Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!
I’ve found the good $$ is finding just a good ol’ “security engineer” title somewhere (most likely a tech company). If your title is “red teamer” or “pentester” and you’re not at a well-paid boutique consultancy you’re likely being underpaid compared to what you’d get on the engineer track. Where have you applied before/recently? Right now is a frustrating time to job hunt but better now than never, especially if you are bored or disgruntled in your current role. On the “security researcher” front, have you considered (or are you already doing) a blog or something? I’ve found that supplementing my day job with my own research and publishing it has the combined effect of keeping me interested in security in general as well as being good material to share with prospective opportunities.
So the thing is I can’t really be bothered with blogging rn , not sure if I’d make a good blogger cause I usually have small tips and tricks and not full blown posts. Also I’m currently locked in my contract for atleast another 9 months then I’m free to go. What’s the difference between a security engineer and security researcher?
I understand the obstacle to blogging. But that’s where micro-blogging comes in! Twitter is out of vogue so I’d say use Mastodon (or similar Fediverse-ey microblogging platform, e.g. Calckey, etc…). You can post all your tiny tips and tricks and other thoughts there rather than having to pull together full-fledged blog posts. This will help you build a portfolio of contributions to the community as well as build a network.
As for sec eng, vs sec researcher? These are merely titles. A security engineer could certainly be a researcher as well. I’d say you have a lot of “independent” security researchers who day-light as engineers. In some cases you have folks who are researchers as their day job but to get these sorts of roles I would suspect you would need some history of published research (like CVE’s, talks, papers, blogs, etc…).