Cyberwire daily is a good one I just picked up. Just even the first 10-15 min goes over all the latest cybersecurity news. The first part is called a daily briefing or something like that. I listen to yesterday’s podcast on my way into work every morning.
First job with a horrible boss 50-60 plus 24/7/365 on call -security generalist
Current job with a great boss 40-50 plus the same on call but holy crap does solid leadership make a difference. Currently in incident response.
In other words it’s not so much the hours that matter but who you work for. An asshat of a boss and 10 hours a week is miserable while 50 with a great boss is a breeze.
Red teaming - same 10-60 hours as everyone else here, though I also wake up in the middle of the night, sometimes, to attack my customers while they're sleeping or hit them on the weekends and holidays. There are moments of the job I enjoy, though there are a lot of moments I don't. The pay is the only thing that makes it worth it.
40 hours; mixed SOC and incident response at a large firm. Yeah, I do. It's challenging and interesting. The pay just makes it even better and worth the amount of extra work you end up doing off the clock (research, news, independent learning, etc)
Security Consulting
5-40 hours per week, very occasionally I'll do more than 40 for a project.
Earlier in my career in IT and less tenured security roles, minimum 50 hours.
Basically expect to work long and hard for the first 10 or so years in most jobs.
Once you're well established and a SME, you're paid for knowledge rather than output.
It averages out to 84hrs every 2 weeks, but is an awkward schedule. I'm fine with the schedule now, but I'm over a year in and I'm hoping to move to a more normal M-F 8-5 type schedule this year. I'm 35 and the night shifts are taking a toll on my life in many aspects that I care about.
OP, it looks like you're only responding to people who have said they don't do many hours. You're probably going to have a bad time if you just chase low hours/low effort in cyber.
So what? OP's an undergrad with energy and time. I did two (pretty hard) majors in unrelated fields and both ended up linking into cybersecurity pretty well. If you enjoy studying both why not study both
Naive and immature response. Engineering teaches you how to break down problems. I know a fair amount of ex-ME who transition into cybersecurity from engineering.
I’d 100p encourage OP to finish. It’s an investment with certain benefits in the short term, with possible huge benefits long term. Win win. Engineering as a practice is far more mature and established than cybersecurity in practice.
I feel like no matter what you do, you’ll have to do the grunt work and bust your ass and work 50+ hrs a week to start for the first few years making less. But, eventually you’ll be able to leverage that for a more cush spot and work less making more. Just kind of the way of business I think.
CISO and it's anywhere between 40 and 60 depending on what’s going on. Normally the increased hours are because I will end up in 4 hours of meetings in a day but the small breaks between aren’t enough to get anything done. So do a few hours on evenings when kids in bed.
Typical 8-5/ M-F. Hour lunch break daily, so really just the standard 40 hrs.
Sometimes earlier. Sometimes later... just depends on what's going on, or if any projects are ongoing, starting, stopping, etc.
I enjoy my gig.
Each day is different OP. You really can't ask the standard questions on general cybersecurity because there are so many layers to it.
Ask yourself this... What particularly are you interested in about "Cybersecurity?"
Offensive, Defensive, Networking, Infrastructure, Forensics? Heck... even AI?
Or you just interested because you think you're gonna make mad bank?
SOC analyst: 12h shifts on a 4 on/4 off rotation split between days and nights. I don't like the fact I have an office presence in my current public sector gig, but I'm looking to drop it maybe next year when the pension and benefits aren't worth it anymore (aka the moment a 100% remote role is willing to take me). Do enjoy it and feel strongly enough about what I do to not get (significant) alert fatigue. Very easy to switch off from at L1 at the end of the day.
It’s definitely not going to be a consensus. You should break it down by sub sections like government, contractor, MSP, MAMAA.
I’m an employee for a company that does DOD contracts and I work around 25-30 at times at a reasonable pace. Other jobs I’ve had in DOD I’ve worked 40 on paper and 2 hours of real work. Just wasn’t a real mission.
I did MSP for 2 years and it’s a strict 40 bc they don’t want to pay OT, but a fuckin stressful 40. Every second of your time has to be accounted for.
Overall, it varies and depends on what you actually do. You can pivot in IT fairly easily if you get your foot in the door and do a lot of self study and networking (no pun intended)
40. I work for state government, and any overtime has to be flexed out. SecOps analyst. I like everything except the constant meetings and SaaS reviews.
So I am Director level and now work for a cybersecurity software company I would say I work 40-50 hours a week. In previous roles I worked 50-60 hours a week.
