Way back before hacking had become a thing that pops up in everyday life with worrisome regularity, actors Robert Redford and Sidney Poitier were the stars of a film about a freelance team of security professionals who conduct live tests — with permission — of security systems intended to prevent break-ins and other criminal mischief. If you saw Sneakers (1992), then you probably recall the following exchange, between Redford’s character and the bank employee who prepares his check upon completion of a bank security assessment:
The employee asks, “So people hire you to break into their places, to make sure no one can break into their places?” Redford’s character shrugs, grimaces, and replies, “It’s a living.” Eyeballing the amount on the check she has just completed, the employee sympathetically says, “Not a very good one.”
So times have changed. Sneakers wasn’t precisely about the line of work that we variously describe today as penetration testing, ethical hacking, or assurance validation, but it gave a pretty good glimpse of the parameters that have come to define the industry. It also guessed wrong about compensation. It turns out that you can make quite a good living as a penetration tester in 2021:
Employment facilitator Indeed recently reported an average annual salary for penetration testers in the United States of $111,647.
There was already ample evidence of the need for skilled professional penetration testers at the end of July 2018, when tech industry association CompTIA completed a six-month development cycle with the launch of PenTest+, a new professional certification for penetration testers. Last week, PenTest+ reached an important milestone with its first formal refresh — the updated exam is available immediately.
As characterized by CompTIA, PenTest+ is intended for cybersecurity professionals of “intermediate” skill level who specialize in “hands-on penetration testing and vulnerability assessment.” As is the case with most other CompTIA credentials, PenTest+ has been formally endorsed for government contractors and other federal employees by the U.S. Department of Defense.
You don’t have to work for Uncle Sam, however, to take advantage of soaring employment demand for skilled cybersecurity professionals. Research conducted this year by cybersecurity professional association (ISC)² indicates that there are more than 2.5 million unfilled cybersecurity jobs worldwide, and that the global cybersecurity workforce needs to grow by more than 60 percent to fill the gap.
Among the changes to PenTest+ formally unveiled last week (just in time to wrap up another fruitful Cybersecurity Awareness Month) is expanded coverage of techniques for testing cloud and hybrid cloud attack surfaces, as well as web applications, desktop computing environments, and servers. The new exam also emphasizes the importance of sound vulnerability management assessment and implementation.
There are a great many job roles among the ranks of cybersecurity professionals, and “penetration tester” is not the only one that a PenTest+ holder would almost certainly be prepared to step into. Other roles PenTest+ can help you nail down include security consultant, cloud penetration tester, cloud security specialist, web app penetration tester, security analyst, network security specialist, and information security engineer.