Learning cybersecurity for fun and profit: day 1


by Adelaide Song on 2024-02-05.
Tags: software

Why cybersecurity?

Job climate bad

I don’t think I need to tell anyone else in the industry that it’s pretty bad out there right now. It’s also difficult to imagine that stopping any time soon with the end of ZIRP and the overdue market correction that’s resulted. The grad explosion and the job drought have led to a couple of knock-on effects:

Cybersecurity is not something you can pick up overnight, but there isn’t the hard bar of a half-decade of experience the way that there is for something like DevOps. There’s also a centralised, ‘universal’ certification in the form of the OSCP, whereas a role like cloud engineer is typically fragmented across providers and products. Entry-level opportunities are limited, but newsflash- they’re limited everywhere, so the comparative harm of pursuing cybersec is much smaller than it would be in a more grad-friendly environment.

Most importantly, I know a guy in cybersec. I don’t know a guy in embedded systems or quant dev. Every job opportunity has six million people applying for it, so the only way to get your CV looked at is by end-running the process altogether, and you do that by knowing a guy. My last three bosses reached out to me, ate at my parents’ cafe, and were my literal cousin (in reverse order.) Nepotism works. I would be insane not to leverage it.

Job bad

I’ve worked in food service as an unpaid child. I did not know it was possible to receive objectively fine pay for doing almost no work and somehow feel worse at the end of the day.

In fairness, there’s more that contributes to the ennui. The first one is that my commute’s about one and a half hours long, and requires about a kilometer of walking in both directions. Even as a morning person whose circadian cycle forces them awake at 6am, having to leave the house at 6.20 every single morning is still pretty crushing. Not being able to get a single consistent WFH day despite that (and promises of flexible WFH policy during the interviewing process) is outright infuriating.

(No complaints about the regular exercise, though. If and when I do quit, I’ll make a conscious effort to keep that part of the routine around.)

The second one is that pay is pretty miserable even for a junior role, and flatly awful in the context of software dev in general. I got a graduate position ripped out from under me last year that was offering ‘significantly higher’ than 80k. My current salary is 70k before tax, putting me in something like the 20th percentile on Indeed.

If I could move out I would be a lot happier for a lot of reasons- one of which is that my commute would be slashed to a clean half an hour- but with the property market the way it is in Sydney, that’s just flatly not possible, even before additional expenses like HRT.

Finally, this is just not a tech company, which is really, really bad for a junior in particular. Nobody else has the slightest idea of what I do. There are negative opportunities for mentorship. It’s profoundly alienating doing something completely perpendicular to everyone else in the office. Not having anything useful to do at the office is making me go stir-crazy, and I can also feel myself atrophying the more time I spend here- both work-relevant skills, and creative ones like drawing that I can’t get away with practicing or don’t have the motivation to after the soul-drain that is the office day.

I need to get out of here one way or another. This job is just useful as leverage to hold over an employer’s head during the interviewing process, as well as giving me the ability to buy things that ward off the demons for another day. (This paycheck can fit so many Magic drafts in it!)

Interesting problems, at high velocity

With the depressing pragmatic reasons out of the way, we can finally talk about why I want to get into cybersecurity for reasons that aren’t ‘I will die.’

Fundamentally, I want to get into cybersecurity because it reminds me of my favourite parts of studying science, without the awful surrounding infrastructure of academia. (For more information, see acollierastro’s excellent video on the issue. Go watch her content in general.)

Science is all about the loop of theorising, testing and updating your theories as a result. Cybersecurity skips the hassle of booking labs and setting up apparatus and lets you get straight to the experimentation. I don’t know about you, but I can type a hell of a lot faster than I can rig a cyclotron, and I’m certainly less prone to dropping four-figure equipment on the floor. (Mostly.)

It also heavily encourages you to broaden your horizons and build a diverse knowledge base, since it cares about so much of the process that would otherwise get abstracted away as ‘implementation details’ by the rest of the industry. Certainly, I don’t think any other discipline would teach you how to lie your way into any building as part of the job.

Really my only complaint is that there’s not enough maths in cybersecurity. I guess this could be fixed if I went in more of a cryptography direction, but still.

The road ahead

So the next steps are pretty clear: I need to get the OSCP, and we’ll see where we go from there.

Leonardo Tamiano’s in-depth overview of the OSCP is where I’m basing most of my expectations. I’ve done some pre-study beforehand; a lot of Professor Messer in my downtime, primarily focussing on the Network and Security+ streams, which should hopefully cover most of the ‘general context’ pre-reqs.

As far as formal study goes, I’m currently working my way through the basics of Hack The Box. It’s a resource I can start working through for free and it’s one of the de facto starting points that most newbie-facing channels recommend. So far it’s stuff that I’ve encountered through the course of ‘being a guy who knows about computers online’ like de-minifying JS and using curl, although as a lifetime Windows user it’s been good to plug holes in my Linux knowledge. I’ve also set up Neovim + NvChad on my Ubuntu setup, which should both give me some extra nerd cred with interviewers and also force me to do more stuff from the command line. No baptism like fire.

Hedging

I’ve also been trying to brush up on my math and stats for the purpose of potentially applying to quant roles. I recently met up with my friends for a night of pizza, booze and 3rd Strike, and during the festivities I learnt that I’m apparently two degrees removed from someone working at Optiver. That immediately makes applications a lot more feasible, especially given how big the referral bonuses are at that particular shop.

Work-life balance might be a concern working there, but again- I’m currently going crazy from a lack of work, if anything, and the pay bump would be enormous. Again, I’d really like to move out for my own sanity, and I also have budget items like my partner visiting in August to think about. (Rings are expensive, it turns out.)

Helpfully, cybersec’s focus on low-level systems and Unix also means there’s some limited cross-talk between the two fields of study, although I doubt either the OSCP or my ability to pick locks would be of much use in an interview. If anything I think Magic has given me the most help for a potential move to HFT firms by way of making me slightly better at gambling- culture fit, people, it’s real and it can hurt you.

I also need to book in time for a resume review and/or interview practice. I’ve held off on it for a while out of a misguided sense of pride (and the fact that I actually possess social skills, unlike the average r/csMajors user), but fuck it, beggars can’t be choosing. I’m more or less staying closeted because it’s so much easier to deal with professional environments; not exploiting that fact as much as I can is just throwing my mental health without getting any EV in return. Per Ludic:

At an Australian engineer’s salary, the interview would only have to save me one day of job searching to be a net positive. Is there any universe where a graduate wouldn’t benefit from even mediocre interview preparation?

Conclusion

Records produce accountability, or at least that’s the hope. Documenting the process helps keep the catastrophising at bay; it turns out wild, irrational trains of thought are a lot less compelling when you read them back and think, ‘what the fuck was I on?’ It’s also, frankly, just kind of sad having a memento of the fact that you’re not doing something that you said you were. Between the guilt and the venting, here’s hoping that keeping this going will keep me sane- and hopefully get me into a job that doesn’t drive me insane in the next six months.