I am asking from an American perspective. I have worked in IT, and am studying for a degree in Cybersecurity. I love it, and find it very interesting. I have noticed though, there is a massive increase in outsourcing. More and more businesses are replacing their IT staff with either temporary consultants or offshore services. I have done some project work as a contractor and there is no stability at all. Is this a trend that is going to continue? I don’t want to make a career out of being a temp.
On the plus side, some “temps” were called “contractors” and were well paid.
30 years ago I would have told you to go for it.
Now?
Hardly.
If you can figure out a way to polish a career, the field of security is wide open.
Become a $200/hr Consultant where you can review a client’s operations and find weaknesses (like putting everything on the web) and make detailed and accurate detailed, specific recommendations to improve, you may have a shot at a decent income.
How you get from where you are to being that consultant? No idea.
In general, there is this “Language of the Week under the Operating System of the Month” - the modern languages are “Revenge of the 4th Gen’s”.
Just trying to stay current on languages looks daunting.
Can you learn Hindi?
I think there is always going to be a demand for the best and brightest, but not for the average and below average students.
Well I’d say there will be senior roles but junior roles might peter out.
Which means it may indeed be hard for students starting out but doesn’t necessarily mean you need to be Sheldon or whatever. Just being hardworking and picking up the right kind of experience can be enough.
Even companies that oursource development work need engineers locally. The typical outsourced project typically involves a lot of investigation of the technical requirements, prototyping work, product design work, system architecture decisions etc before it’s “shovel ready”, and much of that either can’t be outsourced or would be more expensive to outsource that just having a local guy.
I think it can be a good career, but it needs to be thought of as a highly competitive career rather than as easy money.
It’s smart to specialize in areas that are harder to outsource-- management, product design, etc. To stay competitive, you’ll need to manage your career pretty heavily, continually learning new skills, attending industry events, and building a professional network. You will have to live with a certain level of instability, but that’s not unique to IT. You may also need to move geographically to areas with the most opportunity, and these may be high cost of living areas. It may also be smart to get some international experience.
Spend some time with your career councilor. Start going to job fairs, just to understand who hires for what. Stalk LinkedIn to get a good understanding of what career paths tend to look like- what entry level jobs have advancement? What companies hire and what types of people do they typically hire? What are people doing to make the leap from entry level to mid career? What do people from your school tend to do?
Finally, start talking to people. Learn the basics of informational interviewing, and start building your network. Over time, you will start to really understand the landscape.
This is my ultimate goal, is to start a security consulting business. My minor in college is small business management so I can learn the administration side of things in addition to the technical.
Understand that “IT” is not just programmers and engineers. It also includes project managers, business analysts, creative artists and UX designers, sales, aspects of legal, accounting and finance, marketing, risk management, pretty much everything. And pretty much every company now uses technology in pretty much every one of it’s business processes.
The downside is that, unlike say brand management for Proctor & Gamble, it can be a bit of an “Uber” job. That is to say technology-centric companies, whether services consultancies, start ups or product based software firms can be very competitive, often with highly eccentric or youth-oriented (bordering on juvenile) cultures that make up stuff as they go along. Technical skills get outdated or offshored quickly. And even under the best of circumstances, because implementations or client engagements are of finite duration, there is constant turnover as projects start and finish.
The general approach is to join a consulting firm like Accenture, Sapient, Deloitte or Cognizant that has a focus in IT and technology. Or, if you are unable to land a job with a big firm, try one of the thousands of small consultancies and vendors. Once you have a marketable set of skills and experience, you can switch firms, try to get placed as a contractor through a staff augmentation firm (basically a glorified temp agency / headhunter) or go out and try and find clients on your own.
Working for a large consulting firm, aside from looking good on your resume, provides a bit more stability than trying to be an independent contractor. Since presumably the firm is making an effort to staff you and you still get paid, even if you are “on the bench”. Plus it gives you a bit of a consistent anchor in terms of colleagues, corporate culture and things like salary and benefits. Although consultants do sometimes “go native” if they are on site at a client for long periods of time.
The downside is that they can be highly competitive and you don’t often have much say as to where you get staffed (which can require extensive travel).
This is important to note. In the broadest sense IT has been the world’s largest industry for a while. The generic question in the OP is much like asking if white collar jobs are a good industry.
The specific area of cyber-security is much like every other specialty in the broader field, it will be an excellent career path for an unknown amount of time. You can work for a company that specializes in this field, which currently is in a growth phase, but 10 years from now most of the individual companies in the field will either be consolidated or serving niches. Many non-specializing companies will employ a small number of in-house cyber-security personnel for a while but may end up contracting out such services or technology may eliminate the need for such personnel.
