Advice for people starting to pursue a career in Cyber Security

For many reasons, I frequently get asked for advice from people who are just starting to pursue a career in Cyber Security. I wanted to write this blog post to give advice and give back to the community I love so much.

I think I have a somewhat unique perspective. I’ve been an employee (for very small and very large companies), a trainer/teacher and have employed (hired) roughly 70 people to work for me at one of my companies. I was asked recently by a former student these questions:

  1. Which Entry Level Jobs should I pursue
  2. What skills (hard and soft) would help to stand out
  3. What Certs should I get

First some foundational information:

I think there are two really important parts of cyber security to keep in mind
1) It is generally believed that there are a ‘lack of viable candidates’ (whatever that means)
2) This is still an extremely new field and functional business area for most businesses

What does that mean for you? It’s my opinion that most employers interviewers fall in to one of two categories
1) Employers with hard requirements on certs and experience
2) Employers who understand the softer things that can allow someone to excel in a position (e.g. personal interests, non-traditional experiences, on the job learning, etc.)

Very reductionist, I know, but helpful to highlight a few key points.

For the first camp of employer with hard requirements I generally regard them as ‘stupid and bureaucratic’. Not that the individuals are stupid, just their bureaucratic system. Ultimately I think the biggest thing they fail to account for is the two primary points of cyber (limited talent and extremely new/dynamic field).

What they’re basically doing is putting all of the responsibility on the new hire. Essentially saying “we’re not really sure what to do, so here, you come in with a lot of knowledge and figure it out”. Not realizing that virtually everyone in cyber security needs some molding and coaching to be effective. That approach may make sense for more senior roles, but not for entry level.

The second camp (like me) care far less about many (if any) hard requirements. I hire people to join my technical team on ultimately one thing alone – passion for hacking. Why? There are a few reasons. The most important are:

1) You must be passionate to have the desire to stay as up to date as you can since this is the most dynamic field in the world. If you don’t have a passion for learning about the ever changing threat landscape then every week will seem like a huge chore.

2) I am very passionate (see obsessive) about cyber security, so ultimately I just want to be around like minded people.

3) If you are passionate about cyber security you will by definition always be pursuing personal growth. This means that you shouldn’t stay in an entry level role for very long and we’ll grow together as a team.

 

1. Which entry level jobs should you pursue

The most important thing is to start with your specific goal in mind. There isn’t some universal entry level job that will prepare you for any path in cyber security.

I love this line (image to the left) from Alice in Wonderland and it is perfectly apropos to this question. If you don’t have a specific goal you’re trying to get to then it doesn’t really matter what job you take.

Which means you should write down very specifically what you want, what are your goals? What area interests you most? What are you looking to get from a position – both short and long term goals (and dont just say pay the bills, that is the wrong answer)? I highly recommend writing down the criteria of the position you’d like. Some examples:

  • I want to work from home
  • I want to travel for work
  • I want to work in a big city
  • I want to work with a big team
  • I want to work with a small team
  • I want to be left alone and dig into specific technical problems
  • I want to focus on analyzing live incidents
  • I want to focus on researching new vulnerabilities
  • I want to focus on attacking web applications
  • I want to deal with people

The great thing is there are zero wrong answers here. The more you can articulate exactly what you are looking for the more likely you are to find it and not waste your time on things that don’t fit your criteria.

I understand when you are first starting out you might be thinking “I’ll take anything, I just need to get some experience”. (I’ve been there myself). As much as possible avoid this pitfall.

For me it is helpful to think in a few specific time frames they are:

  1. One quarter from now
  2. One year from now
  3. 3 years from now
  4. 5 years from now
  5. 10 years from now
  6. 20 years from now

If you can start to build the picture of what you would like to be doing at each of those points in time you’ll be on a good path. Also, it’s important to understand that you can always change your path, go off on a new tangent or change it entirely. The point is not for you to predetermine your entire life, but rather to give yourself some direction on what will bring you joy.

A few other (random) points about looking for a position.

