How to choose between in-house and consulting cyber security jobs

Christine Wright, Senior Vice President, Hays US

The cyber security jobs market is growing, and the recent pandemic has widened the skills gap in this area. The UK Government estimates 653,000 businesses (48 per cent) are unable to complete the basic tasks laid out in its Cyber Essentials scheme. Some 40 per cent of tech leaders also say cyber security jobs are the most difficult to fill.
This skills gap exists across the cyber security jobs market, with Microsoft Azure jobs, innovation and cloud services roles all growing in demand, according to a Gartner study. The study states: “In spite of the shortage in talent supply and increasing overall demand, HR leaders can consider strategies for both short- and long-term workforce planning in this tight and volatile labour market.”

In-house vs. consulting cyber security jobs: the pros and cons

This leaves many cyber security professionals facing a difficult decision: should you take an in-house or consulting role? There are a few factors to take into consideration to help you decide. Let’s examine the pros and cons of each way of working, and the opportunities available in each role.

1. In-house

What does a typical in-house cyber security role entail?
If you work in-house with a specific company, you will work with the same team and IT environment every day. Each cyber security role is different but your responsibilities may include assessing potential threats to your corporate network, prioritising threats, escalating threats and investigating any breaches.
Many cyber security professionals are also involved in training programmes, helping the organisation build a strong culture of awareness and prevention. And you may help to develop and implement a cyber security response or recovery plan for your business.
A standard in-house cyber security role is usually nine-to-five, unless there’s an issue. However, those working in a Security Operations Centre (SOC) may work alternating night shifts.
What are the pros and cons of working in-house?
An in-house cyber security role gives you the opportunity to deep dive into an organisation’s IT infrastructure and business operations. If you enjoy working on such in-depth problems, this is the role for you. You also get the opportunity to work with business leaders and across the organisation.
However, in-house cyber security experts sometimes suffer from a lack of exposure. In some organisations, cyber specialists can get stuck dealing with tickets, where they prioritise and escalate threats day in and day out, rather than investigating these threats.
If you do find yourself stuck in a rut, you could ask for more challenging projects. Alternatively, you may want to start investigating a consulting role or work in a Managed Security Services Provider (MSSP) environment.

2. Consulting

What does a typical consulting role entail?
When consulting, you will work on a specific short-term project before moving on to the next one. These projects can vary in length but are usually a few months in duration, where you often work with multiple clients.
In an MSSP role, you typically work with several long-term clients as well. The day-to-day responsibilities are similar to a consulting role but you get the opportunity to work with the same set of organisations.
For example, in a consulting role you may provide a specific cyber security service like penetration tests. At an MSSP, you are likely to provide an extensive range of cyber security services for organisations looking to outsource their SOC operations.
Is a consulting or MSSP role best for you?
Both consulting and MSSP roles give cyber security specialists exposure to a wide range of business and IT environments.
So, these roles are ideal for individuals who want to expand their areas of expertise. They are also very diverse, which is perfect for people who find the routine work of an in-house role monotonous.
But there are downsides to consulting and MSSP roles. These short-term engagements are sometimes exhausting and frustrating in the long-term, as you do not always get the chance to see your work in action or deep dive into a specific problem. In an MSSP environment, for example, you are often rushed and may not be able to give your clients as much attention as you want to.
In a consulting role, you also have little to no opportunity to change the way your employer works. Your input and wider business impact is very limited. If the firm you’re working for doesn’t have an efficient way to onboard and service clients, every engagement can quickly get very repetitive.
With both a consulting and MSSP role, it’s important to assess whether your personality is suited to these fast-paced engagements with multiple clients.
To conclude, cyber security is a dynamic and exciting field for any IT professional to work in. It’s also filled with plenty of opportunities – but you must assess all your career options to find a work environment that suits your interests and goals.