A man and a woman stand either side of another man sitting in a chair at group of screens showing code, symbolising cybersecurity roles.
Image: © Gorodenkoff/Stock.adobe.com

In-house cybersecurity roles versus consulting roles: Which is best for you?

26 Oct 2022

Hays’ Christine Wright explores the pros and cons of working within a single company versus working as a consultant or for an MSSP.

The cybersecurity jobs market is growing, and the recent pandemic has widened the skills gap in this area.

This skills gap exists across the cybersecurity jobs market, with Microsoft Azure jobs, innovation and cloud services roles all growing in demand, according to a recent Gartner study.

The study states: “In spite of the shortage in talent supply and increasing overall demand, HR leaders can consider strategies for both short and long-term workforce planning in this tight and volatile labour market.”

This leaves many cybersecurity professionals facing a difficult decision: should you take an in-house or consulting role? There are a few factors to take into consideration to help you decide.

Let’s examine the pros and cons of each way of working, and the opportunities available in each role.

What does a typical in-house cybersecurity role entail?

If you work in-house with a specific company, you will work with the same team and IT environment every day. Each cybersecurity role is different, but your responsibilities may include assessing potential threats to your corporate network, prioritising threats, escalating threats and investigating any breaches.

Many cybersecurity professionals are also involved in training programmes, helping the organisation build a strong culture of awareness and prevention. And you may help to develop and implement a cybersecurity response or recovery plan for your business.

A standard in-house cybersecurity role is usually nine-to-five, unless there’s an issue. However, those working in a security operations centre (SOC) may work alternating night shifts.

Pros and cons of an in-house role

An in-house cybersecurity role gives you the opportunity to deep dive into an organisation’s IT infrastructure and business operations. If you enjoy working on such in-depth problems, this is the role for you. You also get the opportunity to work with business leaders and across the organisation.

However, in-house cybersecurity experts sometimes suffer from a lack of exposure. In some organisations, cyber specialists can get stuck dealing with tickets, where they prioritise and escalate threats day in and day out, rather than investigating these threats.

If you do find yourself stuck in a rut, you could ask for more challenging projects. Alternatively, you may want to start investigating a consulting role or work in a managed security services provider (MSSP) environment.

What does a typical consulting role entail?

When consulting, you will work on a specific short-term project before moving on to the next one. These projects can vary in length but are usually a few months in duration, where you often work with multiple clients.

In an MSSP role, you typically work with several long-term clients as well. The day-to-day responsibilities are similar to a consulting role but you get the opportunity to work with the same set of organisations.

For example, in a consulting role you may provide a specific cybersecurity service like penetration tests. At an MSSP, you are likely to provide an extensive range of cybersecurity services for organisations looking to outsource their SOC operations.

Pros and cons of a consulting or MSSP role

Both consulting and MSSP roles give cybersecurity specialists exposure to a wide range of business and IT environments.

So, these roles are ideal for individuals who want to expand their areas of expertise. They are also very diverse, which is perfect for people who find the routine work of an in-house role monotonous.

But there are downsides to consulting and MSSP roles. These short-term engagements are sometimes exhausting and frustrating in the long term, as you do not always get the chance to see your work in action or deep dive into a specific problem.

In an MSSP environment, for example, you are often rushed and may not be able to give your clients as much attention as you want to.

In a consulting role, you also have little to no opportunity to change the way your employer works. Your input and wider business impact is very limited. If the firm you’re working for doesn’t have an efficient way to onboard and service clients, every engagement can quickly get very repetitive.

With both a consulting and MSSP role, it’s important to assess whether your personality is suited to these fast-paced engagements with multiple clients.

Cybersecurity is a dynamic and exciting field for any IT professional to work in. It’s also filled with plenty of opportunities – but you must assess all your career options to find a work environment that suits your interests and goals.

By Christine Wright

Christine Wright is the senior vice-president of Hays US. A version of this article originally appeared on the Hays blog.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Loading now, one moment please! Loading