  1. Bigger companies tend to have more specialized roles (as their teams and finances are bigger)
  2. Bigger companies tend to be (although not always) pretty rigid on policies (e.g. work from home, vacation, training, etc.)
  3. Smaller companies tend to have people wearing many (many, many) different hats (e.g. jack of all trade)
  4. Smaller companies tend to be more flexible on policies

One final thought; Again I want to reiterate that you should pursue something specific. That being said, once you’ve defined what you are looking for don’t wait for job postings, just reach out immediately. If you know you want to get into Incident Response at a big company where you’ll travel a lot, then do a little research and start reaching out today! Also, don’t feel bad about reaching out directly to (anyone) on the security team and ask to be pointed to the right person to interview for a role. Don’t feel like you have to start with Human Resources and ask if ‘there are any open positions’. Simply reach out and say you are excited to join their team and would like to determine if there is a good fit.

2. What skills (hard and soft) would help to stand out

First, you should learn how to “interview” well. There are many resources on the Internet for that so I’ll only highlight a few specific things that stand out to me.

Of course as in every other important event in life you must come prepared. How do you prepare?

  • Research the biz, the people (I can’t emphasize this enough!!!)
  • Ask for information about the position AHEAD of time so you can research more
  • Bring your CV, highlight the things YOU choose

Sales is a universal skill that I wish was taught in high school. The number one principle in sales is to identify a problem and solve the problem, it’s that simple. The key here is to focus on the businesses problems (the interviewer) and NOT your problems! The key here is that if a company has a position open they have problems they are trying to solve and their solution is to hire someone to solve those problems.

The art comes in when you understand that there are many problems a business is looking to solve when they hire a person (and many problems they are concerned about in hiring a person). If you can identify those specific problems you are in a much better spot to communicate specifically on how hiring you can solve those problems. The key here is to not simply think that the company’s problem is ‘they need to hire someone’, that is silly. They hope to solve their problems by hiring someone!

Maybe a few examples will help highlight the difference:

  1. I’m looking to hire a sales person. The problem? The business needs to identify NEW clients to work with.
  2. I’m looking to hire a sales person. The problem? The business needs to expand offerings with EXISTING clients.
  3. I’m looking to hire a security analyst. The problem? The business recently experienced a few major security incidents and they need to create a new process to respond to incidents.
  4. I’m looking to hire a security analyst. The problem? The business is moving to the cloud and needs someone to monitor the environment for indications of malicious activity.
  5. I’m looking to hire a security analyst. The problem? We had someone on our team that handled ‘monitoring our network’, they’ve left and we’re not sure what they really did to keep us secure.

How do you identify these specific problems? Assume nothing, ask a lot of questions! Ask a lot of questions, ask some more, and when you think you’ve asked too many then ask a few more.

This leads to my next point which is interviews are always MUTUAL interviews. You should be interviewing the employer as well (not in an entitled, prickly way). You’re trying to understand if they are a good fit for you and if you are a good fit to solve their specific problems.

Lets look at a mock conversation to help highlight how asking questions can put you in a better spot to sell yourself.

Wrong way

You: Thank you for the opportunity to discuss the security analyst role. Can you tell me more about the specific duties.

Interviewer: Thank you for coming in. Yes, we need someone to monitor the security of our Azure environment. Do you have experience monitoring an Azure environment?

You: No, I’ve never used Azure.

Interviewer: Well thanks for coming in, we have your resume.

 

The Right Way

You: Thank you for the opportunity to discuss the security analyst role. Can you tell me more about the specific duties.

Interviewer: Thank you for coming in. Yes, we need someone to monitor the security of our Azure environment. Do you have experience monitoring an Azure environment?

You: That’s interesting, can you tell me how you use Azure.

Interviewer: We host both our client facing applications and some internal applications in the cloud.

You: What does the client facing application do?

Interviewer: It’s our core application, it allows clients to book time with us, receive invoices, pay their bill, etc.

You: How long have you used Azure for that?

