Penetration testing is a career like no other. For some, it’s a lifestyle – a hobby more than a job, and an honest hacker’s paradise. To others, it’s a springboard for pursuing other roles in IT security, even positions at the top of the ladder like CISO.
Whatever your future inclination, starting a professional career in penetration testing can be daunting for a fledgling ethical hacker. Pentesting is, as many will attest, fun work. But how will you perform when you have a team of colleagues counting on you and management on your back?
If you’re an amateur hacker or even an experienced cybersecurity pro considering a career in penetration testing, these are important questions to consider. Put simply, penetration testing is serious business, and career success in the realm of pentesting boils down to your attitude as much as your skills.
The cultural meme that all hackers are antisocial basement-dwellers is an image that ethical hackers are passively erasing from public consciousness: most offensive security experts are, in fact, highly eloquent, personally approachable, and good team players.
Do you feel like you have what it takes to join the ranks of the ethical hacking armies of the world? Then read on for a breakdown of what a career in penetration testing entails.
Penetration Testing: Job Market and Demand
Ask any security expert if they are comfortable with their current salary. Most will say yes. That’s because IT security is increasingly viewed as an essential, well-budgeted expense for all types of business: small, medium, or enterprise.
Penetration testing is no different, and serious demand for skilled pentesters is, at present, astronomical. A decade ago, pentesting was primarily seen as an esoteric career limited to those in government or the military. Nowadays, pentesting is everywhere.
When major security breaches and public data leaks come to light through the news media (and this will continue to happen), more CEOs and company owners take steps to batten down the hatches against cybersecurity threats. In both the short and long term, this translates into higher demand for security professionals, particularly in the fields of penetration testing, vulnerability assessment, and forensics.
So, white hat hackers can thank black hat hackers for their own job security, but this is only half the story. With the advancement of the Internet of Things (IoT) and ubiquitous proliferation of wireless networking, the attack surface from which a hacker can gain access to IT systems has widened to mind-boggling proportions.
The expansion of attack surfaces means that there’s a special place in every organization for someone with unique skills on the cutting edge of IT security. And, in fact, few organizations can find candidates with the right skills for their security needs.
According to ISACA’s State of Cybersecurity 2016 report, 28% of hiring managers stated that it took their organization an average of 6 months to find and hire a cybersecurity professional. Another 9% said that they were simply unable to fill their open positions.
Clearly, the job market is starved of specialized candidates capable of assessing a company’s IT security from the unique vantage points required. Such a deficit may be bad news for cybersecurity in general, but it’s great news for potential pentesters breaking into the field.
Job Titles and Positions for Pen Testers
“Penetration Tester” is a popular job title for companies seeking to hire an offensive security analyst because it is a straightforward description of what the job requires.
However, in-house penetration testers will commonly have a larger set of responsibilities than simply testing a network from the outside.
Extra duties include getting hands-on in the administration of a network to fix whatever security issues were discovered in penetration tests, as well as helping to build and maintain secure systems. These roles can be rolled into one generalized title, like Information Security Analyst, despite pentesting being a routine part of the job.
Other general job titles that regularly deal with penetration testing include:
- Security Analyst
- Security Engineer
- Security Architect
- Security Administrator
Many companies treat the above titles as stem words, adding another term like “Cyber,” “Application,” or “Network” to denote the job scope and area of specialization.
Stable, in-house penetration testing jobs can be found in military, government, and enterprise environments. Employers looking for skilled penetration testers include:
- Lockheed Martin
- Booz Allen
A rule of thumb is that if a company can be considered a tech giant, works in the online space, or deals in sensitive information (government, financial, medical), it likely has a need for in-house penetration testers constantly working to break into things.
When it comes to independent consulting, a penetration tester can be simply a “Penetration Tester”, or something like the following:
- Security Specialist
- Security Consultant
- Security Auditor
- Security Analyst
As with in-house professionals, there are variations of job titles specific to different specializations, but the root title doesn’t differ much. Private security consulting companies are heavily involved in external threat modeling, so there is a tighter focus on penetration testing as a single, well-defined job role.
There are also great opportunities for experienced penetration testers in education and training. Certification training companies abound around the globe, so if you have experience or a knack for instructing, you could end up teaching pentesting.
Penetration Tester Salary Stats
According to PayScale.com, penetration testers command an average of $78,000 per year, with the lower end at $44,000 and the higher end up to $124,000. The average salary tends to go past the $100K mark after 5 to 10 years of professional penetration testing experience.
Meanwhile, in the UK, IT Jobs Watch has reported an average salary of £60,000, derived from a three-month period (March to April 2016) of penetration tester job postings on the internet. 10% of these job postings offered a salary of more than £78,000, while 90% of the job postings averaged £42,500.
Government or Private Work?
Government agencies and the defense industries typically require penetration testers to undergo thorough background checks, although these processes apply to most personnel regardless of job title. For many penetration testers, this can present a barrier to government work, as many hackers got their start as black hats. Neither the government nor the military is too interested in hiring hackers previously convicted of cybercrime.
On the other hand, private consultancies are more relaxed about the background of a penetration tester. As the saying goes, “Once a hacker, always a hacker,” and it goes without saying that an ethical hacker was potentially, once upon a time, a bad guy hacker. If you have the skills, there’s bound to be a private company out there willing to hire you.
The pay for government and defense work is not always as attractive as private security work. However, the lower salary is often balanced out by comprehensive benefits.
When working in government, you can expect to encounter more bureaucracy regarding security clearance and rigid framework regulations, so if that’s not your style then consider going private.
Although you will still have to stick to certain regulations in the private world, the workflow is more flexible and open-ended.
Pen Testing in the Real World
ISACA’s State of Cybersecurity 2016 survey indicates that the vast majority of information security analysts taken on by a company are not adequately qualified for their roles upon hire. The same is not always true for highly specialized penetration testers, but this survey finding certainly highlights a fact of life for new pentesters: learning is going to be a major part of the job.
On the plus side, hacking is all about learning, and you wouldn’t be interested in ethical hacking if you didn’t enjoy picking up new knowledge and skills, right?
In the real world, white hat hacking is not all fun and games, though. While you can imagine what the job’s primary focus is, i.e. hacking, cracking, and ’sploiting, there’s a lot of behind-the-scenes planning and paperwork that isn’t always mentioned in the job description.
One of the responsibilities you may find yourself faced with is report writing. It’s not enough to claim to have penetrated a client’s or employer’s network and gained root access to the database server. You have to document every step of the way.
After documentation of your exploits, there’s more paperwork in the form of suggestions and recommendations. If you’re working in a larger team, you might not have to handle this personally, but if it falls to you, you’ll need to spend time coming up with working technical solutions. This requires at least a dash of business sense.