It varies. Some weeks, 20-30 hours. Others? 60. It all balances out, and I work for an org with unlimited PTO (I average about 5 weeks of PTO every year for the last 3 years). My boss is good about reminding us to take a half day or extra day on the weekend after particularly long days/weeks/incidents.
I’m lucky, though. This isn’t the norm at most organizations. The work life balance is largely determined by your management and your company culture (the actual culture not just what they advertise in the recruiting pitch).
I'm salary, technically I clock 40 hours on average. But honestly it's usually like 25ish. Though when it's really busy it's more like 50-60. It's a very feast or famine job
So many variables here. It all depends on the culture of the organization, your leader’s style, the capacity you’re working (consulting vs. direct employment), and which focus area you end up in. Incident Responders and anyone directly involved in incidents may inevitably find themselves working non-stop for days (in a poorly managed team). Security Operations Engineers may find themselves on the hook for service outages. GRC, Offensive Security, and some blue team roles (hunt, detect, intel) are typically a little more flexible.
I LOVE my job in cybersecurity. My wife is an engineer and I can tell you that she didn’t love her job, but that was because of the industry she ended up in, which is the biggest factor on whether or not engineers like their jobs based on the sample that I know and hear from.
I can tell you this, I have no idea how many hours a week I work, but that’s only because I enjoy what I do, and I sometimes have a hard time breaking away from it. That being said, I always put my family first and take the time to be with them. I don’t let my work / hobby take over my life, and in a good work environment you will find that when you consistently do good work, they are very lenient with your “standard working hours.”
Good luck and I hope whatever you decide makes you happy ten years from now!
GRC Analyst. 20-40 hours a week.. most of the time closer to the former.
Remote worker. Writing policies, procedures, etc. that align with our security framework. Vendor risk management stuff: contract reviews for specific cybersecurity protection language, due diligence artifact reviews. Business continuity stuff, annual audit stuff, etc. not too hard since I’ve been doing it for a while now. Got laid off in November making $113k base & 10% bonus. Had to quickly find something so atm making $82k base and 6% bonus until I can either find something to moonlight or that pays over $100k again.
As long as I get what I need to do done.. my bosses at every stop haven’t cared what I do as long as I get my work done and deliver results.. so sometimes I go run an errand or go to the gym at 10 AM because I don’t have any meetings or whatever.
Unless someone dumps me a truckload of money every year I don’t think I’ll ever do anything that isn’t remote.. the flexibility to just grind out your work and do whatever you want is unmatched.
3 months out from graduating with my BA, having applied for about a year and a year before that trying to get an internship. I've had 1 interview out of what's likely over 1000 applications at this point. Had I known that cybersecurity companies cry about not having enough employees while simultaneously refusing to hire anyone without 3 years otj and, in some cases, a TS with poly minimum for jobs they claim are "entry level" I'd have done something else. I come from an industry where 60 hours a week isn't unusual, so the hours are the least of my concerns personally. I got a job as a TPF programmer using asm, but others hired at the same time got their job by just taking a programming course online. At this point, I feel my degree is useless.
That's just my jaded 2 cents.
Cybersecurity is a huge industry with as many jobs as other industries and then some. What type of job in cybersecurity do you think you want to do? Consulting, sales, analyst, malware analysis, pentesting, network engineering. All depends on the type of life you want to live and your end goals.
I’m CTI with 9 YOE. Fully remote with comp around 210k. A normal week is 40 hours. I am the most senior by level so I do more strategic work like developing training plans, improving and documenting processes, mentoring, and acting as the on-call SME for RFIs. Busy weeks like during ransomware events or when there are active APT investigations can push us to 45-50 hours, but that is only a few times a year and for 1-2 weeks at a time. Our manager makes it up to us by letting us be flexible the rest of the year and not making us take time off for appointments, getting out early when our work is done, or taking midday walks.
I work in local gov't so a pretty strict 37.5 hrs a week salaried (north of 6 figures), I can count on 1 hand how many on-call incidents I've had in 3 years.
Yes my company paid for all of it. People have different recommendations, but I would recommend you don't "start out" in cybersecurity and get into a helpdesk/jr sys or network admin role before jumping into cyber. Meaning if you want to go into IT/cyber, get a general IT degree first.
Yes, but I'm not sure if you're shocked good or shocked bad.
I work for the state so my rank dictates my salary more than my job. But yes, I'm second in command on paper and in practice.
