How to Land a Cybersecurity Job
There is no shortage of challenges in the cybersecurity space, but one of the biggest is the ability to staff positions long term. As information security changes over time, and the world shifts even further into a digital landscape, the demand for people who are capable, knowledgeable, and hungry is outpacing the growth of the talent pool.
As a result, many people in the industry have been making a concerted effort to start building the talent pool earlier than we ever did previously. Whether it's coaching/mentoring within programs like CyberPatriots, attending career days, speaking at conferences, or leading internships, cybersecurity leaders are doing their best to inform and drive people into the Information Security space.
At all of those events, one question is asked over and over: "How do I get my first cyber security job?" From my perspective, that is the best outcome as it means we were able to get someone interested in joining the "good guys" in the cyber security fight.
Here are some tips to land your first cyber security role:
Pick the Job
InfoSec is a BIG space: there are dozens of different roles, different specialties, and different skill levels. Most people I talk to who are aspiring security folk immediately jump to "pen tester" when I ask what they want to do. And while that is a perfectly viable path, it isn't necessarily all the glitz and glam people envision (unless you enjoy spending 60+% of your time writing up reports - then it's TOTALLY what you want). Red Team engineers do have a cool job: they get to try and break into networks, they get to convert a list of vulnerabilities into actionable exploits, they are the "offense" in our InfoSec world.
I'll be the first to admit that Blue Teams aren't as #Infosexy as the hackers we see on TV. We don't get to smash through firewalls with a few clickity clacks on a keyboard, and we don't assemble malware while listening to EDM tracks, but the jobs are pretty fun. You get to mess around with cool technology, protect businesses from all kinds of threats, and you can still tell all your friends you're a hacker if you want. So if that #BlueTeamLife sounds good to you, then you should be sure to keep an open mind and check out roles in a SOC or on an internal InfoSec Team.
There are a lot of ways to skin this cat; you just need to find the one that works for you and get on that grind. Lots of colleges now offer information security tracks, and this is a great way to get started. For those who aren't necessarily the higher education type (I know I wasn't for most of my career), there are tons of resources now available. Look for training from people like the group at Wild West Hackin' Fest, who offer high-quality training at incredibly affordable prices. You can also just buy or borrow some books and get reading, or google for some of the nearly infinite free resources on the internet. Hunt for free webinars from vendors, and ask your friends to borrow their books when they are done (maybe even trade for books you have). Whatever method you can stick to and make work, go for it.
Start with computer and networking fundamentals (look at content related to CompTIA's A+ or Security+ Certifications) and work your way up to content targeting information security directly. As you work through some of this stuff, build yourself a home lab if possible. It doesn't have to be fancy: buy a cheap laptop online and install Kali or any of the other InfoSec distros, run Hyper-V on your Windows 10 laptop, run the free version of VMware Workstation, do whatever you can to get some hands-on experience. If you can afford to take the certification exams, go for it. It will make getting an interview easier generally. But if you can't, don't worry, it's not a game-changer usually. You just need to be able to prove you have the knowledge in other ways.
Knowing someone in the field is not the only way to get a job, but it helps. Not only are people already in the field often aware of job openings, but they can also help you learn along the way. Get involved with local chapters of organizations like ISC2 and start networking with locals in the security space. Attend networking functions like BSides conferences or local job fairs where companies with InfoSec teams (or if you are lucky, service providers who offer InfoSec services) might attend. Check online for events and webinars from local companies, etc. If you did go the school route to learn, check and see if they are holding any events for networking, and attend those. Also, check around for internship opportunities. These can be paid or unpaid depending on who is offering them, but in either case, they will offer you the opportunity to learn and network with professionals in the space.
Finding open positions is a challenge. Job titles are confusing, the actual job can vary greatly depending on the size of the organization as well as the industry, and it can sometimes feel like you need years of experience to get any role. But don't give up. Check out sites like Indeed.com or LinkedIn, set up alerts for roles that have keywords like "security analyst" or "information security", and have the site email you (or notify you if you prefer mobile apps) when something pops up.
Build a LinkedIn profile, engage on the platform, post your accomplishments, show that you LOVE this space and it will get people's attention. The first thing I do after I read a resume is check the person's LinkedIn so I can see what I can find out about them. The more I can learn about a person, the more comfortable I am with them, and that means they will have a solid chance at getting an interview.
If you are big on "On The Job" training and enjoy the "drinking from a firehose" style of education, I STRONGLY suggest looking to find work at a provider (yeah yeah, I'm a bit biased in this). Look for companies that offer security operations as a service. These are often called Managed Security Services Providers (MSSPs), but often normal Managed Service Providers (MSPs) have security-related roles too. Providers tend to have access to a wide array of networks to monitor and learn from, which means you will get a lot of exposure to things very quickly.
Nail The Interview
I have a whole series of articles on this process that you can read HERE. But beyond that, I'll just reiterate this point. We want people with passion. We understand not everyone can afford to go to a SANS training course, and not everyone can pay for every cert exam, especially when you are just getting started. We want to see HUSTLE. How did you make the absolute best out of what you had? How are you showing me that you want this more than the next person? Show us you are HUNGRY.
If you are looking to get into the cyber security space, do the above.
If you are IN the cyber security space, don't forget that we can't win this fight on our own - get out, mentor younger engineers, make opportunities for people, and do anything you can to get more people on our side.