Morning OR Afternoon, you lovely people of this subreddit!
/r/cybersecurity tends to receive a lot of “What can I do to get into security?” questions of all different flavors and walks of life. Some people are transitioning from other careers and some are simply trying to get a start in a career. Regardless, the barrier to entry in security varies, and no single path works for everyone. On my team at work I have a lady straight out of college who is our pentester and a gentleman who has a background in investigating fraud (no real IT background). Both of them have proven time and time again that they are extremely competent in their subject matter, even after being on the job for less than 2 years.
Hiring Process: (Quick Talk)
The hiring process is, for lack of a better word, shit. You will receive far more rejections (silent or notified) than you will have interviews or calls. Hiring processes are subjective as hell: what the hiring manager sees as a great candidate, the recruiter / HR may toss to the side. Some managers are willing to look at a candidate's soft skills and overall skill set and say this person could do the job with a bit of training; others may simply say this person is not fit for the job. It’s an absolute soup sandwich and is highly dependent upon the people and their mindset. Do not let the rejections get you down. Here are some resume tips I’ve given to quite a few people; they have helped them at the very least get some interviews and make their “paper presence” a bit stronger.
1. Do not use the word “Assist” or anything that implies you merely helped, as it says you are not “Batman.” Nobody aspires to be Robin; aim to be Batman and let your “paper presence” show that.
2. Depending on the job you are going for, tailor your resume/bullets to draw that picture. Again, paint the picture that you are Batman for this job and have the skills. The wordsmithing / verbiage needed to attain this goal can be difficult.
3. If you are not good at making picking up a pencil sound like you saved the world, then do not reinvent the wheel or spin your wheels trying. Go out and look at job postings for the position you want, copy the bullets, and adapt them to you.
4. Is your resume fluffed? Do you still have your Windows 2000 certification listed? Remove it. If the certification / class is not pertinent to the job, remove it. Now this can be misconstrued: if you are starting out or transitioning, listing tangential certifications can be fine. The caveat is that if the certification/class is really old, remove it.
5. While looking at jobs, if you meet 50% of the requirements, apply. Most job postings have ridiculous requirements and are looking for some magical unicorn. Years of experience is kind of a garbage way to request experience, but it’s easily measured in the company's eyes. Someone with one year of experience and someone with two can differ heavily depending on the environment and how deeply the product was explored.
General Entry Suggestions: (Broad Suggestions)
Gaining entry into security in general is a pain. For me it took about 1.5 years of searching, and I turned down a few jobs because they were contract jobs or showed red flags during the interview process. Your results will vary, but be aware of the wording in job postings and read between those lines. In general, here are a few things to help you get hired.
1. Do you have a homelab? It doesn’t have to be /r/datahoarder levels of sophistication. An old desktop with a hypervisor and a few VMs for testing things will give you an excellent amount of continuing education.
2. Have a goal in mind! Do you simply want to enter security, or do you have a goal for your next 5-10 years? Tailor your certification choices and homelab experiments to work toward that goal.
3. Start reading some news sources about recent security events. This will help you stay up-to-date on the ongoing struggles in the industry.
4. If you are already working in IT, then start applying security practices to your day to day. Think about some of the low hanging fruit: strong passwords, administrative privileges where they are not needed, the best ways of setting up permissions, is that web app only using HTTP while handling PII of your users? This will help you start developing your security mindset and get in that motion. You will be ready to answer all those tough interview questions, because now you have been thinking about it daily, including the possible outcomes.
5. Have friends who do IT security? Ask questions! Ask about their experiences and what they think of the current events you read about. If you have technical questions you cannot explore yourself, ask.
6. Realize that not all security issues are “OVER 9000!” issues; everything is risk based. There is a calculated risk for patching, not patching, exposing services, allowing traffic into the network, and so forth. Sometimes you have to accept the risk, and other times you can come up with mitigating factors. It’s all about adapting to the business needs.
Hopefully this helps some of you looking to transition from your current role into a new shiny job. Remember the grass is not always greener, and there are times when this job can be extremely stressful. If you are choosing security because it’s the new shiny in your view, keep in mind that security is not all sunshine and buttercups. This field is as much about communication with the business as it is about security. Remember, you are there to assist the business in moving forward while reducing risk along the way.
Note: This is all pretty general for the field of InfoSec / CyberSecurity. This is not meant to be an “end-all-be-all” list, but it is general enough. Will some people have contradictory things to say about these bullets? More than likely. There are always outlying cases, and this simply comes from my experience.