If you want sanity paired with outcomes in the career, work at places that are technical and have a strong regulatory incentive and related funding, or a strong threat model closely tied to profits to care about security culturally.
Main examples for me that hit that are:
- pre-IPO startups that want to pass SOC2 etc to go public: have the reg and profit incentive and pay to buy a security team from scratch
- crypto: has the threat model and profit incentive due to key theft and so on. Pays well too and great risk space to test out sec skills
- public tech cos providing a lot of critical infra: to an extent, some can veer into Too Big to Fail like MSFT, some have stronger internal sec teams like Google/Project Zero, Verizon/Paranoids, Cloudflare seems good.
- Banking is maybe: they have funds, more risk-averse culture, heavily regulated. But healthcare is also heavily regulated and I'd never work in it due to the volume of exploits and lack of care.
So ya, don’t work at MSFT as a sec eng IMO unless you’re on the DART team and want to see a lot of diverse incident response with legit threat actors, or want to do really low level OS sec.
No idea about Apple sec eng work, on this note.
This is also why the avg tenure in security careers is +/- 10 years. Your sanity runs out and often pay is good enough where you can save up and do something else with your life by 30/40.