Career Crossroads

HackerGuy2020

I've been employed as a Network Security engineer providing enterprise FW and VPN support for close to 4 years for a large health care provider. Our security department is large is heavily segmented (NetSec, SOC, Vulnerability Management, Phishing, etc.) so there isn't much room to grow outside of the technologies you manage. I'm the senior member of our Operations team so I'm not the dumbest person in the room anymore. I've discussed openly with my supervisor about transferring internally to other security teams for a fresh start. I've applied for internal positions 4 times over the 4 years I've been hear, most of that being within the past 2 years. Each time, it has fallen through. My supervisor knows my career goals align better in the Vulnerability Management side, but there's only so much he can do. I've been looking externally for positions over the past year as well, but the problem is I think I'm so siloed in my responsibilities, that I'm 'too specialized' for the roles I apply for. Everyone seems to want a security generalist with experience in FW, SIEM, pen testing, etc.

I'm pretty bummed the internal transfers have fallen through over the past year as well as nobody externally wants to give me a chance. I'm not sure where else I can go from here. I'm definitely looking to move on from Network Security. For what it's worth, I recently obtained my eJPT and I'm currently studying for my OSCP.

Any advise/thoughts/suggestions are greatly appreciated!

Find more posts tagged with

Comments

itdept

Hmmm, I don't have much sage advice for you. Have you tried to establish any relationships between yourself and employees or managers in the other departments? Maybe if you can build some personal connections that might help you.

jasper_zanjani

There are lots of people hungry to get into the door, and just the possibility of getting an interview for a position like the one you are so desperate to leave - senior engineer working for a large enterprise - would be the fulfillment of years of work for a lot of people on this forum. So if you're here to bellyache about not being promoted as quickly as you'd like over the past two hiring cycles, well I think you won't find much sympathy here. I suggest, rather than asking for encouragement, you should be giving it to others on this forum who are your juniors in knowledge, experience, and earning power.

HackerGuy2020

itdept said:

Hmmm, I don't have much sage advice for you. Have you tried to establish any relationships between yourself and employees or managers in the other departments? Maybe if you can build some personal connections that might help you.

Our department works closely with the SOC and Vulnerability Management Teams. Both managers are familiar with my background and skill set. I reached out to the one to specifically ask what he'd look for in a prospective candidate.

HackerGuy2020

jasper_zanjani said:

There are lots of people hungry to get into the door, and just the possibility of getting an interview for a position like the one you are so desperate to leave - senior engineer working for a large enterprise - would be the fulfillment of years of work for a lot of people on this forum. So if you're here to bellyache about not being promoted as quickly as you'd like over the past two hiring cycles, well I think you won't find much sympathy here. I suggest, rather than asking for encouragement, you should be giving it to others on this forum who are your juniors in knowledge, experience, and earning power.

It was never my intention to come across as entitled or ungrateful for theopportunities I've been given. I'm not a senior in terms of title, all promotions were put on hold due to covid-19. I'm the most seasoned engineer on our Operations Team which handles the day-to-day responsibilities of troubleshooting, firewall policy management, etc. I think it's reasonable to expect continued career growth within a role that you're in. The problem is our duties are so siloed so daily tasks have become mundane. I need constant challenges to keep me engaged and my current team isn't providing that. I guess my question is where is one supposed to go if internal transfers fall through, and nobody externally will give you a chance?

p0sitron_col1dr

HackerGuy2020, I understand your situation. As a security engineer, what has helped most is joining various "cybersecurity" chapters and local Defcon meetups. These events (whether virtual or in-person) have helped introduce me to a host of new contacts, offers mentoring, provides insight into issues that other organizations face along with opportunities to collaborate as a community on solutions, hosts guest speakers, and often there are other members present who are striving toward similar career goals (including education or certifications) and willing to form study groups. I would consider the opportunity to collaborate has been most beneficial feature as it offers the ability to gain personally in regard to professional development while at the same time provides a structured method of giving back to the community.

LonerVamp

1. Take a good look around you on your team. You're a senior person. May it be possible the other roles you are looking to are wanting someone less expensive or more junior? Vulnerability Management is not terribly "hard" per se, and there may not be any room for a senior person there? Just keep that in mind. I don't know your situation. Do you have any internal teams dealing with risk assessments? That may be a way upward.

2. I would look into gathering up your CISSP if you want to push that well-rounded part. It should open doors if you don't already have it.

3. With your interest in the OSCP, I'd open discussions with your supervisor or even director about internal red team or threat hunting opportunities. Maybe even internal pentesting, but that tends to be an expensive way to prove the same thing a vulnerability scan is telling them: "Vuln here, and it's X criticality."

HackerGuy2020

LonerVamp said:

1. Take a good look around you on your team. You're a senior person. May it be possible the other roles you are looking to are wanting someone less expensive or more junior? Vulnerability Management is not terribly "hard" per se, and there may not be any room for a senior person there? Just keep that in mind. I don't know your situation. Do you have any internal teams dealing with risk assessments? That may be a way upward.

2. I would look into gathering up your CISSP if you want to push that well-rounded part. It should open doors if you don't already have it.

3. With your interest in the OSCP, I'd open discussions with your supervisor or even director about internal red team or threat hunting opportunities. Maybe even internal pentesting, but that tends to be an expensive way to prove the same thing a vulnerability scan is telling them: "Vuln here, and it's X criticality."

