Consultant vs in-house security engineer
Discussion
I have two potential offers: one is confirmed, the other is not at offer stage yet but likely if I go further.
Option 1 - Consultant in cyber security
£105k salary
15% bonus (not guaranteed obviously)
25 days holiday
100% WFH
Option 2 - In-house security engineer
£85k is "top end" apparently, but it's always hard to know if there is more wiggle room; it sounds like there isn't
20% bonus (not guaranteed)
25 days holiday
+15 days for training to be used however you want, e.g. funded courses or just sitting at home researching.
WFH mainly
1-2 days in London office per week, not strict on this though. I quite like the idea of it as it will break the week up.
.....
Obviously pay is quite different, but so are the jobs.
My thoughts are:
In-house is likely to be a far easier pace of work. They are a really nice bunch from the interviews I've had. Seems a nice company and a good way of life there.
Consultancy is likely to be far more pressured as it's supplying services to paying clients who are suffering an incident, but it is more lucrative.
...
Has anyone worked in either situation? Anything I should consider here or think about?
Felicity28 said:
eliot said:
Been an IT consultant for about 23 years - if you know your stuff you won't be stressed.
Even in incident response? I thought that would be quite intense with consultancy
Being a consultant in anything should define you as being pretty knowledgeable in your field - ergo you should be fine.
But I can imagine in that situation you would have loads of people demanding quick answers. Having said that, you say it’s all remote, which is far less stressful than being in a datacentre at 3am with a customer upgrade that’s just turned to crap and you know it’s down to you to fix it whilst you freeze your nuts off and need food and a drink.
Hi,
Retired Cyber Security consultant here. In my experience WFH generally means that the company doesn’t provide an office, but you will spend a significant amount of time on a client's site.
For cyber security incidents this will obviously be at a moment's notice, convenient or otherwise, and the locations might be nice, maybe not.
Perhaps things have changed since my day, but in a cyber security incident the following will happen:
Management, including very senior management, will run around like headless chickens whilst throwing their weight around to get everything sorted. (Sorry about the mixed metaphors.) They will want to have people on-site rather than Zoom meetings.
Secondly, the urge to shut down as much of the systems' external access as possible will be very strong. They are not going to want to grant administrator access to external consultants to trawl through business servers carrying out investigations.
Thirdly, there will be a lot of blame spreading and politics in any incident, and management in the business and IT will use it as an opportunity, with the incident response consultant often in the middle.
Sorry if this seems cynical, but I have done a fair number of incident investigations. But also, things might have changed.
ac13 said:
Perhaps things have changed since my day, but in a cyber security incident the following will happen:
...
Management, including very senior management, will run around like headless chickens whilst throwing their weight around to get everything sorted.
...
there will be a lot of blame spreading and politics in any incident, and management in the business and IT will use it as an opportunity, with the incident response consultant often in the middle.
Sounds about right..
When I was pentesting you always felt stuck in the middle of a load of politics/egos and had to be delicate with how you presented your findings. Sometimes the management wanted to use it as an excuse to fire someone, and sometimes it was the techs trying to highlight shortcomings in the management.
ac13 said:
Hi,
Retired Cyber Security consultant here. In my experience WFH generally means that the company doesn’t provide an office, but you will spend a significant amount of time on a client's site.
For cyber security incidents this will obviously be at a moment's notice, convenient or otherwise, and the locations might be nice, maybe not.
Perhaps things have changed since my day, but in a cyber security incident the following will happen:
Management, including very senior management, will run around like headless chickens whilst throwing their weight around to get everything sorted. (Sorry about the mixed metaphors.) They will want to have people on-site rather than Zoom meetings.
Secondly, the urge to shut down as much of the systems' external access as possible will be very strong. They are not going to want to grant administrator access to external consultants to trawl through business servers carrying out investigations.
Thirdly, there will be a lot of blame spreading and politics in any incident, and management in the business and IT will use it as an opportunity, with the incident response consultant often in the middle.
Sorry if this seems cynical, but I have done a fair number of incident investigations. But also, things might have changed.
