Work-Life balance in Information Security Industry

David Luchi
May 3, 2022

The Information Security industry is one of the most desired, in-demand, and well-paid professions worldwide, and with the spotlight come a lot of questions. One of the most recurrent I am asked is “How is the work-life balance in this field?” Like many questions in IT, the answer is “it depends”, so let’s break it down.


Working hours and schedule

Most companies work on a ‘normal’ schedule: Monday to Friday, 9 am to 5 pm. Some companies may have slightly more flexible hours depending on your role, but they’re still generally within the same range. Businesses are also trialing alternative working schedules, for example having slightly longer workdays and having Fridays off.

However, many companies offer 24/7 support. They have shifts that cover all hours of the day and night, including weekends and holidays. Entry-level roles and specific areas like SOC and NOC may have teams working in shifts to achieve this 24/7 coverage. This can take the form of a local team working 6–7 days per week for 4–6 hours each day, or a team spread across the world “following the sun”.

For various roles, there is also on-call duty. You work a normal schedule but may be required to work outside of those hours when something comes up that needs attention. Hopefully, things go wrong only once in a long while, so you won’t miss too many nights of sleep.

Non-technical roles tend to be the ones that work a regular 9 am to 5 pm and are rarely bothered during off-hours, while technical roles tend to be the ones involved in shifts, on-call, overnight work, etc.

Unfortunately, there is a trend of companies that neither require nor incentivize long hours or unpaid work in your free time, but make you feel behind if you don’t do it. That is simply a bad culture; run from it.

Pressure

In general, the Information Security industry is very stressful and pressure is a constant. When you work as a penetration tester, your work is time-constrained and failure means that you may have to work longer hours. When you work in incident response or SOC, the pressure comes from having real problems on people’s systems and needing to respond fast lest they lose important data and put their business’s reputation at stake. I worked, for example, in a very critical environment where our response time was measured in seconds because each second of delay could cost millions of dollars for the company.

The work can be challenging, and you may find yourself working long hours to meet deadlines or support an emergency. Or you may simply be racing against the clock to release a new feature where the security team became the bottleneck of the entire change process because it was involved way too late, but this is another discussion…

There is always the possibility of a data breach, which can lead to public scrutiny and media coverage. Your work may also require you to travel, which can add even more stress to your life.

The idea is not to demotivate people from joining the area, just to show that it’s part of the nature of the job to deal with emergencies and crises. More often than not, there is not much time to proactively prepare for those incidents or prevent them from happening in the first place, and when they get to you it may be an emergency already.


Perks and Benefits

Information Security companies offer a variety of perks and benefits to their employees. These can include things like health/life insurance, dental and vision coverage, 401k/Super plans, gym memberships, transportation reimbursement, and more. Some companies even offer free snacks and drinks, Google style, as well as on-site childcare and dog-friendly offices.

Training and education are the most sought-after perks. Each company works out its continuous education benefits in its own way: some pay for training on a specific platform defined by management or HR, some let the employee choose, some give a fixed amount per year to be used at any educational institution of the employee’s choice, and some will pay for certs. All of them have their pros and cons, and ‘the best’ depends on you and your career. If your company doesn’t pay for education because it does not align with your current role, or because they are afraid of you upskilling and leaving, it’s definitely a red flag.

These benefits really come to mind after a certain point late in your career, when certs and courses such as CISSP and SANS start to get very expensive and any incentive helps.

Keeping up to date

To succeed in the security field, keeping your skills sharp is fundamental. Getting the first opportunity in the area has always been difficult: security is treated as a specialty field of IT, which requires a lot of background knowledge to perform your job.

For people wanting to start their careers in a security role, it will require some dedication to learn all the foundations of IT and Security. Depending on what area and role you are coming from, this learning could either be organically added to your workday or take a lot of off-work hours spent learning new concepts and practices.

After landing a job and progressing in your career, upskilling and keeping current with industry trends still apply. Some spend off-hours in labs learning new skills, and some just keep an eye on news feeds to follow the latest trends as the bare minimum upkeep of their quality of work.


Working in Information Security can be very rewarding, but it is important to know what you are getting into. The work can be challenging and stressful, but the benefits and perks can make up for it. Just remember to keep your skills sharp and stay up-to-date with the latest trends; this is what will make the difference in the long run. I hope that this article helped highlight some of the ups and downs of the industry regarding its work-life balance.

David Luchi

Head of Information Security | AWS Community Builder | CISSP | I love all things nerdy, especially Star Wars and anything to do with security.