DFIR Training Blog

   


 

How to Make BANK in DFIR!

TL:DR

Do not step foot on the path that leads to DFIR if you are looking for a free lunch or big checks without doing the work. Be prepared to work and to work hard.  The path is tough. There are no shortcuts. You have to do the prep work to earn the chance to do the real work.

Just as no one can wear the Eagle, Globe, & Anchor without graduating Marine Corps boot camp or OCS , no one can make it in DFIR without putting in the work.

With that, you can make “bank ” in DFIR depending on what your goals are, and if nothing else, you can certainly make enough for a comfortable, financial career. I’ll give some average numbers and some crazy numbers toward the end of this post.  This post was spurred by a flurry of “how much do people make in forensics” emails that were sent to me.

Blood, sweat, and tears

If you are already working in DFIR, skip down to “Making Bank in DFIR ”, otherwise, if you just starting your DFIR path, the next sections are for you!

Side note: I took several psychological and personality exams over my life for specific jobs in both military and law enforcement. On the first one that I ever took, there were lots of questions relating to money. The common theme of the money questions was to find if the money and not the job were more important to candidates. I always truthfully answered that the job (the specific job that I wanted) was always more important than any specialty pay. If there were a question that asked if I would pay to get these unique jobs, I would have answered with a big, fat YES. Keep this in mind on your journey to DFIR. Money is important, but so is happiness. They are not mutually exclusive or inclusive. Plus, whenever you do anything for the sake of money, you usually earn it.

The most not-so-uncommon question that I have fielded over more than a decade is ‘how to get into DFIR’. First, a qualifier: I don’t know the answer outside anything that I haven’t seen or experienced first-hand. Second, my knowledge of the DFIR field is a narrow sliver of the whole.  If DFIR is a football field surrounded by a wooden fence, I have only looked between two slats of wood and have seen just that much of the football game.

This doesn’t mean that I have no idea of the rest of the field, but that I know one slice of it much better than I know of the rest of it. I tend to believe that everyone in the field is like this, at least those who have worked toward to heavily specialized knowledge.

Here is my advice on getting to the DFIR field:

Identify your goal and work backward.

Too many people start out on the DFIR path without knowing where they are going, other than getting a cybersecurity aka information security aka DFIR job. This would be like walking to the store without knowing where the store is or what you plan to buy when you get there. It is aimless, fruitless, and pointless. Keep in mind that the job of a digital forensic investigator is drastically different than that of an cybersecurity architect, even though they are both under the broad umbrella of cybersecurity.

Identify your end goal. What do you want to do? What do you think you will be good at? Who do you want to work for?  Even finding out how much pay you want to make is important to know BEFORE you act.

After identifying what you want, find the path from that goal to your current situation. Work backward. Plan backward. Work your way back to where you will be starting.  Then work your way forward to catch anything you may have missed.

If you don’t plan now before you start, or stop right now and self-correct, you will never “make bank”, but will recklessly lose your bank!  I have seen some spend themselves out of all their savings on the wrong courses, the wrong degrees, and thought they were on the right path but were not even on a path. They were aimlessly struggling to no end.

The good news

Many resources point the path for you. SANS , NICE , Cyberseek , NIST , and other resources have nicely laid out, visual infographics for you to follow. Even with these, you may find yourself stepping outside their paths simply because yours may be different. These are great resources regardless!

For your goal, there is a neat trick that is helpful to develop your path. Find a job opening that you would like to have, then look at the requirements. The requirements are “hints” to developing your path. Not every requirement for every job is hardcoded, so you may be able to substitute one for another. Some are non-negotiable, but many are not. A college degree might be a non-negotiable requirement for some jobs, and if that is something you cannot do, find another goal until you can earn a degree!

Your path is not like mine or anyone else’s path. We get tangled up comparing ourselves to someone else. We see someone else flying through this field as if they were born to do it. In reality, everyone works hard. Some make it look easy. Some have luck. Some make luck.  But everyone has to work to learn and fill in the blanks of their path to get to where they want to go.

The easiest way to DFIR is to get hired with an organization that has a pre-planned and all-paid path laid out for you. Then you enjoy the ride (working hard!) without worrying about whether or not you are on the right path. There are internships, apprenticeships, and government positions that fit this route.

