Perhaps this could go in a better subreddit, I’m unsure. Please advise me if it should be moved.
I’ve just graduated. I have a job, and I now have another job offer. I’m having trouble gaining perspective on what to do, and I feel like I need some guidance. I don’t really have anyone with relevant experience to speak with so ideally, I’d love to buy someone a coffee or beer for a phone call of your time but failing that I’ll outline my situation below.
TL;DR: I have a job at a small (and disorganized) MSP building out their security offering, but have been offered a position at a small industrial control systems company (with huge international clients) looking to hire a C developer that has a cybersecurity background. I can’t seem to decide what is better for my future because I lack a crystal ball or at the very least some real perspective on what to expect in these industries.
I graduated in Cyber Security and Computer Science in December 2020, and I turn 30 in January 2022. Since starting the degree I’ve seen myself working in DFIR, but am interested in multiple facets of the cybersecurity space mostly around blue teaming (I have been told I wouldn’t be suitable for red teams, which is fine… we can’t do it all). It’s fair to say that whilst I love the idea of working in security, at uni I always enjoyed my programming units too.
When the COVID situation began evolving at the start of 2020 the Australian Government relaxed some of its rules around who could apply for welfare. One of their welfare payments involves applying to x amount of jobs per month. So while satisfying that requirement, I threw my resume at a few jobs I wasn’t really seriously considering just to meet the quota.
I got asked for an interview by one of the companies I threw my resume at. As they are an MSP, and the job was a level 1-2 service desk position I was considering dipping the interview but at the last minute decided to attend. What transpired was a very frank discussion between us about the fact I had no MSP experience, but that they were looking at expanding their cybersecurity offering and they were looking to hire someone with cybersecurity on their resume. On the basis of a ‘fast-track’ through the service desk trenches, I was offered a position at the company, at my requested remuneration rate (albeit the minimum of my range).
At no point was it my intention to spend my whole career with this company. I am acutely aware of the unsuitable nature of this job beyond 12-18 months, and my intention when taking the role was to be working on projects in the security space, participating in R&D for the MSP. At 3 weeks in, I have been operating the service desk for about 85% of the time. While it feels insulting, I cannot deny that I am learning a lot about Azure, O365, AD which I am finding very valuable as I have only had academic exposure to these things so far. So while the work feels menial, at least I am becoming familiar with these technologies. At the end of last week, a few messages on Teams with the managing director led me to believe they are intending to put me where they said they would within the company, but as yet, I don’t exactly know what form that is going to take. I imagine there will remain a ratio of security to service desk tasks…
I fully understand that leaving a job so quickly is not favorable. This 2 job situation was never my intention.
Currently, the MSP has a client that is looking to implement WDAC policies for their workstations. The MSP has agreed to roll this out for them as a project. So I am currently researching how to implement this for them. I’m finding this very stimulating, and I’m really enjoying the exercise, and the thought of doing research for other projects/clients is very appealing to me. They keep dangling “pen testing” in my face like it’s an appealing prospect, but I think they’re not sure what this actually entails. Or perhaps they do and they are thinking they’ll get their very own in-house pentester for a fraction of the starting salaries at other places…
As with any company, there are some downsides to being there. I won’t go into the specifics, because they are not relevant but I will say that these downsides alone would be enough to stop me from working here for longer than necessary. I’m willing to accept these because I think I’m getting some good experience.
About 2 weeks ago a friend of mine asked me to apply for an unadvertised job opening at his company. He is a major player in the company, and the company appears to be a major player in the utilities/industrial control systems/embedded controller space. He asked me over dinner, whilst talking about my degree, stating that they “need a cybersecurity guy.” So long story short, I put in my resume, and I have been offered a position.
During the interview process, it has become clear that the advertised role is actually a software development one; the interview was a semi-technical investigation into my C programming capabilities. But a lot of the people I interviewed with (6 people total) have stated that security is 100% on the cards, just that to begin with, to understand the product lines they offer, etc., they need someone in amongst the code. The impression I got when talking to the senior members during the second interview was that they are thinking ‘bigger picture’ with this hire, which to me means that I may get moved to different sections of the business in due time.
I guess ultimately I’ve got 2 very different job offers here, and I am really at a loss for what I should do. On one hand, I have implementation/project work operating on behalf of clients for a small MSP. I can see this leading me on a path that will enable me to secure a job that aligns with the DFIR vision I’ve had for my life. On the other hand, I have an opportunity to be a part of an international organization, with travel opportunities, mentors, space to grow, but perhaps not in the precise DFIR direction I always saw myself going in after spending some time in amongst their product offerings that are written entirely in C.
Does anyone have experience in this space that can offer me some perspective on this situation? I’m extremely unsure about what direction to take. Will time spent writing in C benefit me? Or will it just remove me from the security space making entry into that industry more challenging in the future? Would a role like that be considered favorably to other potential employers if I take the new job but decide it’s not what I want? Fortunately, with the job offer, I have been given some time to weigh up the decision but I don’t want to keep them waiting if I eventually end up turning the offer down.
Like I said at the top of this, I would love to have a phone call with someone but I accept that that probably isn’t everyone’s idea of a good time. And if by any cosmic chance someone who can help is reading from Perth, Australia I would absolutely love for you to reach out so maybe we can talk over coffee/beer.
Thanks for reading.