I’d advise anyone looking to make IT a career to consider that whatever sector they start in they’ll eventually be a cog unless they’re capable of constantly learning and adapting to new technology. Be prepared to run as fast as you can to stay in the same place. Otherwise, just get yourself into sales or management because your current job will become obsolete.
This is the most important thing. I don’t know of any other industry where there is so much emphasis on learning new things. People in IT continuously take courses, read books, watch tutorials, &c. There is a revolution at least every five years and if you don’t learn how to learn you end up stuck in niche roles.
Even if you do learn how to learn, you can get pigeonholed into niche roles. Whenever I was job-hunting I followed the advice to focus on my strongest skill. And ended up pigeonholed as a Cobol programmer for 20 years despite learning and wanting to use other stuff. I finally got smart and job-hunted for something completely outside of my strongest skill and pivoted into the role of a business analyst. If I’d known that way earlier I might have had a more varied career.
I think this is a dead-end idea.
One-man security consulting is a great way to be a blogger. One or two of whom got famous waaay back when the field was wide open. Now? Not so much.
The problem with one-man firms is they can only service small clients. IT security consulting is not a product small businesses buy.
If you start out, ref msmith537, building a name for yourself as a guru working for a large consultancy you may become expert in some decent-sized niche. And meet enough consultants and customers to be able to leave with allies, an industry reputation, and a potential book of business.
But just hanging out your shingle as another mom and pop small biz IT helper, but this time with new and improved security as the tag line isn’t going to go well. IMO YMMV.
Alternatively, you get a process heavy waterfall development and ITIL operations stack, where cowboy and juvenile behavior doesn’t fly - but neither does innovation or risk taking - which means that the ERP system you are working with hasn’t been supported for five years because upgrading it would be expensive and risky and they threw in a few thousand customization that they don’t know quite what they do or how they work, but the company might cease to function if they weren’t rewritten - which will be expensive even to figure out what they ARE. (Can you tell I’ve been there?)
As someone who spent some time in IT Security, I’d look for a corporate job before a consultancy with a security firm, before hanging out a shingle. Understand how a company works, then understand how many companies work - building your network. I think you can make a go as a one man shop, but you may do a lot of supplemental staffing instead of the security evaluations and architecture you envision - those get jobbed out to bigger firms. (And honestly, supplemental staffing as an independent consultant tends to be steady and pay well. Its less exciting, but the cash flow problems are much less).
Also, while IT security is an awesome field, where change happens so quickly you’ll have long job security (it isn’t likely to be automated or offshored away), change happens quickly. You have to be autodidactic and willing to be constantly learning. As you get older (I’m 50) your brain may be less flexible - so like my eighteen year old son going into pipefitting who we’ve told “have a plan to give out before the physical labor is too difficult” - have a plan to get out before you lose the mental elasticity for the rate of change. If you are lucky, you (and my son) will be flexible enough to do your jobs for a long time.
If your contacts are GREAT, and your reputation is AWESOME, and you have the capital to pull it off, you can create a four or six person firm which will have the perceived manpower to do assessments and architecture. But its a fairly high risk proposition - my husband is an independent single man shop, and his first six months this year were awesome. And his last two months were good. And four months of the year we had the foresight to set away enough money to get through - plus we also do back end work for other consultants (placement, billing, contracts), and make a decent amount of money in investment income every year, so there is some money coming in every month even when he isn’t billing. And currently we are hoping the next gig comes though, probably another month as the guy who wants to bring him in gets project approval. But that could fall through, so there are three other people in his network he’s simultaneously working.
Is this true in the healthcare industry? A doctor’s private practice is a small business, and because of HIPAA, they have a great need for IT security.
I have a couple pals who’re small-practice doctors.
They buy the whole app suite from a web-app company that specializes in doctor office scheduling, operations, billing, and accounting. All they own is a half-dozen consumer PCs with consumer antivirus installed, a couple generic laser printers, and a wireless router set up with bog standard WPA-PSK.
100% of what they do business-wise with those PCs is log on to https://DoctorOfficeInTheCloud.com
They have no more need for IT security than does my brother the computer-illiterate and computer-less carpenter.
Bigger offices with 20-30 doctors are another story. They might still have some on-premises stuff.
Throughout every IT-using industry (which is to say, every industry) the advent of the cloud will centralize all facets of IT support into a few giant providers. Leaving perimeter defense of workstations about the only game still played by in-house expertise.