Exactly this ^
Well that all sounds pretty miserable! 😂
I don't believe many IR companies go on site that often. It costs the client a ton more money and in this job they've said it's rare for any need to go to the site.
In terms of pay vs pensions it is:
Consultant: £100k, 3%/6% employer pension and up to 15% bonus
In-house: £85k, up to 7.5% matched pension. They match what you put in. Up to 20% bonus plus the 15 days training you can use however you want
Felicity28 said:
I have two potential offers: one is confirmed, the other is not at offer stage yet but likely if I go further.
Option 1 - Consultant in cyber security
£105k salary
15% bonus (not guaranteed obviously)
25 days holiday
100% WFH
Option 2 - In-house security engineer
£85k is "top end" apparently, but it's always hard to know if there is more wiggle room; it sounds like there isn't
20% bonus (not guaranteed)
25 days holiday
+15 days for training to be used however you want, e.g. funded courses or just sitting at home researching.
WFH mainly
1-2 days in London office per week, not strict on this though. I quite like the idea of it as it will break the week up.
.....
Obviously pay is quite different, but so are the jobs.
My thoughts are:
In-house is likely to be a far easier pace of work. They are a really nice bunch from the interviews I've had. Seems a nice company and a good way of life there.
Consultancy is likely to be far more pressured as it's supplying services to paying clients who are suffering an incident, but it is more lucrative.
...
Has anyone worked in either situation? Anything I should consider here or think about?
Whilst the consultancy role is 100% WFH, is there any client-side travel required? This may be reduced now but may be a requirement in the future, definitely worth considering.
Being a consultant, you can go in, provide recommendations, fixes, reports etc. then walk away, which has been my experience with consultancies, and leave the teams to pick up the policies. You'll essentially be consulting but hands off.
The in-house engineer will likely be more hands on, be responsible for change and implementation, and also do internal consulting on strategy regarding product updates etc.
Just depends on what you're looking for really? What role are you doing just now, what are the pros and cons, and what are you looking for in your next role?
Raptor7000r said:
Whilst the consultancy role is 100% WFH, is there any client-side travel required? This may be reduced now but may be a requirement in the future, definitely worth considering.
Being a consultant, you can go in, provide recommendations, fixes, reports etc. then walk away, which has been my experience with consultancies, and leave the teams to pick up the policies. You'll essentially be consulting but hands off.
The in-house engineer will likely be more hands on, be responsible for change and implementation, and also do internal consulting on strategy regarding product updates etc.
Just depends on what you're looking for really? What role are you doing just now, what are the pros and cons, and what are you looking for in your next role?
There isn't much travel they say. It's rare to go onto the client site as it costs a fortune and most are happy with just remote work.
The in-house one is probably an easier transition for me and a more relaxing/nicer job role. The people I spoke to sound really nice too. Plus, as it is not client based, it's likely to be less stressful.
The pay is not as good though. The consultancy say they may be able to stretch further to £110k, so that is £25k more than the in-house job.
At the moment I am doing more of a management, hands-off role in a slightly different sector. I'm keen to move more into hands-on work again as I'm not enjoying what I am doing at the moment.
Felicity28 said:
The pay is not as good though. The consultancy say they may be able to stretch further to £110k, so that is £25k more than the in-house job.
Have you worked out the difference in net pay between the two?
Over £100k you start to lose your personal allowance at a rate of £1 for each £2 over £100k (I think....), and so the net effective tax rate between £100k and £120k is 60%. You can increase your pension contributions to offset this, but obviously this money cannot be accessed until you are at least 55.
The difference in take-home pay may be less than you think.
Burrow01 said:
Have you worked out the difference in net pay between the two?
Over £100k you start to lose your personal allowance at a rate of £1 for each £2 over £100k (I think....), and so the net effective tax rate between £100k and £120k is 60%. You can increase your pension contributions to offset this, but obviously this money cannot be accessed until you are at least 55.
The difference in take-home pay may be less than you think.
Yea, differences are shown monthly:
In-house job: £85k = £4809 per month
Consultancy: £100k = £5534 per month
If the consultancy do increase the offer to £110k, then it goes up to: £6017
Felicity28 said:
There isn't much travel they say. It's rare to go onto the client site as it costs a fortune and most are happy with just remote work.