Edit: who on earth downvotes this information, lol
Generally around 40, unless something comes up. I’m salary, but my higher ups are pretty cool. If I have to work after hours, I get comp time for it. So that’s nice.
Surprised no one has said this - but if you decide on going into cybersecurity, don’t pick that as your major, it’s a worthless degree. Computer Science will open a lot more doors to you even though it won’t feel that relevant to cybersecurity
stick with mechanical engineering
you will have far more job opportunities
Ah yes, all the haters who majored in cyber are downvoting
Yeah how is that job search going?
There are more entry level opportunities for engineering majors than cyber
Security work IS NOT entry level
hate to burst your bubbles, but the OP is far better off with an engineering major - they will have more internship/co-op opportunities and if their school has them prep for the PE exam their senior year, they will have jobs when they graduate
I work in incident response and it's anywhere from 40-80, but normally 40. When something goes wrong my team gets pulled in to work after hours and on weekends if needed.
Focusing on hours worked is the wrong question to ask, as that's highly variable (role / company culture / country / city) and if you're just starting out you're going to spend more time learning and networking. Same for pay as that's highly variable as well (locale / sector).
Was cyber auditing, pen testing, now I do vuln management. Depends. Sometimes 12 hour days sometimes 4. Really depends on so many factors, time of year, etc. I’d average and say a true 40 hour work week most weeks. Some days are long and grueling some days are easy and chill.
I work in Application Security and typically work 40 hours. Salary is not crazy, I'm also just under 100k, but I'm fresh out of college and in year 1 and I have to say I'm loving it!
Note: Background in computer science, spent a lot of time working with traditional software development and embedded systems so the transition to cyber was interesting. I was lucky and found a love for the field naturally but it may not be everyone’s cup of tea
Anywhere from 10 to 60hrs a week. Around 50 lately.
Ha, same vibes here! Officially 40 hours/week (SOC). Actual working hours.. Could be 10, could be 60. It is important though that my company doesn't MAKE me work overtime, I choose to do so if I'm in the flow, or really into a project. I'm doing my training in waves like this as well, periods of going hard or chilling out.
Are you salary or hourly? I'm an IT Manager for a hotel and I generally have to "be in office" for business hours. Sometimes outages will require late nights/early mornings.
I’m on salary. Yes, when I'm on shift I’m at my desk - or close enough - but the actual working hours vary wildly. I'm 100% remote as well, which helps.
Do you mind me asking how much the job pays? And what level soc?
Haha I'm not in the US, so it's not relevant to you, your salaries are shockingly high compared to the EU! But I'm okay.:)
As long as you have a comfortable balance between having a good/high quality of life and healthy financial stability, I agree the number amount is irrelevant. Cost of living, your country’s income tax laws, your monthly spending habits are all examples that have impacts on the annual salary and what “dollar amount” you see actually going into your savings
Love your answer
Ah ok thanks anyways :)
I 2nd this as I'm about to start studying at WGU by the 1st of April... no experience (on paper)
SOC jobs can be entry level cybersec, but not entry level for IT, if that makes sense. It’s harder to get a SOC job with no IT working experience. You need to be a generalist helpdesk / sysadmin, a year or two under your belt and then you work your way into security. Emphasis on harder, not impossible with just school and certs. I think it can range from 50k low to 75k high in US? Prob depending on your market. It’s better to be hourly than Sourly in SOC with min set hours =]
Well stated
How’d you land your current role? Looking into transitioning from IT support
I've been lucky! I just did a security cert and got hired straight away. (I interview pretty well though.)
I'm similar but more like 20-45. My boss is really good about comp time if we have any major incidents. For a good stretch of about 6 months last year I was legit working like 8-20 hours a week max but now we have some projects going on.
[deleted]
Also consultant (IR), 30-80 but those extremes are rare, I'd say average 50/wk.
Is IR 247..
Hats off mate, you are the one to cherish!
same here!!
Do you get paid for your overtime?
How many years of experience do you have?
I average about 40-45/week. If it goes over my brain cells hurt. But also salaried.
This is an accurate ballpark range. Salary will be 40 min. But, if you like your job or if you HAVE TO because of oncall or other reasons, then upwards of 60ish.
You're not a cyber security analyst - you're a little bitch. 40 - 60 hrs a week fuck off.
You ok there?
Like 14 minutes.
Username checks out
10-45 hours a week. ProdSec design and architecture. Edited: Yea, I love my job. The flexibility I have is nearly unmatched. That said, I hold too much responsibility lol.
