@Anonymus said:
@TazWake I highly respect you as a professional and you are always nice and helpful so I will take your word for it, and thanks a lot for sharing.
Thank you.
You obviously know better than we who are not working in the field…
With the caveat that outside the UK and parts of the US, my knowledge is simply from googling open jobs.
Doctors are earning a lot more here as far as I know.
But that brings us back to the apples vs overcoats comparisons.
In the UK, a specialist surgeon working in the private sector with 15 years’ experience will be earning orders of magnitude more than an entry-level pentester or entry-level doctor.
It is a bit of a mistake to try and compare things which aren’t similar. If you have 15 years’ experience as a security consultant with specialisations in niche, yet required, areas, you will probably be the same as the specialist surgeon. But you probably won’t refer to yourself as a pentester any more. The ground is less certain though.
I have a friend who worked as a pentester from about 2005 onwards. In 2011 he was very much ahead of the curve with mobile application security and was being paid well above averages by financial services organisations who were racing to develop secure applications. He wasn’t being paid to pentest them, he was being paid for his in-depth security knowledge which he developed through pentesting.
Sadly, once people realised this was earning around £1000 a day (vs £150-300 for pentesters), lots of people flocked to it, and they came up with frameworks to make it easier for everyone and now, you won’t get a single penny extra for this “specialisation”.
But never mind I think we all got the picture now and we have to decide if we gonna take it or not…
Awesome. As a “profession”, it isn’t for everyone and, despite what training providers claim, I am not convinced there is a skill shortage either.
I know I definitely won’t change my job for that salary, only if, God forbid, I am forced to…
That’s fine and a perfectly valid decision. The harsh reality is changing any job into a brand new profession with a view to earning more money is a bit mistaken.
I am very well paid as DFIR investigator. If I thought I wanted to follow a new passion and become a Solicitor I would need to reconcile the fact that my income would plummet for the first 10 - 15 years. It is almost certain that a solicitor specialised in corporate law with 20 years’ experience will be earning more than I am, but it will take 20 years for me to get to that point.
There are elements in which the progress can be short-circuited (for example, I already have corporate experience and know how to read legal documents) but it isn’t a significant reduction.
If a Solicitor is earning £100k a year and they decide to be a pentester, they will probably never get back to the same income in their working life.
Just to reiterate though - the better paid infosec jobs aren’t pentester roles. The real money comes from management, leadership, strategy, boardroom experience etc. There is nothing to stop pentesters going down this path, but it really is a different role. (And for better or worse, there is no requirement for any pentester experience for most well paid infosec jobs).
But I will do the certs anyway because it is fun and I wish to learn. It is addictive
And that is super important. Earning well really does matter but if you spend 80 hours a week doing a job you hate, your life passes you by very, very quickly.
As an example, 10 years ago I could have decided to become a security architect and push into cloud designs, TOGAF and other good stuff. This is arguably better paid than DFIR by about 20% and there are lots more job opportunities.
However I detest it. I have tried reading the TOGAF documents and I fall asleep at the first page. It could pay £1m a second and I would still hate and still be very, very bad at it.
Thank you for informing us about what to expect, that is what this topic was all about.
You are welcome. I love the off-topic discussions because we all get to share our knowledge, ideas, hopes and experiences.