In the wake of high-profile IT breaches at Target and other major corporations, penetration-testing firms are more popular than ever. Companies and government agencies have woken up to the fact that a cyberattack on their data is all but inevitable, and they need employees and contractors capable of discovering vulnerabilities before hackers do.
In other words, it’s a potentially lucrative time to explore penetration testing as a career. You could work for the security offshoot of a well-established firm such as Dell or IBM, or you could try your luck with the specialized startups that have sprung up over the past few years. Should you pursue the latter, it always pays to examine the skills and reputation of the company’s founders and existing employees.
“You want to look for a company that has a strong process in place for running and performing engagements,” Mat Gangwer, lead security consultant and a network penetration tester at Indianapolis-based Rook Security, said in an interview. The size of the company shouldn’t really matter, he added: It’s about the quality of the company’s work and the people behind it.
Working at a smaller firm with clients in a variety of industries gives employees the chance to “work on such a diverse set of projects, and get as close to the action as you want,” Gangwer said. The downside to working as an in-house pen tester for a major corporation, on the other hand, is the lack of variety: Your job involves poking only one company’s soft spots (“A bank is always going to be a bank,” is how Gangwer phrases it). In addition, startups can offer equity, which could pay off big in the event of an acquisition or public offering.
Working for a company that runs vulnerability scans isn’t the same as working as a hacker using custom methods to break into a system, suggests Adriel Desautels, founder of Netragard, a Boston-based penetration testing company. For starters, the client will often impose limits on what the pen tester can do in any given situation. For example, a penetration test might focus only on a certain block of IP addresses, or a group of applications. The client may also declare certain employees off-limits to social engineering, such as C-suite executives. While declaring limits isn’t necessarily in the client’s interest (a restricted pen test is better at giving a company a false sense of security, as opposed to genuine protection), your average pen tester should be ready for anything—and prepared to explain to the client why they feel a particular course of action is best.
Pen testers should also write and modify their own exploits, and not rely on automation. “Are you working for a high-threat testing or a scanner shop that calls it testing?” Desautels said. “A real pen testing company cares about the project workload and scope.”
For experienced pen testers at the right company, the job can prove lucrative. (For an idea of what an interview for such a position might be like, check out our interview questions for penetration testers.) In addition to deep technical knowledge, candidates should also boast the communication skills necessary to explain risks and solutions to clients. Salaries depend on experience, with current demand driving up the pay for seasoned workers.
“Junior pen testers make $60,000 or more, and the senior people make anywhere from $125,000 to $150,000 on average,” Desautels said. “Pen testers who are research capable earn $200,000 or more.” An informal survey of job boards and pen testers seems to confirm that figure.
Gangwer thinks that working for a more generalized IT security company that plays both defense and mock offense could prove more beneficial than joining a “pure” pen testing company that specializes only in cracking vulnerabilities. “For instance, if you have an MSS provider, and they also do pen testing, you have a red team and a blue team on your side,” he said. “Security works better when you share information, and information shared between a red/blue team will have a positive effect on the overall security posture.” (If you want to build your own “red team” in-house, there’s even a handy guide for that.)
One thing’s for certain: Given all the high-profile data thefts of late, pen testing is a growth industry.