June 7, 2021

Cyber Risk Management Questions & Some Advice from my Journey

This post originally started much more focused, but since I’m asking for some detailed information and advice I’d like to share some as well to those that are also somewhere in the continuum of cybersecurity interest>job search>career development>cont’d. Part 1 is an overview of how I eventually got a job in infosec and my advice to those early in their career, Part 2 is some specific questions for those of you out there working in cyber risk management or 2LOD roles.

TL;DR I eventually got a job in cyber security via a roundabout path, what’s next?

**Part 1 – Here’s what worked for me**

There are a million blog posts and questions about how to break into cybersecurity but I rarely see a follow up post from someone sharing what worked and their journey to get there so I’ll start with mine. Some details have been excluded because it’s a small world out there.

All jobs were in the same medium high cost of living city on the east coast. Salaries have been included because at the time I had no idea what was normal (still don’t to an extent) and out of the last few jobs it was absolutely not discussed to the detriment of everyone.

Progression timeline

2012 – Graduated with a liberal arts degree from a no-name university, had no plans for how my degree was going to get me a job.

Military Interim – Became an Officer in the Army National Guard, attended multiple trainings and mission assignments. During this time I started getting serious about what it would take to work in cyber security and got the following certifications: A+, Network+, Security+.

2014 – Tier 1 helpdesk job, $40,000 at a midsize software company. Initially answering phone calls, technology support in a Windows environment. Kept pushing for more responsibility and took on some Project Management, Change Management roles.

2015, Military Interim – Transferred to a cyber security related unit, semi-technical role with good training opportunities but limited “real-world” development as a reservist.

2018 – Finished an online degree in Information Systems, started applying to any company that had a New Grad training program.

2018 – Infrastructure Engineer, $70,000 at a large software company. Wide variety of tasks around AWS and Linux server management using configuration management/orchestration tools. Job had exposure to good tools but was a very high stress environment and minimal support on the team.

2019 – Operations Engineer, total compensation $120,000 (105k salary + 15k performance bonus), large financial organization. Linux environment with lots of Oracle and integration to AWS products. Primary role was to facilitate technology incident management processes and plan/execute resiliency events. Redefined my understanding of high stress, lots of nights and weekends.

2020 – Cyber Risk Analyst, total compensation $125,000 (lateral move internally), same large financial organization. Work with first line teams (SOC, pentesting group, etc.) to evaluate how effective their technical controls are at mitigating various cyber risks. Semi-technical role that deals with the intersection of policies and technology.

Current certs: CISSP, GIAC GSNA, Project+, Linux+. Most entry level certs I’ve let expire.

Some advice based on my experiences so far:

* Getting a relevant technology degree was the best salary boost early on and really helped me get past HR screening.
* If I could go way back I would have buckled down and got a Computer Science degree first, developers tend to make better salaries than operations, and there is a higher demand.
* Certifications are good for showing career progression over time, however getting too many at once (i.e. a person can’t learn all of these things in this period of time) or ones that are far more senior than your role tends to raise questions from a hiring manager perspective. The best certifications are the ones your job will pay for.
* Very little of cyber security that I’ve experienced is an entry level career field, it takes deep knowledge in one of the main topics (coding/development, unix, windows, networking, cloud, etc, etc) before you become very useful to a company. For this reason I strongly advocate against getting a “Cyber Security Degree” and recommend something that would be immediately more useful to your first few jobs like IT or Computer Science.
* Imposter syndrome is very real for me and has had an impact on the types of jobs I felt comfortable pursuing. I’ve had some bad interviews where I couldn’t answer <x technology> question and that has seriously made me think I wasted the last decade of work. Acknowledge that it might impact you up front and don’t get sucked into the downward spiral of self doubt.
* Soft skills like project management and trying to always be helpful has gotten me more accolades than knowing specific technologies inside out.
* Mentorship is hugely impactful in both your personal and professional development. I can’t emphasize enough how much it can help to have an industry veteran that will advise you on how to shape your career and move towards your goals. This is also an area where I’ve struggled to consistently have a mentor.
* There are some job postings where it’s 100% necessary to know Python 3 at an expert level, and others where it’s requested but they are willing to teach someone. Networking with your contacts or local security group will help you to know which is which.
* Cold applying for jobs is the least efficient way to get one. Work your contacts, local security groups, etc to try and get referrals or put in touch with someone they know is hiring. Despite saying that, I’ve rarely done it.

That’s about everything I can think of on the fly, all opinions here are from my experience, your individual mileage may vary. If you have questions, ask.

**Part 2 – Now I’m reasonably experienced and in the Industry, what’s next?**

Title says it all, I’ve got that first job under my belt in an infosec area and looking for advice. Cyber risk management was something barely on my radar when I started the job and I had a bit of prejudice against non-tech roles but the reality has been pretty great. My team works in the middle ground between NIST recommendations and the reality of building and running a technology platform. I meet really sharp infosec engineers everyday and ask about how they are solving problems.

For those working in cyber risk management or have awareness of the field, what advice do you have for growing in the role? I’ve added a few questions as well.

* What’s the outlook like for this branch of infosec (cyber risk)? Is it considered a field that people pursue deep experience in or a stepping stone into other areas?
* Does anyone recommend the CRISC cert by ISACA? Comparing it to the CISA cert, it has very little name recognition in job postings.
* [National average salary](https://www.ziprecruiter.com/Salaries/Cyber-Risk-Management-Salary) for “Cyber Risk Management” on a few platforms seems to hover around $104k with the top 10% at $165k. The average seems low in the realm of cyber security jobs, does this square with what others in the field are seeing?
* Is there any area that is worth specializing in due to demand and salary opportunities (cloud, pentest, etc)?
* Anyone have experience on the differences between audit type roles and cyber risk? Is there a significant salary difference in either direction?
* *On an aside:* I’ve asked several questions on money. This topic sometimes gets a bit weird, with some insisting that anyone who is not super passionate and ready to work strictly for the challenge of infosec will never survive, and others saying to work 8 hours on the dot and bail at 5 no matter what. I think I’m somewhere in between those two arguments; a career is a means to funding my hobbies and pursuits, and I am always trying to optimize towards that goal.