Discussing career advancement with manager

Maromi

Looking for some advice on anyone that's had a manager want to have a discussion about advancing your career.
It's tomorrow so I'm a bit nervous, but I've been thinking about it over the last two weeks and decided I wanted to go into infosec, since it seems like a fun, rewarding and well-paying career path.

Only thing is my boss wants to be involved in how to get me on said career path, and I'm not sure what action he'd need to take to assist. Only thing I can think of is using downtime to study for a CEH certification, but I'm also curious about that new Google certification for cybersecurity that came out.

I know I am definitely not on the level of OSCP, but I have taken a course on ethical hacking that I thought was fun. However, I lost all my notes after Google Drive converted them all to some bunk format.

Anyway, back to the point, only thing I can think of is I'd just need time to study, and possibly use my manager to find connections with those already in the info-sec field at my company. Though, I do know my other leadership already has some connections.

Incident management wouldn't be a bad choice, and would probably be a good starter career path once getting certified. I am a tad familiar with how that role functions in my company at this point.

Main things I'm worried about are:
A. What my manager can do for me to go this career path.
B. Any deep background checks that may be needed, I heard that this info actually got leaked a few years ago which is sort of sketchy. (Anyone with a security clearance)
C. How fast I can get certified, and if I'd be allowed to study during downtime at work or how that would be viewed by my manager.

I think it would be pretty rewarding going this route, and decided against a programming career because I feel languages aren't a good strong point for me. I'm already familiar mildly with some of the tools for penetration testing.

Thank you!
 
My boss ended up cancelling the meeting today, so that bought me some time if anyone has recommendations.
 
Most of your questions, definitely A. and C, seem like questions for your manager. So, I can't really comment on those.

What I can say is:
- Security can indeed be a fun, rewarding, and well-paying career.
- If your boss has guidance for how to get you on that career path, great! This is an asset to you. He probably knows what the company needs most (i.e., the company would be most willing to pay you more for having).
- Even if you end up using your personal time to study for certifications, this is still a good deal - it's an investment in your future skills/earning potential.
- There's nothing wrong with repeating the ethical hacking course and taking a new set of notes. Or trying to find a way to convert your old notes back to a readable format.
- Connections are extremely valuable. They are the main way people get hired, and other opportunities! If your manager offers to introduce you to people, say YES. Actually, say YES and then do some research before meeting them so you can make the best use of the introduction.
- Security clearances are usually used when you're either working for a government in a sensitive role, or you're working for a company that does significant business with the government and handles sensitive government data. Just working in cybersecurity in general doesn't require a security clearance. "Background checks" aren't something to fear. Lots of places that do "background checks" only check for the basics (that your identity is verifiable, that you don't have a criminal record, etc). The fact you're willing to take, and able to pass, even a basic background check can help you get a higher-paying and more secure job.
 
Moo said:
Most of your questions, definitely A. and C, seem like questions for your manager. So, I can't really comment on those.

What I can say is:
- Security can indeed be a fun, rewarding, and well-paying career.
- If your boss has guidance for how to get you on that career path, great! This is an asset to you. He probably knows what the company needs most (i.e., the company would be most willing to pay you more for having).
- Even if you end up using your personal time to study for certifications, this is still a good deal - it's an investment in your future skills/earning potential.
- There's nothing wrong with repeating the ethical hacking course and taking a new set of notes. Or trying to find a way to convert your old notes back to a readable format.
- Connections are extremely valuable. They are the main way people get hired, and other opportunities! If your manager offers to introduce you to people, say YES. Actually, say YES and then do some research before meeting them so you can make the best use of the introduction.
- Security clearances are usually used when you're either working for a government in a sensitive role, or you're working for a company that does significant business with the government and handles sensitive government data. Just working in cybersecurity in general doesn't require a security clearance. "Background checks" aren't something to fear. Lots of places that do "background checks" only check for the basics (that your identity is verifiable, that you don't have a criminal record, etc). The fact you're willing to take, and able to pass, even a basic background check can help you get a higher-paying and more secure job.
Thanks for the input, I'm not too worried about background checks at this point. I heard the higher level ones are now limited to 10 years of history or so. I could agree with most of what you said for sure. I was doing some research this morning on entry, mid and higher level certs so I may try and grab a Security+ and a PenTest+ before a CEH cert.
I believe there are good resources out there for cheap/no cost for the first two certs but I'll have to read up on the third.
 
As the job market continues to be tight regarding qualified employees, and especially those they know will show up and work, they are likely encouraging management to guide employees toward opportunities within the organization. Hence the inquiry from your manager.

