Ask HN: Pay and Specializations in Security?
6 points by ohaideredevs on April 17, 2019 | 4 comments
I am reading a post on security here (linked below) and it identifies three specializations (also below).

My questions are: Are these really three distinct specializations? Which is considered the most fun / prestigious / well paying / has the best career prospects?

1. "offensive security" (scanner jockey -> netpen -> appsec -> vuln research / red team)

2. defensive security (secops -> seceng -> security management)

3. malware analysis (malware analysis -> malware analysis -> still more malware analysis).

https://news.ycombinator.com/item?id=18487547



They are all great career prospects. There aren't enough heads in the field to meet the demand. I don't agree with the specializations you have listed. People move around all the time. I'm currently Red Team and got here by doing appsec, netpen and vuln research.

As for the most prestigious, there is no such thing. Red Team and Blue Team operations are both vital to any organization. The Red Team verifies attacks are caught, and Blue Team catches incidents to minimize damage asap. Prestigious probably depends on the company and which one they respect more.

As for most fun, I really enjoy breaking things and being malicious. It's why I do well in the field. I'd say you have to discover what you enjoy for yourself. You don't want to get pigeonholed into just doing code reviews your whole life or reading through log files. In order to get through this level you have to show you can do more than be a checklist jockey.

Pay is pretty much the same for all of these at the larger organizations.


"Which is considered the most fun / prestigious / well paying / has the best career prospects?"

Whatever you consider most fun is the most fun.

Are these really three distinct specializations?

No, I've never heard of them being categorized into three specialisations before, and the progression tree you have listed certainly isn't true.

If you are interested in getting into security, just research and experiment with what interests you.

* If you like appsec, why not learn some programming languages and attempt some bug bounties.

* If you like netsec, why not set up some labs and simulate some pentests, or sign up to HackTheBox, which offers pentest environments.

* and so on.

You will succeed in security by doing it because you love it, not because you are told it has good prospects.


This is probably the most narrow and poorly organized list of security specializations I've ever seen. If you literally just google "cyber security specializations" you will see a lot more options and insights available. Fun, prestige, pay, and progression are obviously four very different things, and honestly they are pretty subjective except for maybe pay, but that could be wildly different depending upon the area/region/country. So asking for so many facets of a career with such a poorly developed list of career options is not going to net you very useful answers. Instead, focus on researching and understanding the whole of security better rather than trying to find the most fun high paying prestigious job in the lot.


I'd say #2 is part of #1. #2 is especially tough to get right.