The in-house one is probably an easier transition for me and a more relaxing/nicer job role. The people I spoke to sound really nice too. Plus, as it is not client based, it's likely to be less stressful.
The pay is not as good though. The consultancy say they may be able to stretch further to £110k, so that is £25k more than the in-house job.
At the moment I am doing more of a management, hands-off role in a slightly different sector. I'm keen to move more into hands-on work again as I'm not enjoying what I am doing at the moment.
I've been offered similar and I'd like to go down the consulting route, but it's always involved travel.
The in-house role would likely be the more satisfying, actually doing things as opposed to adapting different report templates for different clients, but that would depend on the area of consulting.
I've found techy hands-on people struggle with hands-off roles, not making changes and just operating environments with no desire to change. If the money's not an issue and you want job satisfaction, I'd probably go with the hands-on role and get an idea of their next 1-3 year plan to see if it fits with what you'd like.
Evanivitch said:
What's the T&C for consultancy if you're not currently assigned a customer? Some companies have a bench system on reduced pay (exists in engineering consultancy anyway). That can be a bugger when business capture isn't in your remit.
I believe there are a lot of things around preparation, or proactive work you can do with clients, particularly towards the end of the year. There are also desktop exercises internally you can take part in, research teams to work with, etc. So there's always something to get involved with.
I've never heard of reduced pay due to no client work.
ac13 said:
Hi,
Retired Cyber Security consultant here. In my experience WFH generally means that the company doesn’t provide an office, but you will spend a significant amount of time on a client's site.
For cyber security incidents this will obviously be at a moment's notice, convenient or otherwise, and the locations might be nice, maybe not.
Perhaps things have changed since my day, but in a cyber security incident the following will happen:
Management, including very senior management, will run around like headless chickens whilst throwing their weight around to get everything sorted. (Sorry about the mixed metaphors.) They will want to have people on-site rather than Zoom meetings.
Secondly, the urge to shut down as much of the systems' external access as possible will be very strong. They are not going to want to grant administrator access to external consultants to trawl through business servers carrying out investigations.
Thirdly, there will be a lot of blame spreading and politics in any incident, and management in the business and IT will use it as an opportunity, with the incident response consultant often in the middle.
Sorry if this seems cynical, but I have done a fair number of incident investigations. But also, things might have changed.
Did you enjoy the consulting work? It doesn't sound like you did, or was it just general cynicism but still good work?
Yes, I did enjoy the consultancy work in some ways; I got a chance to travel to all sorts of places, and working with different clients gave me a wide perspective on security. Some organisations were surprisingly good at security and others rubbish, both in government and outside.
Eventually I was mostly doing policy work and that got a bit depressing, because every senior management team wants to say they have the policies in place but very few of them want to implement them rigorously and hold people to account.
Without being too political, it was all like Michael Gove saying “Robust Protocols in place re Liz Truss phone”: it doesn’t mean anything if you can’t get everyone to follow it.
Also you could get on a project that was long term, and whilst the company is making money from you being on that project they are very reluctant to let you move on to something else. I eventually went freelance because I wanted to pick and choose my projects.
IT projects can be a very mixed bunch: some are short term, weeks or months at most, and some are years/decades long, particularly government projects. The long projects are invariably very complex but also very slow to progress because of the complexity.
Some of the most interesting work was developing incident management processes and procedures for organisations, in that it covered business and communications management as well as the technical aspects. This could get quite involved, and then getting all the players in a conference room to war game the procedure was always fun.
One of the roles you mentioned was as a security engineer. I’ve carried out this sort of role for various projects and organisations. How enjoyable this role is depends on the quality of the security organisation within the organisation.
The interesting aspect of this role is that you can have your finger in every aspect of the organisation, and if the management trust you then you can really influence how well they do security.
Both roles have their advantages and disadvantages. Consultancy will get you wider experience in the short term but may ultimately lead you to be fixed into a particular role.
A security engineer role can also be good in that it will probably be more predictable with regard to workload and location, and depending on the organisation can also give good opportunities to develop up the management structure if that is what you want.
Sorry if that is a bit rambling.