Have questions at the ready, as this kind of meeting can go in very different directions. If your manager asks if you have any questions, as stated: have questions!

It sounds like you are happy with the organization and if that is true, it is always good to state that you are happy and want to grow further within the organization.

Be open to a fairly wide range of opportunities, as there may be positions that you have not considered. I started in project engineering and ended up managing North American engineering and sales, as I have a comfort in speaking in front of large groups.

Approach this as an opportunity and Have Fun, be Comfortable with Yourself!
 
Edgewater said:
As the job market continues to be tight regarding qualified employees, and especially those they know will show up and work, they are likely encouraging management to guide employees toward opportunities within the organization. Hence the inquiry from your manager.

Have questions at the ready, as this kind of meeting can go in very different directions. If your manager asks if you have any questions, as stated: have questions!

It sounds like you are happy with the organization and if that is true, it is always good to state that you are happy and want to grow further within the organization.

Be open to a fairly wide range of opportunities, as there may be positions that you have not considered. I started in project engineering and ended up managing North American engineering and sales, as I have a comfort in speaking in front of large groups.

Approach this as an opportunity and Have Fun, be Comfortable with Yourself!
Thanks for the input, I think I may try and go the route of incident response if I end up staying here.
It wouldn't be a bad position for entry level Info-Sec support.
 
Another important question would be how much of their budget could they put aside for training. The unfortunate thing is, the big certs in cyber are pretty expensive. SANS courses themselves being around 8k now :eek:

With that said, these are resources I've recommended in the past that weren't that expensive. Also, anything cybersecurity I'd recommend getting a foundational understanding of networking if you don't happen to have that experience already. That and a level of scripting experience too like Python for example.

Free / cheap courses - https://www.cybrary.it/ (edited) (Full subscription however is a little pricey)

Free / cheap practice/learning environments - https://tryhackme.com/

Free/cheap, similar to try hack me - https://www.hackthebox.com/

Some small training material from SANS - https://www.sans.org/cyberaces/

Hacker playbook 3 - https://www.amazon.com/Hacker-Playb...esting-ebook/dp/B07CSPFYZ2?ref_=ast_author_dp

Also, I did see a recommendation for this https://academy.tcm-sec.com/ Cost $30 per month for their entire catalog which is awesome.
 
After some more thought and trying a hackthebox machine I decided I didn't have the drive for InfoSec, I think it would suck every last bit of life out of me.

Decided I want to go into a sysadmin or networking role at this point, the tests are doable and I can make a lab to practice on easily. There's also demand for that at my work I'm sure right now.

The discussion is probably going to happen tomorrow with my manager, I have a task for him to see if he can find someone to help me study and shadow.
 
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp closeenuff


Weeeeee.

🛝

Sorry not being useful here. 🫣

I always found security to be very stressful. If a client is compromised under your watch and you didn't catch it, you get walked out the door and your career is permanently in the toilet when you have to always explain how you left your previous job.

Much less stress on the engineering, analyst, design, and architect side of things while utilizing the same core skill sets for the same payscales.
 
LittleAndAlone said:
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
jmp closeenuff


Weeeeee.

🛝

Sorry not being useful here. 🫣

I always found security to be very stressful. If a client is compromised under your watch and you didn't catch it, you get walked out the door and your career is permanently in the toilet when you have to always explain how you left your previous job.

Much less stress on the engineering, analyst, design, and architect side of things while utilizing the same core skill sets for the same payscales.
What makes me the most salty is I've had past coworkers literally make guest accounts with admin rights wide open, and I'm the one who got laid off.

like what the hell y'know.

but I know that guy doesn't work there anymore
 
Maromi said:
What makes me the most salty is I've had past coworkers literally make guest accounts with admin rights wide open, and I'm the one who got laid off.

like what the hell y'know.

but I know that guy doesn't work there anymore
I like the auditors that ask for complete firewall configs for review. And I'm like "nope that's a social engineering test failure" and refuse and my director is like
"<name>...be nice..."

Or the ones that follow change control process and have multiple vetted and reviewed approvals to have a wide open admin account and special permit any any firewall rules to allow their blocked scan tools to work and then they are like "LOOK AT ALL THE STUFF WE FOUND!!!!"

🙈🤦‍♂️
 
LittleAndAlone said:
I like the auditors that ask for complete firewall configs for review. And I'm like "nope that's a social engineering test failure" and refuse and my director is like
"<name>...be nice..."

Or the ones that follow change control process and have multiple vetted and reviewed approvals to have a wide open admin account and special permit any any firewall rules to allow their blocked scan tools to work and then they are like "LOOK AT ALL THE STUFF WE FOUND!!!!"