Since there are more positions, titles, duties, and tasks in DFIR than you could ever learn, I am going to skip the part of which path fits you. If you are at the stage of just wanting a cybersecurity job without knowing exactly what you want to do, that is just as clear as wanting to be a doctor but having no idea about what kind of doctor you want to be (Foot? Brain? Heart?). Or wanting to be a mechanic without knowing what you would like to work on mechanically (Cars? Planes? Trains?). Find what you want to do first. With that…let’s skip right to the “making bank in DFIR”.

Making Bank in DFIR

This is the part you came for, right?

Let me digress again with the money part. I sincerely suggest that you do not go down the DFIR path solely because you think you will make a lot of money. The amount of work required, the intense studying, the frustrating attempts of practice and research, the extent of reading needed, and the sheer volume of information to be familiar will overwhelm the most determined person.  On top of that, there are expenses on this path! Software and hardware. Courses and education. Exams and certifications. 

You have to want to do this job if you want even a chance of being successful, let alone competent, in the field. Once you embark on this path, every dime you spend will either end up being a great investment of your money or have the end result of buying pet rocks.

How much can/will you make in DFIR?

As you will learn doing this job, the most common answer to every question is, “It depends.”  Sorry. It is as simple as it is frustrating for the salary or commission or bonuses or rates that can be earned as it is for figuring out if a malware or a user was responsible for some dirty deed on a computer.

For hints on salaries, check out job postings.  Government jobs most always list the salary ranges. Private organizations sometimes will.  When I first started out in the private sector, I quickly learned that DFIR paid more than I expected. In one of my first interviews, I was told, “We only pay x amount, but there is room for y bonuses.”  When I heard the “x” number, I was quite surprised! It was about 40% higher than the salary that I would have taken at the time. I didn’t even negotiate the salary, which looking back on it, I should have. Learning experience.

So, the salary is there. Some organizations do not pay what others will; be aware that the exact same job in one organization can pay nearly twice as much as another organization.

But for making money, if that is your goal, you can succeed if your heart is in it for the right reason. I have met some who come across as extreme money-loving, money-grubbing, and charge-the-maximum practitioners, and none are as successful as those who give more than they take, at least for the short term.

If you eventually go “solo” and work for yourself, or with partners, the potential to make more money than working for an organization is possible. It is not probable, but certainly possible. You’ll need to run a business like a business and do good work. Doing that, I have seen billable rates as low as $95 an hour to $800 an hour.  Yes, I said $800 an hour, for a self-educated forensic expert. That’s not me by the way!

More common, I’ve seen the average of those two ends being the rate charged for the small shops.  For the $95 expert that I know, he could charge hundreds more an hour and still be a great value for his clients. But that is his comfort zone for what he wants to do.

Other ways to “make bank” on the side

I guided (or pushed…) a few DFIR salaried employees to branch out beyond their day jobs, partly for my benefit and mostly for the community’s benefit. There are so many DFIRers working day-to-day with amazing knowledge and skill, yet it is all kept without the 2 or 3 partitions of a cubicle.  If they were to go private, they would be the $300 - $800 experts in big cases!  For them, I gently push as much as I can, into sharing their information publicly, and encourage that they charge for their worth.

Many in DFIR donate hours each week to the community, which adds up to weeks or even entire months of a year when added up. That is a lot of time and work.  Let me leave this that if you are good, and your heart is in it to help others, this is a path to being compensated for your time.  I don’t suggest that this is to make money, but to help you continue helping the community while avoiding overspending your bank account!

Back to ‘making bank in DFIR’

Yes, you can make more money than a doctor and more than most lawyers without having near the education and student loan debt in those two fields. Yes, you can charge thousands to speak at events for 45 minutes. Yes, you can charge hundreds of dollars per hour, on a case that takes 100 hours before it even gets to trial.

I suggest for good of soul and good of community, that sharing and helping others should be your goal and path. The money will come.  Maybe you’ll make a ton! Or maybe you’ll be more than financially comfortable and be able to provide for yourself and your family.  

But then again, being a source of encouragement or enlightenment may not only be the inspiration of another to make a difference in the world but will feed your soul more than sending out a big invoice.

Written by :Brett Shavers

{rscomments option="com_rsblog" id="141"}