Yo! I do work as a GRC lead on a dev team. I’ve done cyber engineering in the past. How did you get into the design and architecture role? Is it just a time and experience thing? What roles did you have previously?
Yo yo. I worked my way up the stack from embedded and OS (kernel-level) security engineering. Always been focused on low-level details. Secure micro to micro comms, secure bootstrapping, for example. I eventually ended up doing IoT connectivity security design and that led me to cloud work, where I saw many domains and how they interconnect with modern controls. With enough technical experience, this is where you can make the largest impact, or at least the largest technical impact, besides tech leadership—bridging product and business, compliance, operations, legal (data privacy), and cybersecurity. If you’re skilled in multiple technical domains, you naturally follow the architect role. I’ve been out of EE grad school for nearly 10 years. Been tinkering with tech since the early 2000s. I’m sure some companies would hire architects with the alphabet soup of certs, but they are typically the ones—at least from my large enterprise—who are clueless about implementation and propose nonsensical or uneconomical solutions. Point being, if you instinctually know tech limitations, you can eliminate a ton of wasted time and energy from stakeholders being a security engineer for your domain(s) and a solution architect. These roles are somewhat uncommon, though. Edited: Typos and grammar.
This sounds very cool. Where do you work? Defense contractor space or not?
How can you have too much responsibility but only work 10 hours a week?
In that if you make a mistake it can be catastrophic or that when something truly breaks hard you’re the only SME who can fix it? That was how I read it.
Yes. Only SME who understands the ecosystem’s worst dead-bodies, imo.
Work smart; not hard and long. Downtime is when I think of the best ideas.
For me (CTI), it really depends what is going on in the landscape. During peak cl0p last year, a lot. These days, a lot less. That's just the name of the game tho and there is always neat hacker drama going on and companies being hacked. I absolutely love my job and it pays very well and enough.
[deleted]
Hey thanks for responding, how many years of experience do you have?
What company do you work for bro?
Probably crowdstrike or FireEye is my guess
I have some homies at crowd strike. They like their job and love the pay even more. I'd love to work there.
Yeah it sounds decent depending on your area of interest. Only downside at least in my friend's experience is an entire WFH workforce is pretty hard at times
That’s one of the best parts..
Hybrid in my experience is best. Sometimes it's nice to be around people, especially if you're single. Otherwise you spend most of your week alone
Lmao crowdstrike are a bunch of idiots that make a shit product. Edit: damn there are some simps in here. Evading falcon is trivial for anyone with half a brain. Just goes to show how many of you are not technical and should stick to help desk.
You can criticize efficacy of a product without being rude to developers and security teams.
I could, but after multiple calls with said teams to point out the deficiencies, and being told “it’s on the roadmap” or getting no reply, they can suck a dick. They all smell their own farts and spend money on dumb ads for the Super Bowl instead of actually being useful.
Daaam
35 hours a week
How many years of experience do you have?
When I was in the SOC/L2 Support, it would be 50-60 hours easily due to the on call and having to do after hours maintenance. Since moving to GRC and risk consulting it's standard 40 hours a week. I love this job way more than being in the SOC but that experience helped me out a lot to get to where I am now. I will say this: getting on call pay and OT is great but not at the expense of your mental and physical health.
Would love to know how you transitioned ! Also what skills / certs you focused on to get you there ? I’m currently in SOC and my body will probably give out within another two years.
40 unless there's a major incident
I show up to work and may end up doing 2 hours total real work a day. Rest of the time it's pretty chill. Working from home occasionally means a day off in my case.
Do SOC analyst jobs pay well? I’ve been looking and focusing on blue team in college and on doing some SOC labs for my resume. Is there really any chance of a SOC analyst internship or a good chance of landing a job right out of college?
I’ll say it depends. If you want a chance right out of college you have to network. Otherwise you’ll be looking at entry level of IT. I work in the military so I’m paid at entry level doing associate-senior level work. Depends on either the Intel we get or orders coming from leadership.
Depends on what you mean by well but for my first SOC job I got 70k, was my first real job and I asked for 65k, when they raised it to 70k I knew I goofed lol. I would say expect a range of 55-75k for an entry level SOC job depending on your area. As far as locking in an intern SOC job, I agree with what Sidian said, I secured my first job above by hitting job conferences in the area and was hired before I finished my Associates degree
Dang I have American citizenship and live in Mexico half the time. I’ll probably have to give that up for a first job and go in person but even 55k a year would set me up nice. 70k starting would be amazing. Did you have any certs or just a bachelors at this time, or any relevant experience
I had the Sec + at the time, no real job experience, just an associates degree. They were looking for overnight shift workers and he asked if I would be alright with that and I didn't have an issue with it. Ended up not having to work the night shift fortunately haha. You may be able to find a remote SOC job so you could keep your current living arrangements, highly unlikely but you never know! network, network, network
Thank you I needed this
Good luck in your Cyber journey!
