I can imagine that the marketing for a pentest is not mature yet, as this seems to be an evolving market. Therefore, not many CEOs are aware of the benefits or even the service. Is that also true? This would equate to a small and tight job market for pentesting, I would imagine.
I think this is not true and that a lot of people are aware that they "should" in some form or fashion be doing this, whether it's from an internal team or an external team. I'm a believer that an external team not tied to the company will 9/10 times give you a more honest look than internal.
Thanks - how do I market myself once I pass the exam?
That's the biggie actually, and the toughie too. Not to start the cert debate, but cert whoring will help get your foot in the door. Experience is the 2nd part. I volunteered a lot; I also did all my work with LearnSecurityOnline.com when I was in a job where I wasn't doing straight security: I was doing IT but not security. One way or the other you have to demonstrate experience; lab time helps too. Hopefully psedu0 will chime in as well.
What does the payscale look like?
That depends on where you live. There are cert salary surveys and whatnot, and the CISSP-type ranges are where I'd expect to be. Lots of companies will say that it's based on experience, yadda yadda; that's the nice way to say they are going to screw you on your "get experience job" in the pay category.
Do you usually work "piecemeal" or sit on a list waiting to be picked up on a job like a mercenary or something? Are you employed full time with benefits, or are you contracted, i.e. 1099 etc.? I have a family to take care of, so would I need another source of income during the "slow" months?
I am with a govt contractor, so I am full time. I'm in your same situation, and while some people can work doing the 1099 stuff, I can't; I need to know how much my check is going to be every month and that it's actually going to show up.
Best advice/opinion is to work on getting experience while you learn; you obviously have the background. Does the place you work have a security section? Can you volunteer or get moved? Although in a lot of places the VA section IS the security section. In addition to volunteering, build your lab and start playing; try to build some decently complex networks once you get the hang of the ./exploit stuff. I read a lot on stuff too. Some people argue that you need to do more doing than reading; I personally need to see things, so reading helps me, but you do have to balance that with a lot of doing. Reading doesn't equal doing, but sometimes you don't know what to do if you don't read.