Doctors don’t maintain their own systems. They purchase their software or a service, more and more using an outside service, and those providers will deal with the security aspects. I work for one of the largest healthcare software providers on earth and we have about a dozen employees involved in security and only one of them doing that full time. The large institutions that are our customers generally don’t have much in-house security personnel either. Maintaining HIPAA privacy is a matter of practices by the users. Small companies can’t afford to have their own security personnel. Larger companies will contract out, only the very largest companies and software and communications providers would employ very many people in this area. Most of the job opportunities will end up with those providers and probably the greatest amount of employment will be by the government.
What would you do? Install Norton Antivirus on their 2 computers?
Generally large organizations like hospitals, health care companies and government are the ones who need armies of consultants. They are the ones who have infrastructure issues that are complex enough that they can’t just get someone’s kid to install some software.
There’s no single path. But whether you work for yourself or for a big firm, it usually takes some time (5-10 years) to get to a level where you can legitimately position yourself as an independent consultant.
As someone else pointed out, one man shops can service large clients. But they typically do so either as subject matter experts, interim management or augmenting teams in technical or project management roles.
The challenge with large clients such as big companies and government is that they often have lengthy procurement processes. So if you don’t come through one of the staffing agencies or consultancies they’ve already vetted, it can be a challenge to get in their system.
Whether you are an independent consultant, looking to be a partner at a large firm or somewhere in between, one of the biggest challenges is selling. Dangerosa’s husband’s experience is not atypical. A friend of mine who is a serial entrepreneur describes how one of the biggest challenges is what to do once you’ve exhausted your network. If you’re not in the industry, I assume you have only so many people who might be in a position to defer you cyber security work before you need to start pounding the pavement and making cold calls.
The small ISV I ran for almost 10 years had that customer base and a variant of that problem. Our primary target market was metropolitan or state governments. Followed by corps big enough to have continuity of operations challenges and a planning staff to match. We were selling completed software, not man-hours or custom dev-to-spec.
The slow stately march of purchasing decisions often took us to the brink of bankruptcy. Doubly so if an election intervened and suddenly the purchasing staff was replaced by new nepotic appointees.
We never cracked into the Feds precisely because of the “qualified vendor” hurdles.
I think the answer is “depends”. Career-wise I kind of feel like finance, marketing, sales, law, pretty much anything is better than IT. Sure, there are a lot of great tech companies. But I always feel like everyone who works for those companies only stay like 2 years. And they spend their time herded into “open plan” office spaces with exposed pipe and brick. People in those other areas seem like they stay at a company a lot longer, eventually get promoted into management or executive positions, and ultimately enjoy more prestige and even a higher salary. With the exception of a few outliers, IT people seem to always be very transitional and commodity-like.
Our small consultancy/placement augmenter works a couple of ways.
Where their is a lot of overhead to get in and they keep a small managed vendor list, we sub through a bigger firm that is already on the list. Generally these arrangements are less good for everyone - usually the corp has outsourced vendor management - and how that works is that vendor management is “free” for the corp - but gets 3% (or something) of the billings. Then our partner takes a cut, then we take a cut, then - if they are H1-B - their H1-B company gets a cut (if they aren’t H1-B you skip THAT middleman), the consultant gets the rest. Corps that do vendor management this way drive prices way down, so we tend not to place a lot of the high buck contractors that way - or if we do, our take is really tiny.
There are a surprisingly lot of big companies left where the vendor management process is much lighter, and there isn’t a small vendor list that you have to fight to get on. There we can bill direct, and then we and the consultant tend to get paid a little more. Most of these, if the salesperson gets in front of a manager with that has enough signing authority for a three month PO and we have the right person, they’ll do a three month contract, then keep extending it.
My husband is currently working on negotiating a gig that will be direct (and completely independent - our S corp to corp) with a really big company that has a tight vendor management process. They want HIM, they approached HIM, and the VP working the project will make it happen. This is about the only way to get into those big firms with outsourced vendor management at a good rate - have someone with an executive title fight for you specifically. That means an awesome network. This whole thing happened Friday - fell out of the sky - and I suspect he will be in place by Feb 1.
There is also the issue of W-2s. Many firms don’t want the regulatory hassle of independent contractors who should have been classed as employees - so they want everyone to be W-2 - they don’t want to do 1099s. In some cases they’ll take a independent S-Corp (you pay yourself and file your own W-2), but usually they want an organization bigger than one guy to hide behind. Again, for the right guy short term, they don’t care - but when you have someone who has shown up at the same desk for six years as a contractor, the lawyers get nervous.
I find it strange how many layers of people who have to get paid to place a couple of contingency workers. Most of who do nothing except cold call, email spam and forward the resumes of complete strangers.