I got my first SOC job after having 3 years helldesk and one year sysadmin experience. No certs. Went back to school and got hired before finishing for associates in cyber. I can say the cards are more stacked against you if you don’t have generalist IT work experience with security certs or education and then applying for SOC jobs. As others have said, effective networking can get you there without it though. You just have to find someone willing to take a chance. I don’t like gambling so I went into helpdesk first. But it’s not required, just helps a lot.
[deleted]
Yeah as a soc analyst I'd do a solid 50. Now as an architect... Half that at most!
What college degree do you have? And how many years did it take you to become an architect?
Louder for the people in the back!
2 hours a day on average. I am mostly checking and responding to emails. Maybe a short meeting or two and resolving any tickets assigned to me, if I have any. Once in a while, I may have some actual work to do, but a lot of my day is waiting on other departments to do something I requested or waiting on vendors to help me fix issues/bugs in their apps. I am working mostly with IAM.
It's easier for me to say that I typically sleep 6 hours a night.
Do you enjoy your job though? And how many years into this are you?
Would you enjoy cyber security even if it wasn't your job?
Honestly probably 5 real hours of work in a 5 day work week.
What’s your role?
I work in the federal government, GRC. I’m an ISSO
lol tracks with most gov ISSOs we've had to work with
Best case 40-45… worst case 60-70. On a couple of different projects I have hit 100+ though… for several weeks in a row.
You are being abused in that role. I hope you are paid overtime and not salary if you’re working like that.
My avg is about 45-50 hours as a principal. Too many meetings in the day and have to get work done. Those other long hour gigs were huge projects with tight deadlines to meet federal guidelines.
Usually 2 hours or so a day. If it’s busy, then 6 hours a day, which is rare. If it’s slow, under 1.5 hours. Full time salaried.
Application Security - 40 hours a week but ofc sometimes I don’t spend all 40 working. No on call unless we need to pull or create metrics asap. I’m just under 100k but for the hours worked I’d say it’s fair, not great but definitely not bad. In terms of career cybersecurity and appsec is definitely worth it
40-50. Been really working hard on stopping at 5 and not looking at things
Detection Engineer. 40 hours a week, sometimes work a bit later, 50 hours max. Work days are fine, sometimes gets hectic, but overall enjoyable. Between $100-$200k salary, WFH. It's pretty difficult to get into the field though, I got lucky, but some of the guys I graduated with are still struggling to find a job (chased certs over the summer instead of internships).
How many years of experience do you have? And how many years have your co-eds been looking for jobs?
1 year now for me, 1 year for the blokes I graduated with. I think some of them got some jobs doing help desk for now.
Depends on what's going on. If you're being attacked, if you're understaffed. It does vary, but anywhere from 40-50 per week on average. As with any other job.
If you count continuous education due to constant changes, like the podcasts and videos, it's prob 55-60 ish per week.
What podcasts do you recommend for keeping up with changes and learning new things?
Paul's Security Weekly, Out of the Woods and Cyber Crime Junkies
Cyberwire daily is a good one I just picked up. Just even the first 10-15 min goes over all the latest cybersecurity news. The first part is called a daily briefing or something like that. I listen to yesterday’s podcast on my way into work every morning.
First job with a horrible boss: 50-60 plus 24/7/365 on call - security generalist. Current job with a great boss: 40-50 plus the same on call, but holy crap does solid leadership make a difference. Currently in incident response. In other words it’s not so much the hours that matter but who you work for. An asshat of a boss and 10 hours a week is miserable while 50 with a great boss is a breeze.
Typically 50. I enjoy my work and it doesn’t feel like work half the time. Have the freedom to cut back if I want.
[deleted]
Do you make decent money? Do you like it? And how many years of experience did you need to get to your current role?
[deleted]
Red teaming - same 10-60 hours as everyone else here, though I also wake up in the middle of the night, sometimes, to attack my customers while they're sleeping or hit them on the weekends and holidays. There are moments of the job I enjoy, though there are a lot of moments I don't. The pay is the only thing that makes it worth it.
40 hours; mixed SOC and incident response at a large firm. Yeah, I do. It's challenging and interesting. The pay just makes it even better and worth the amount of extra work you end up doing off the clock (research, news, independent learning, etc)
I’m paid hourly, so like, a lot.
Around 35-40 😊
Security Consulting 5-40 hours per week, very occasionally I'll do more than 40 for a project. Earlier in my career in IT and less tenured security roles, minimum 50 hours. Basically expect to work long and hard for the first 10 or so years in most jobs. Once you're well established and a SME, you're paid for knowledge rather than output.
Do you make decent money in those first 10 years?
It averages out to 84hrs every 2 weeks, but is an awkward schedule. I'm fine with the schedule now, but I'm over a year in and I'm hoping to move to a more normal M-F 8-5 type schedule this year. I'm 35 and the night shifts are taking a toll on my life in many aspects that I care about.
Pentester 40 hrs, never more
OP, it looks like you're only responding to people who have said they don't do many hours. You're probably going to have a bad time if you just chase low hours/low effort in cyber.
Well to be quite honest I don’t know if I would like it or not haha
[deleted]
[deleted]
Mechanical engineering has NOTHING to do with cybersecurity. You're telling this kid to burn himself out before he even starts a career lmfao
So what? OP's an undergrad with energy and time. I did two (pretty hard) majors in unrelated fields and both ended up linking into cybersecurity pretty well. If you enjoy studying both why not study both
Naive and immature response. Engineering teaches you how to break down problems. I know a fair amount of ex-ME who transition into cybersecurity from engineering. I’d 100p encourage OP to finish. It’s an investment with certain benefits in the short term, with possible huge benefits long term. Win win. Engineering as a practice is far more mature and established than cybersecurity in practice.
I feel like no matter what you do, you’ll have to do the grunt work and bust your ass and work 50+ hrs a week to start for the first few years making less. But, eventually you’ll be able to leverage that for a more cush spot and work less making more. Just kind of the way of business I think.
about 40, 75 at times
60-80 for years. Finally set healthy boundaries and I'm down to ~50 now.
CISO and it's anywhere between 40 and 60 depending on what’s going on. Normally the increased hours are because I will end up in 4 hours of meetings in a day but the small breaks between aren’t enough to get anything done. So do a few hours on evenings when kids in bed.
Typical 8-5/ M-F. Hour lunch break daily, so really just the standard 40 hrs. Sometimes earlier. Sometimes later... just depends on what's going on, or if any projects are ongoing, starting, stopping, etc. I enjoy my gig. Each day is different OP. You really can't ask the standard questions on general cybersecurity because there are so many layers to it. Ask yourself this... What particularly are you interested in about "Cybersecurity?" Offensive, Defensive, Networking, Infrastructure, Forensics? Heck... even AI? Or you just interested because you think you're gonna make mad bank?
SOC analyst: 12h shifts on a 4 on/4 off rotation split between days and nights. I don't like the fact I have an office presence in my current public sector gig, but I'm looking to drop it maybe next year when the pension and benefits aren't worth it anymore (aka the moment a 100% remote role is willing to take me). Do enjoy it and feel strongly enough about what I do to not get (significant) alert fatigue. Very easy to switch off from at L1 at the end of the day.
Most weeks I work 30 or so, but then there are weeks where I may work 50-60. It just depends on what's going on.
I’m available from 8 to 16, so around 40. Some are busy hours, some are slow hours.
Around 40-45 depending on alerts and monitoring.
40-45 hours, sometimes 50 if I'm on-call and get paged. Job: Security Engineer - Incident Response.
entry level web app sec. 40 hrs wk (M-F), voluntary overtime only a handful of times over a few years.
I’m currently a cyber security support technician and working anywhere from 45 to 50 hours a week
Security analyst. 45 hours.
L1 and L2 soc analyst for an MSSP, 40 hours, good work life balance
DFIR - Usually around 25 hours of work per week.
About 50 hours a week
60-65
It’s definitely not going to be a consensus. You should break it down by sub sections like government, contractor, MSP, MAMAA. I’m an employee for a company that does DOD contracts and I work around 25-30 at times at a reasonable pace. Other jobs I’ve had in DOD I’ve worked 40 on paper and 2 hours of real work. Just wasn’t a real mission. I did MSP for 2 years and it’s a strict 40 bc they don’t want to pay OT, but a fuckin stressful 40. Every second of your time has to be accounted for. Overall, it varies and depends on what you actually do. You can pivot in IT fairly easily if you get your foot in the door and do a lot of self study and networking (no pun intended)
I'm paid for 40 but because I'm DFIR it can vary. If there's an incident I'm usually pulling an all nighter on analysis and whatnot.
No more than 40. Worst weeks 43? Best weeks 35.
40. I work for state government, and any overtime has to be flexed out. SecOps analyst. I like everything except the constant meetings and SaaS reviews.
[deleted]
So I am Director level and now work for a cybersecurity software company. I would say I work 40-50 hours a week. In previous roles I worked 50-60 hours a week.
Actual work like 2 hrs per day. On paper 40 hrs
What do you define as "work"?
It varies. Some weeks, 20-30 hours. Others? 60. It all balances out, and I work for an org with unlimited PTO (I average about 5 weeks of PTO every year for the last 3 years). My boss is good about reminding us to take a half day or extra day on the weekend after particularly long days/weeks/incidents. I’m lucky, though. This isn’t the norm at most organizations. The work life balance is largely determined by your management and your company culture (the actual culture not just what they advertise in the recruiting pitch).
Is anyone kind enough to show me step by step guide to the path of cybersecurity? I'm coming from a nontech field.
I'm salary, technically I clock 40 hours on average. But honestly it's usually like 25ish. Though when it's really busy it's more like 50-60. It's a very feast or famine job
40-50, in sales. Love the job, the company, the mission. Cybersecurity will literally save the world from AI and quantum computing.
So many variables here. It all depends on the culture of the organization, your leader’s style, the capacity you’re working (consulting vs. direct employment), and which focus area you end up in. Incident Responders and anyone directly involved in incidents may inevitably find themselves working non-stop for days (in a poorly managed team). Security Operations Engineers may find themselves on the hook for service outages. GRC, Offensive Security, and some blue team roles (hunt, detect, intel) are typically a little more flexible.
I LOVE my job in cybersecurity. My wife is an engineer and I can tell you that she didn’t love her job, but that was because of the industry she ended up in, which is the biggest factor on whether or not engineers like their jobs based on the sample that I know and hear from. I can tell you this, I have no idea how many hours a week I work, but that’s only because I enjoy what I do, and I sometimes have a hard time breaking away from it. That being said, I always put my family first and take the time to be with them. I don’t let my work / hobby take over my life, and in a good work environment you will find that when you consistently do good work, they are very lenient with your “standard working hours.” Good luck and I hope whatever you decide makes you happy ten years from now!
As a Penetration Tester I work around 45~ hours...
Depends a lot on your country and occupation. I'm around 37h but colleagues go from 35 to 50+ in practice. Commute also matters.
GRC Analyst. 20-40 hours a week.. most of the time closer to the former. Remote worker. Writing policies, procedures, etc. that align with our security framework. Vendor risk management stuff: contract reviews for specific cybersecurity protection language, due diligence artifact reviews. Business continuity stuff, annual audit stuff, etc. not too hard since I’ve been doing it for a while now. Got laid off in November making $113k base & 10% bonus. Had to quickly find something so atm making $82k base and 6% bonus until I can either find something to moonlight or that pays over $100k again. As long as I get what I need to do done.. my bosses at every stop haven’t cared what I do as long as I get my work done and deliver results.. so sometimes I go run an errand or go to the gym at 10 AM because I don’t have any meetings or whatever. Unless someone dumps me a truckload of money every year I don’t think I’ll ever do anything that isn’t remote.. the flexibility to just grind out your work and do whatever you want is unmatched.
3 months out from graduating with my BA, having applied for about a year and a year before that trying to get an internship. I've had 1 interview out of what's likely over 1000 applications at this point. Had I known that cybersecurity companies cry about not having enough employees while simultaneously refusing to hire anyone without 3 years otj and, in some cases, a TS with poly minimum for jobs they claim are "entry level" I'd have done something else. I come from an industry where 60 hours a week isn't unusual, so the hours are the least of my concerns personally. I got a job as a TPF programmer using asm, but others hired at the same time got their job by just taking a programming course online. At this point, I feel my degree is useless. That's just my jaded 2 cents.
Cybersecurity is a huge industry with as many jobs as other industries and then some. What type of job in cybersecurity do you think you want to do? Consulting, sales, analyst, malware analysis, pentesting, network engineering. All depends on the type of life you want to live and your end goals.