I've inquired to my supervisor about any internal testing engagements. We do have a separate security team that performs internal engagements against our applications. My management team won't reimburse me for the OSCP cert because 'they'd rather me focus on NetSec responsibilities'. The problem is I don't have any desire to continue in NetSec, I'm looking to transition so long term career goal wise, it doesn't make sense for me.

HackerGuy2020

certforexxx said:

Why do you think none wants to give u a chance

Within my current employer, I've applied to 5 total internal job posting over the past 3 years (3 SOC roles, 2 Vulnerability Management). All of them fell through and they went with other candidates. Externally, I've applied to countless opportunities, but I've only had 1 or 2 phone screenings in the past year.

SteveLavoie

certforexxx said:

Why do you think none wants to give u a chance

That's something you have to investigate. Usually lateral movement in a business is "relatively" easy. Most company want to keep their staff, and refusing a lateral movement is easily perceived as "a no future warning" by the employee. So after 5 times, I would have a good discussion either with the HR or other people involved to understand their decision. Maybe you would learn that you have an attitude problem. (real or not).

si20

One or two comments towards OP seem a little harsh... My 2 cents is that, if you've applied to 4 roles in the same company in 4 years, you're averaging a new role every year. To (some) managers, that can signal an alarm bell that you don't really like any role you're doing and as such, they kinda expect you'd do 12 months in this role and then move on (whether that is or isn't the case).

Now on the flipside, I think lateral movement is good. In fact, I've actually turned down a lateral move recently because I like what I'm doing now. I think the key here is: focus on something you do like. Whatever that thing may be. Once you've figured it out, then talk to managers above and ask how you can map out a roadmap. That way, they're likely to be more receptive.

iBrokeIT

HackerGuy2020 said:

Within my current employer, I've applied to 5 total internal job posting over the past 3 years (3 SOC roles, 2 Vulnerability Management). All of them fell through and they went with other candidates. Externally, I've applied to countless opportunities, but I've only had 1 or 2 phone screenings in the past year.

I've applied for internal positions 4 times over the 4 years I've been hear, most of that being within the past 2 years. Each time, it has fallen through.

My management team won't reimburse me for the OSCP cert because 'they'd rather me focus on NetSec responsibilities'.

Clearly it's past time to move on since your company isn't supporting your professional development and career path. Getting the OSCP is a good move. Additionally take are hard look at how you are presenting yourself on your resume and during interviews. Likely that's also part of the problem. Post up a sanitized copy of your resume for the community to help you.

HackerGuy2020

iBrokeIT said:

HackerGuy2020 said:

Within my current employer, I've applied to 5 total internal job posting over the past 3 years (3 SOC roles, 2 Vulnerability Management). All of them fell through and they went with other candidates. Externally, I've applied to countless opportunities, but I've only had 1 or 2 phone screenings in the past year.

I've applied for internal positions 4 times over the 4 years I've been hear, most of that being within the past 2 years. Each time, it has fallen through.

My management team won't reimburse me for the OSCP cert because 'they'd rather me focus on NetSec responsibilities'.

Clearly it's past time to move on since your company isn't supporting your professional development and career path. Getting the OSCP is a good move. Additionally take are hard look at how you are presenting yourself on your resume and during interviews. Likely that's also part of the problem. Post up a sanitized copy of your resume for the community to help you.

Yeah, I agree, it's frustrating because benefit wise, my currently employer is tough to beat with PTO, insurance cost, WFH, tuition reimbursement. However, since I'm not being challenged anymore, I'm worried about complacency.

HackerGuy2020

Sanitized resume attached.

Sanitized Resume.docx

jasper_zanjani

HackerGuy2020 said:

It was never my intention to come across as entitled or ungrateful for theopportunities I've been given. I'm not a senior in terms of title, all promotions were put on hold due to covid-19. I'm the most seasoned engineer on our Operations Team which handles the day-to-day responsibilities of troubleshooting, firewall policy management, etc. I think it's reasonable to expect continued career growth within a role that you're in. The problem is our duties are so siloed so daily tasks have become mundane. I need constant challenges to keep me engaged and my current team isn't providing that. I guess my question is where is one supposed to go if internal transfers fall through, and nobody externally will give you a chance?

You're on a cert study forum, so if you need a challenge get your CCNA, CCNP, MCSA... And if your job is that easy then maybe you can study for them on the clock. Or learn Python, Perl, Ruby, Bash... Start a GitHub and slap some projects together. Script something, make a pull request. Challenge yourself if your job won't.

HackerGuy2020

Update: I was recruited by a Director at my current employer in another division who I've worked with in the past. He recruited me and said their Cloud Team needs a renewed security focus. I applied internally and accepted the position. 10% bump in pay right off the bat, plus I'm eligible for an addition 4-5% after 4 months. My Masters Degree at Georgia Tech will be 100% reimbursed, and the Director will pay for any security certification I want. I'll be on a small team of 3 engineers, including myself, but I'll be looked at as the main security POC. I'll wear many hats and get to touch all security projects and initiatives - cloud/container security, VPN load testing, pen testing their AWS environment, Incident Response, etc. I'm super excited this opportunity popped up and allowed me to transfer within my same employer. I needed a fresh start.

jasper_zanjani

Great