Interviewer: Well actually it’s brand new, we haven’t technically rolled it out yet. We’re moving our client facing application to the environment and hope to have it live in 3 months.

You: Very interesting, so technically if I came on board in two weeks I might have two and a half months to help design and implement how we monitor the environment.

Interviewer: Yes, I suppose those duties have not been spelled out very well yet.

You: That’s great, I actually haven’t used Azure, although I have experience with other cloud environments, as well as security monitoring for traditional environments. I feel very confident that given even just a few weeks of working with the team building the Azure environment that I could easily learn the specific nuances of the Azure before the go live date. In fact if there are any certifications for Azure that you think are beneficial I would be willing to pursue those immediately.

Interviewer: Excellent.

See the very different approach? I understand that at first it might be a little awkward in some cases essentially ‘avoid’ answering a question immediately. However, with a little practice I guarantee it is a natural part of almost every conversation already, and one you can use to have more meaningful conversations. You’ll want to make sure you always come back and answer it directly, but there is nothing wrong with first asking a few more probing questions to really understand WHY they are asking their questions. After all there is so much overlap between technologies that given some of the bureaucratic interviewers many times they don’t realize that their hard requirements are not nearly as important as they may believe. I’ve also seen terrible instances where ‘requirements’ were technically inaccurate or just laughably irrelevant.

Finally, when looking to get your foot in the door don’t focus primarily on money, focus on the mutual value you will both receive (look for growth opportunities, the path you’re choosing, a specific mentor, on the job training, formal training, etc.). If you are asked about compensation the best answer is that you are looking for “fair compensation based on the market value of the work I’ll be performing and the opportunity for my advancement in pursing my chosen career path”.

Skills Summary

  1. Learn to interview well
  2. Research the business, the people and the opportunity
  3. Come prepared
  4. Learn to sell yourself (by identifying their specific problems)
  5. Communication

 

3. What certs should I get

I know you want a specific list of certs that will help you get a great entry level job. The fact is, there is no such thing. It depends on the context of the specific position you are pursuing and what the specific company wants to see. That being said I’ll give you a few pointers and try to give a few specific examples.

First, just make sure when you are first starting your career to follow your ABCs – That is – Always Be Certing. When you are just starting out you should always be pursuing your ‘Next Certification’. I don’t care if you think you’ll get the cert in the next 6 days or the next 6 months (or even the next year). The key here is that when you highlight this to your interviewer it will convey that you are actively learning, you are still in personal growth mode. As an employer if I know someone is driven to continue their education on their own time that is a huge positive.

This also gives you a great opportunity to ask another question of the interviewer. Are there any certifications that you would like someone in this role to have or pursue? You’re then in a great spot to say something like: “That’s great, as soon as I finish the certification I’m working on now, I’d be happy to get that certification”. That’s all you need to say, the rest of the details can be figured out later (preferably after they hire you), that is, when would they like you to have it by, who is paying for it, what is the real value in it for the organization, etc.

For me personally, I don’t actually care about hiring people with certifications specifically. That is to say, I don’t have any hard requirements for certifications to join my team, you don’t even need to have a single one. However, I love to see certifications on a resume because it gives me a lot of insight into what a person may have worked on previously, and more importantly where their career path interests lie. If I see certifications that appear to be unrelated to what we do at Leet, I’ll ask about them. Does this person not really want to pursue what we do at Leet? Are they looking for a change from their previous path? Do they have things that complement our work well but are not direct ‘offensive security’ certs?

As I write to wrap up this section I googled ‘Entry level cyber security certifications’. I recommend you do the same and find a cert that looks like it will help you pursue your specific path.

Certs Summary

  1. The specific certs matter based on what you want to pursue
  2. Any cert is better than no cert
  3. Actively pursuing a cert is a great positive indicator for an employer

Conclusion

I wish you luck on your journey and I hope you found value in my advice. Remember to define specifically what interests you most and enthusiastically pursue that path without hesitation! I hope to write more in the future to help you on your path so be sure to check in from time to time.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: