by samstave 1697 days ago
CISSP.

A buddy of mine is KILLING it in security - and he got a 30% raise and a $100,000 sign on bonus from his new gig plus a $40K sales bonus less than six months after joining.

But you actually need to be interested in security to succeed.


Any company that values certs in InfoSec is not a company you want to work for. There are specific government roles that require certs, and thus there exist good companies that make a token nod to paying for their folks to get certified, but the CISSP isn’t going to teach useful skills and any company that says otherwise is a huge red flag.

Best route depends on what band of security you want to get into. Pentesting? Building systems? Incident response? It’s a big field. But essentially, would recommend getting your hands dirty, go poke at some bug bounty programs to get your feet wet. That’ll help you narrow down what you want to do and get a sense of what attacks look like in the modern era, which are the 2 really useful outcomes.

Palo Alto Networks. Government Clients....
It’s not clear to me what you’re trying to say? I specifically mentioned that there are roles that require certs due to government regulations, and at companies worth working for, you get hired as you are and they pay for you to hit whatever checkbox certs the role needs on paper.
We are on the same page. I mentioned CISSP as a goal to seek out.... not "start out the gate at CISSP"

The guy said he was a full stack SWdev for ~10 years... I am sure he is technical enough to understand the path...

We aren’t on the same page. CISSP is not a goal. For security jobs, there are 3 possible states with regards to certifications (CISSP, SEC+, etc):

1. Your employer doesn’t care about certs, and their customers don’t care about certs, and so you don’t need to worry about certs.

2. Your employer doesn’t care about certs, but they have customers (like the government) who believe erroneously that certs are desirable. So your employer pays for you to go get the fancy piece of paper so their customers will pay them. This is no different than any other checkbox requirement from the customer.

3. Your employer cares about security certs. This is a sign that you don’t want to work there.

I second the CISSP cert. Seems to be more prevalent or sought after than Security+. I think GSEC is another cert, or group of certs, that I hear about more than Security+ too.

I don't know about the money part. The $120k EUR salary already sounds high to me, and this $100k bonus stuff sounds very high to me also. Maybe these are outliers. The median for an infosec analyst seems to be $103k vs $110k for devs in the US.

https://www.bls.gov/ooh/computer-and-information-technology/...

It's also possible that I'm a jaded pessimist since I'll never make that sort of big money.

103k-110k (assuming that is total comp) sounds shockingly low for the USA. At least I feel like it would be low for SF; maybe the rest of the USA is dragging it down.

https://www.levels.fyi/comp.html?track=Software%20Engineer&s... shows much higher but maybe they only track higher end jobs.

Those are the medians. SF would be substantially higher. Much of the US would be pretty close. I think Levels has a bit of tech, and maybe high earning, bias. Places like Glassdoor and Indeed are showing similar results to the BLS medians.
I’m currently making the 120k EUR as a contractor which means I have no benefits. I have to pay health insurance, retirement plan, my work laptop, office space, etc. which is normally covered by your employer (at least here in Germany).

I think it’s comparable to 85k - 95k EUR/year if you are employed.

My total comp falls short of that range (adjusted for USD) and I still have to pay a hefty chunk for benefits too. Seems like the range you listed is around the median for the US. Not sure what it would be in the various EU countries, although I've always heard it's lower for many/most.
Reading about CISSP, this is listed as a requirement: "Possess a minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains (CBK)."

Looks more like an intermediate/senior level kind of certificate?

Yeah, it's not for getting into the field at all.

The cert you're pursuing, Security+, is much better suited for that.

You'll also learn about fencing requirements and where fire extinguishers should go.

CISSP is not a cert to get as an entry point into the field.

CISSP shouldn't be an entry level cert. Something like SSCP or CSSLP might fit better here.
You need 4 or 5 years experience in a few CISSP domains before you can get it.

So not a great one to pursue at first.