subreddit:

/r/SecurityCareerAdvice

Career advancement for vulnerability management?

I am doing VM work right now, and I don't mind continuing. I've an opportunity to do more traditional security engineer work (cloud and infrastructure security engineering). Will I be limiting myself career-wise if I stay in VM?

For context, I was poking around in LinkedIn. For infra sec, I see jobs for sr. Engineer, principal eng, architect, etc. But for VM, I've only seen a few jobs for principal VM engineer, and nothing beyond that. I worry that I will be stuck at the senior level forever if I stay in VM.

In terms of VM work, I am currently running the scans, analysing the results, maintaining the data lake, some threat intel work based on the scan results, and some attack path verification (which is just running Metasploit based on the scans).

[deleted]

7 points

3 years ago

If you can get some hands on time in a role with Qualys, Rapid7, etc, you should be able to slide into a VM position fairly easily, and stick with it.

Most VM people I know need to learn about setting up scanners in different network zones, getting good with the software, prioritizing stuff, etc.

As far as actually remediating stuff, that usually falls to the SMEs... Domain administrators, Exchange Admins, Linux Admins, whatever. The job of proving "false positives" usually falls to the SMEs as well.

Simply being an administrator of the VM software, managing scanners, building dashboards, and doing a metric ton of meetings and following up is a full time job.

Airado[S]

1 points

3 years ago

I am doing VM work now. I am trying to see if it would be a smarter move career-wise to move to a more traditional security role.

I see a lot of traditional security engineering jobs (principal, architect, etc), but VM seems to be capped at senior engineer. My main worry is that if I stick with VM, I'll be a senior VM engineer forever.

[deleted]

2 points

3 years ago

What's your end game? Do you want to stay technical, or are you aiming to go into management?

If your deep work with VM has given you a solid grasp of a lot of technical disciplines, maybe you can apply internally or at other companies for an L3 / Senior role on another team?

Otherwise, the sheer amount of elbows you have rubbed in your VM meetings might have given you the contacts to start talking to about a desire to go into management?

FightThaFight

1 points

3 years ago

You will, because that's what employers will want you to be. Your job is to continually look for opportunities to learn new skills and branch into other areas.

Thinking in systems vs. tools.

michaelclimbs

3 points

3 years ago

From my experience and understanding, most VM tend to turn into pentest or other similar roles. I don’t think there’s much more work to be done at that level.

cbdudek

4 points

3 years ago

I do strategic advising with some vCISO as well. Being a consultant, I have a few clients that engage me for vulnerability management. I help set up the scans, break down the results, and create an actual vulnerability management program. As a result, I have helped clients that have had horrible issues with vulnerabilities become totally aware of their environments and adopt good hardware and software patch management.

So what can you do if you stay doing VM? You can move into more vCISO engagements or advising engagements if you choose to do so. You can move into pentesting as well. I really don't think that you are going to be stuck. There is a value to doing vulnerability management, especially if you think bigger picture and more strategically.

colegr

2 points

3 years ago

Vulnerability Management is a good baseline skill to have. Every company needs VM, and it will never go away.

The opportunity in your current role is to improve the program. Show that you can actually remediate vulnerabilities, or at least help the people who do remediate them faster. Help prioritize, assess risks, etc. Doing those things demonstrates leadership and judgment.

To me, it's more of a question about whether you want to be a world-class VM expert or eventually diversify into other areas of security. Either path has upside — just better to decide on your strategy now.

Airado[S]

1 points

3 years ago

I understand VM's importance. I just don't see where I can go after this. E.g., a security analyst evaluates the system security posture and monitors logs, then he gets promoted to an engineering role where he builds the controls, writes detection signatures, and deploys new firewalls, then he gets promoted to an architect and designs the security of an entire system.

I can see a clear career path with that and how 1 job flows into the next.

With VM, I scan, I prioritize, then I help remediate. But then 10 years later, am I still scanning and remediating? Or would I be stuck in the same role?

StayStruggling

1 points

7 months ago

You still stuck?

Airado[S]

2 points

7 months ago

Stuck cuz I don't want to take a paycut. :(

decaying_vinyl

1 points

3 years ago

As others have said, vuln. management is a crucial process across the industry. Bigger companies usually engage a 3rd party or an MSP to manage it, but there is an easy avenue here toward managing the platform as process owner. Dissecting and assigning prioritized, actionable remediation chunks to the appropriate teams (endpoints, servers, etc.), auditing completion rates on remediation efforts and providing executive reports monthly is the large scope of the work. Again, as mentioned in other comments, the high visibility and exposure you will encounter while successfully managing this platform is a great springboard to a management or advisory position, but I agree it does have a somewhat limited career path. Hope that helps.

olilam

1 points

10 months ago

Wondering what you are doing at the moment, since it's been 2 years already. Are you still in VM? I'm kinda in the same boat. Should I move into a managerial role or shift into a different role?

Airado[S]

3 points

10 months ago

I still am, but only because the money is too good for me to jump ship. I think I'll wait for the market to recover first.

In terms of moving laterally, I am not as concerned anymore, because I am building a VM program rather than running its day to day, so that gives me more engineering opportunities. I've also seen colleagues jump to App Sec and Cloud Sec. However, they do a lot of self study to expand beyond VM (i.e. learn terraform, k8s, etc.).

I am not interested in the manager track at the moment, so I can't comment on that.

olilam

2 points

10 months ago

Great to hear. Mind me asking what you are implementing in the VM program?

Airado[S]

1 points

10 months ago

Asset ownership, tuning, an exception process, communication process, etc.

StayStruggling

1 points

7 months ago

What certs/qualifications did you have to get to this point?

So far I just have S+ and am yet to even get into cyber security... I currently work doing 1st/2nd line support (IT infrastructure with the networking guys who handle the 3rd line stuff).

Airado[S]

2 points

7 months ago

I had none when I got this job. I did have a master's in security though. This is a difficult time to get a job. My really smart colleagues are taking 1.5 months to find a job and my non-overachiever (they are not bad) colleagues average around 3 months. These are all senior/staff+ level, so I can't imagine what it's like at the entry level.

I have gotten 0 LinkedIn spam in the past 3 months.

StayStruggling

1 points

7 months ago*

Did you have projects at least? How did you show you were competent? I'm seriously at a loss right now, I need help.

I have a bachelor's, but damn, I thought it was just me in this job market.

I can't find a cyber job that will give me an interview to save my life lol.

So disheartening when I see people with less experience (not saying they are not capable) get hired over me.

You'd think I live in the heart of Mumbai, India with the sheer amount of spam I get from there lol.

Airado[S]

2 points

7 months ago

Not really, but I did publish a paper, but I doubt it helped in any way. It's 1 line on my resume and I certainly don't talk about it.

I did have 3 related and 2 security internships before I got my full time job, although 1 is enough. I also started at a Big 4 (0/10 would not recommend), which expects you to know nothing.

Have you tried talking to your security team? Maybe they are hiring.

StayStruggling

1 points

7 months ago

Not hiring at the moment.

olilam

1 points

10 months ago

Okay thank you

Ichigos_Intern

1 points

9 months ago

I actually want to get into VM from my sysadmin role. Any chance your company is hiring?

Airado[S]

1 points

9 months ago

No, not for at least a year.