Should I work for a big company, or would a small one be better? That’s the number one question not only for many people starting their career in cybersecurity, but for mature, highly skilled professionals as well. I was lucky to have had experience in both types of companies (my first one had more than 100 000 employees, and now we’re fewer than 300), so let me share my view on this.
- Sometimes a security guy’s duties are not clearly separated from a system administrator’s. In a small company you’ll much more likely be part of the IT department than work in a separate division. You’ll have to deploy servers and software, write scripts, do network things and keep your infrastructure stable and reliable. But the bigger the business is, the more separated IT and security duties are, and vice versa.
- A smaller company doesn’t mean you’ll have less work. Just an example: how do you usually apply critical patches? “Let’s create a task and the guys from the IT department will fix things up,” a guy from the security department of a big company would say. Found a vulnerability on a freshly deployed Linux server? Alright, now go patch it yourself! That’s how guys working in small businesses do it.
- In a small company you will in most cases be sitting with your colleagues in one building, or even on one floor. That’s why you become friends with them very quickly, and that’s the bad point in terms of security. I’m not saying that you don’t need to be friendly and kind to everyone; however, it is much harder to say “No” (and in security we say “No” dozens of times a day) to your friend than to send a “NO” email to a colleague you’ve never met, sitting hundreds of miles away from you.
- Despite the previous point, you’ll notice that security-awareness trainings become much more effective when conducted in a small, friendly atmosphere. When working for big companies, the only thing most cybersecurity engineers do in case of a social engineering or ransomware attack is send a mass emergency mail notification to everyone. Security guys from small companies can immediately hold a real-life meeting explaining to all employees why they should not open this malicious link in a mail with a spoofed CEO address. And that’s how it works.
- Sometimes you’re the only guy responsible for security processes in a small company. You have to implement tons of things: security policies, patch management, bug bounty programs, business continuity, risk and vulnerability assessment, PKI, auditing, security awareness… All by yourself. And this list is actually much longer. It is absolutely impossible to know everything, so you’ll eventually reach the point where you know a lot, but your skills in these things are still at an average level. And it’s all because you had so many different tasks to do at the same time. When working for a big company, you can easily concentrate on improving a particular skillset, because you know that there’ll always be at least one colleague who is responsible for another particular security area. For example, we had one guy who was responsible for vulnerability scanning, one for SIEM content writing, one for penetration testing… We all love multitasking; however, it’s always better to be a high-pro in one area than average in many, isn’t it?
- The variety of information security tools and systems that you can use on a daily basis is much broader when you’re in a big company. Security budgets are bigger too, so you can get hands-on experience with lots of great tools from the most successful and well-known information security vendors.
On the other side, don’t expect huge money investments when working for a small business where each cent is counted. You’re here to act, not to ask for money. If you cannot achieve your goal with open-source or low-cost tools, then we have nothing to discuss, and things like “Why do we need to buy this piece of software?” can be painful.
- Changes spread way faster in a small company. For example, recently I’ve implemented company-wide two-factor authentication in less than 2 months. Now imagine how much time it would take to deploy this solution to 200 000 employees sitting in different cities across the whole country. Or to switch everyone to a new VPN solution, or make everyone read and sign a non-disclosure policy and other security stuff?
Of course there are many more differences; I just paid attention to the ones that seem most notable to me personally. Do you like to cook things yourself, or are you a better manager than technician? Would you like to play with expensive pro-level solutions, or does getting hands-on with open source seem better to you? Do you like many small, fast-implemented projects or a couple of huge, step-by-step, long-duration stories? Do you like talking with people about security in person?
The choice is yours, and I hope this small article will help you figure it out. Comments are greatly welcomed.