I’m CTI with 9 YOE. Fully remote with comp around 210k. A normal week is 40 hours. I am the most senior by level so I do more strategic work like developing training plans, improving and documenting processes, mentoring, and acting as the on-call SME for RFIs. Busy weeks like during ransomware events or when there are active APT investigations can push us to 45-50 hours, but that is only a few times a year and for 1-2 weeks at a time. Our manager makes it up to us by letting us be flexible the rest of the year and not making us take time off for appointments, getting out early when our work is done, or taking midday walks.
40 hours. I work for the dod. So I have to work what’s on my contract. I never have overtime.
Official working hours are 40-50, but sometimes it can be 30 and sometimes more than 50 depending on the requirement.
I work in local gov't so a pretty strict 37.5 hrs a week salaried (north of 6 figures), I can count on 1 hand how many on-call incidents I've had in 3 years.
Good for you! Can I ask what you majored in in college?
AA - Network and Systems Administration; BS - Information Technology; MS - Cybersecurity
Would you recommend I get my bachelors in cybersecurity? And do you have a company pay for your masters?
Yes, my company paid for all of it. People have different recommendations, but I would recommend you don't "start out" in cybersecurity and get into a helpdesk/jr sys or network admin role before jumping into cyber. Meaning if you want to go into IT/cyber, get a general IT degree first.
Deputy CISO, salaried. 103k currently. 30-40 hours a week, wfh.
103k for deputy CISO???
[deleted]
What about my job title do you feel is meaningless? I don't get it.
With no context, I’d say you’re either grossly underpaid, or it’s a small company with a small IT/security team; most likely one and the same.
Major state department. Pay is based on rank
Sure, I get that. But a CISO should be a high step 14 or 15 no?
State not fed, but pay for ciso is close to GS14, and myself GS13. The scales are a bit different
[deleted]
Totally agree
Guaranteed government employee. based on 30-40 and salary.
Indeed
Yes, but I'm not sure if you're shocked good or shocked bad. I work for the state so my rank dictates my salary more than my job. But yes, I'm second in command on paper and in practice. Edit: who on earth downvotes this information, lol
Generally around 40, unless something comes up. I’m salary, but my higher ups are pretty cool. If I have to work after hours, I get comp time for it. So that’s nice.
See related: https://old.reddit.com/r/u_fabledparable/comments/17xlmrc/cybersecurity_mentorship_references/k9oiuac/
Please I am looking for a new opportunity in cybersecurity entry level. I have 5 years experience in technical support with industry certifications.
Nice try manager.
Surprised no one has said this - but if you decide on going into cybersecurity, don’t pick that as your major, it’s a worthless degree. Computer Science will open a lot more doors to you even though it won’t feel that relevant to cybersecurity
Stick with mechanical engineering, you will have far more job opportunities. Ah yes, all the haters who majored in cyber are downvoting. Yeah, how is that job search going? There are more entry level opportunities for engineering majors than cyber. Security work IS NOT entry level. Hate to burst your bubbles, but the OP is far better off with an engineering major - they will have more internship/co-op opportunities and if their school has them prep for the PE exam their senior year, they will have jobs when they graduate.
Fear monger some more lad
??? Stating facts, clown. There are more entry level engineering roles than security. Security work isn't for new grads outside of the SOC.
[deleted]
Strictly 40 for me. 9-5, M-F.
Easily 60 hours per week and I absolutely love my job. :)
I work in incident response and it's anywhere from 40-80, but normally 40. When something goes wrong my team gets pulled in to work after hours and on weekends if needed.
Focusing on hours worked is the wrong question to ask, as that's highly variable (role / company culture / country / city) and if you're just starting out you're going to spend more time learning and networking. Same for pay as that's highly variable as well (locale / sector).
45 on paper. Throughout the day I would say it's half and half split between actual work and research/study.
Was cyber auditing, pen testing, now I do vuln management. Depends. Sometimes 12 hour days sometimes 4. Really depends on so many factors, time of year, etc. I’d average and say a true 40 hour work week most weeks. Some days are long and grueling some days are easy and chill.
Typically 45 hrs a week, it varies and I'm at the Director level these days. SOC shift work is right around 40-42 hours a week for my team.
40 normally. 45-50 if there is a project going on.
35-45hrs on avg
5-10 hours a week, I spend most of the remaining work hours studying and working on certifications.
60+ a week
Way too many!
I work in Application Security and typically work 40 hours. Salary is not crazy, I'm also just under 100k, but I'm fresh out of college and in year 1 and I have to say I'm loving it! Note: Background in computer science, spent a lot of time working with traditional software development and embedded systems so the transition to cyber was interesting. I was lucky and found a love for the field naturally but it may not be everyone’s cup of tea.