🙈🤦‍♂️
We used to have auditors in that position I was talking about, they once saw me working on a weekend and they were like "You don't work every weekend do you?" But honestly was never aware of what their entire job function was. I said no and lied anyway, guessing they found out but not sure why it mattered.

I think they mostly were just there to audit patient documents.
 
Manager didn't show up again today, the tension of this is killing me inside!
 
Software development could be another good consideration, especially if you already have an education in it and some programming ability.

It only requires average intelligence but a decent amount of skills.

It does require a certain skill for politics though which many people don't expect.

I've seen many people make easy money in this field, working probably on average 2 to 4 hours a day, and I've seen others work unpaid overtime on the order of 60 to 80 hour workweek, never getting promoted and getting paltry raises at best, ruining their health and relationships, and ultimately burning out.

Most non-technical people won't understand your contributions and will try to reduce or think of you as a simple, replaceable cog unless you're clever and cunning, making sure that you're only on the best projects and preventing your direct manager from getting too much power over you, the project, and the general flow of information. You have to be in charge. You have to be synonymous with the project, and the one who gets credit when it goes well. You have to make it clear that you being off the project or team is going to be painful to your employer, because you're not easily replaced without significant pain. When it goes bad... well, that's why you're on a "too big to fail" project, right? You just tell the stakeholders that it will be done when it's done, and do your best, or if it's truly hopeless pretend and job hop before everything blows up in your face.

I've been a python terd for many years now and have had pretty good pay and work life balance, until I took a job with some devopsy flavors (BIG FAT MISTAKE. I knew better, although my wlb isn't too awful, just not where I want it to be), but it's pretty easy to job hop and I'll be gone soon for easy money 💰, and sweet, sweet wlb 🏝
 
I think the biggest way a manager can help someone who is looking to move in some direction is by finding opportunities within the organization to actually put skills to use. As someone looking to do something different, that is what I'd be looking for.

Sure, you can probably get some paid time to do self study and maybe get them to pay for a cert or even some training course.. but I think it's a lot easier and motivating to work towards a concrete role.

I work in software for a fairly large company, and we do this kind of thing all the time. Someone says they are interested in working on <whatever>, we try to get them paired up on a part time basis with someone in that area.. let them take on a few small tasks, help out where it makes sense, go to some of their meetings and see how things work, etc.

Part of the equation is also matching what you want to do with something the company actually needs. If you are working in a software shop, doesn't matter how enthusiastic you are, they probably aren't going to pay for you to take flying lessons.
 
lilSorcerer said:
Software development could be another good consideration, especially if you already have an education in it and some programming ability.

It only requires average intelligence but a decent amount of skills.

It does require a certain skill for politics though which many people don't expect.

I've seen many people make easy money in this field, working probably on average 2 to 4 hours a day, and I've seen others work unpaid overtime on the order of 60 to 80 hour workweek, never getting promoted and getting paltry raises at best, ruining their health and relationships, and ultimately burning out.

Most non-technical people won't understand your contributions and will try to reduce or think of you as a simple, replaceable cog unless you're clever and cunning, making sure that you're only on the best projects and preventing your direct manager from getting too much power over you, the project, and the general flow of information. You have to be in charge. You have to be synonymous with the project, and the one who gets credit when it goes well. You have to make it clear that you being off the project or team is going to be painful to your employer, because you're not easily replaced without significant pain. When it goes bad... well, that's why you're on a "too big to fail" project, right? You just tell the stakeholders that it will be done when it's done, and do your best, or if it's truly hopeless pretend and job hop before everything blows up in your face.

I've been a python terd for many years now and have had pretty good pay and work life balance, until I took a job with some devopsy flavors (BIG FAT MISTAKE. I knew better, although my wlb isn't too awful, just not where I want it to be), but it's pretty easy to job hop and I'll be gone soon for easy money 💰, and sweet, sweet wlb 🏝
I really wouldn't mind being a software dev, I am familiar with Node debugging a tad, but mostly experienced in Python. Though I could agree with a lot of the points you have. Though, I have no formal training in software development.
As far as I have gone though was making an Ubuntu PPA for cryptocurrency miners a few years ago.
If I was to go into a dev role, I'd have to certainly move departments as I'm mostly just familiar with Python and our product is Node.
I think I would enjoy a sysadmin role though, either within my company doing network diagnostics, or outside as a systems admin. I feel like I would have a good shot at being a sysadmin being so vex'd in VMware at this point.

On that note I need to do some light studying for the VMware intro cert, because it's actually feasible with my experience. Then I want to move into getting a CCNA and/or Network+
 