How to choose between in-house and consultant cyber security jobs

How to choose between in-house and consultant cyber security jobs

The cyber security jobs market is growing, and the recent pandemic has widened the skills gap in this area. As outlined in our global cyber security report for 2023, 72% of employers believe that events in recent years have had a significant impact on their cyber risk profile. However, 90% claim that the skills gap is affecting their organisations’ ability to implement their proposed cyber security strategy. 
As it stands, there are currently 3.5 million unfilled cyber security jobs worldwide, with cyber security “a near-zero unemployment marketplace for those with extensive backgrounds”.
This leaves many cyber security professionals facing an interesting decision: should you take an in-house or consulting role? Let’s examine the pros and cons of each way of working, and the opportunities available in each role.

In-house vs. consulting cyber security jobs: the pros and cons


1. In-house

What does a typical in-house cyber security role entail?

If you work in-house with a specific company, you will work with the same team and IT environment every day. Each cyber security role is different but your responsibilities may include assessing potential threats to your corporate network, prioritising threats, escalating threats and investigating any breaches.
Many cyber security professionals are also involved in training programmes, helping the organisation build a strong culture of awareness and prevention. And you may help to develop and implement a cyber security response or recovery plan for your business.
A standard in-house cyber security role is usually nine-to-five, unless there’s an issue. However, those working in a Security Operations Centre (SOC) may work alternating night shifts.

What are the pros and cons of working in-house?

An in-house cyber security role gives you the opportunity to deep dive into an organisation’s IT infrastructure and business operations. If you enjoy working on such in-depth problems, this is the role for you. You also get the opportunity to work with business leaders and across the organisation.
However, in-house cyber security experts sometimes suffer from a lack of exposure. In some organisations, cyber specialists can get stuck dealing with tickets, where they prioritise and escalate threats day in and day out, rather than investigating these threats.
If you do find yourself stuck in a rut, you could ask for more challenging projects. Alternatively, you may want to start investigating a consulting role or work in a Managed Security Services Provider (MSSP) environment.

 2. Consulting

What does a typical consulting role entail?

When consulting, you will work on a specific short-term project before moving on to the next one. These projects can vary in length but are usually a few months in duration, where you often work with multiple clients.
In an MSSP role, you typically work with several long-term clients as well. The day-to-day responsibilities are similar to a consulting role but you get the opportunity to work with the same set of organisations.
For example, in a consulting role you may provide a specific cyber security service like penetration tests. At an MSSP, you are likely to provide an extensive range of cyber security services for organisations looking to outsource their SOC operations.

Is a consulting or MSSP role best for you?

Both consulting and MSSP roles give cyber security specialists exposure to a wide range of business and IT environments.
So, these roles are ideal for individuals who want to expand their areas of expertise. They are also very diverse, which is perfect for people who find the routine work of an in-house role monotonous.
But there are downsides to consulting and MSSP roles. These short-term engagements are sometimes exhausting and frustrating in the long-term, as you do not always get the chance to see your work in action or deep dive into a specific problem. In an MSSP environment, for example, you are often rushed and may not be able to give your clients as much attention as you want to.
Another potential risk of working in a consulting or MSSP role is the reliance on sales and a pipeline of customers. As a result, losing a client can be particularly costly and will have a large impact on your own security.
In a consulting role, you also have little to no opportunity to change the way your employer works. Your input and wider business impact is very limited. If the firm you’re working for doesn’t have an efficient way to onboard and service clients, every engagement can quickly get very repetitive.
With both a consulting and MSSP role, it’s important to assess whether your personality is suited to these fast-paced engagements with multiple clients.
To conclude, cyber security is a dynamic and exciting field for any IT professional to work in. It’s also filled with plenty of opportunities – but you must assess all your career options to find a work environment that suits your interests and goals.