I changed my major mid-stream. Technology and security controls changed so much; I was happy to switch my academic concentration from Security Engineering to Governance, Risk Management & Compliance. I was thinking that I would be setting myself up for a more fluid and certain day-to-day job. I “sipped the Kool-Aid,” colleagues! I thought that I was going to a less technical, less rigorous job when I accepted an assessor’s role. If your thinking is anything close to what mine was, let me tell you now – stay in your engineering role, as this is some bovina-schizer! I never understood why those people were getting paid so well until now. Believe me, within a reputable organization, you will earn every penny!
Yes, it's not about where you are today, but the journey you took to get there. When asked why I got paid so much by one project manager, I simply said - take a look at the teams round the room. I can perform all of their roles at a competent level, as well as my own, having done each for a minimum of two years myself. I can also perform as a security manager, enterprise architect and general risk management consultant (the three core strands of development security). The other side of the coin, though, is that there is always more to learn. Whilst operating with, and advising members of, a SOC, I have never worked in a SOC, have little exposure to new developments in DevSecOps, only manage, plan and respond to ITSHC/Pentest activity, and have no experience or involvement in aggressive activities against the attack communities. Don't even get me started on multiple business domain knowledge or new technologies such as AI and quantum computing. Continue to learn and develop and to bring a combination of knowledge, skill, and experience to the table, and remember to enjoy what you do and to act as part of the wider team.