEC, GCIH, GREM, Ontario, NY Posts: 1,916 Member

    While $60 sounds like a lot of money, when you consider all the extra taxes you have to pay, it's really not all that much. You have to pay the full cost of Social Security and Medicare, 15.3%; normally about half of this amount is paid by your employer if you're a full time employee, as a contractor you bear the full burden of the cost. Then you have medical benefits, assuming you get COBRA, it's going to run you around 15k a year, but easily could be double that amount if you have to get insurance on your own without the great group rate plan your employer negotiates with the insurance company as a full time employee. About 50% of your pay rate is used up by Federal taxes and Medical coverage, this isn't even including state taxes. Now if you can get a full time job at 100k a year, while the base salary is less, you make out better deduction wise. I would want to see at least $80, if not $100 an hour to justify a cost benefit ratio over a full time position.

     

    Still searching for the corner in a round room.
  • bigdogz Posts: 590 Member
    Working for small ISPs you are a jack of all trades. The same could be said for bigger ISPs but it is not as prevalent. You may have been working with a handful of people but it is not hands on and the pay is not that much. If it was a bump in pay and I had no other income, I would have taken it to keep the bills paid until I found a new job. I have had to do that a few times in my career.

    I just hope things work out well for you.   