I was involved in an interesting discussion about how long it takes to get a security job. But here’s an even more important question. How long does it take to get a security job with no experience? That’s a tougher question. I’ll also argue there’s no such thing as no experience. But to keep the search engines happy, here’s how long it takes to get a security job with no experience (except there’s no such thing as no experience!).
Why it’s hard to say exactly how long it takes
There’s a lot of gatekeeping in information security. If you can find a hiring manager with a background similar to yours to let you in, you can get a job in three months or less. If you can’t, it may take more than a year.
One trick that can help, if you already have an IT job, is to volunteer for as much security-related work as you can. Get in front of your own corporate security team. Ask questions. Learn from them. This isn’t a fast path by any means, but it gives you a plan B while also giving you security-related bullet points to beef up your resume.
Yes, I’m telling you that to a certain extent, you’re going to have to manufacture some experience to get that first opportunity. But you can do that without being dishonest. It’s about how you spin your existing education and experience.
It’s a competitive field. I once interviewed candidates for an opening on my team. Out of 100 applicants, three candidates made it to me.
Why I say there’s no such thing as no experience
Trying to move from another field of IT to security is like trying to move from fast food to retail. You’ve got to spin your experience to show HR, the hiring manager, and anyone else who interviews you along the way what you can do for them. What you could do for your past managers isn’t relevant to them. Frankly, all too often they are unwilling or unable to look at your past experience and relate it to what they need.
I’m not saying to make up some experience, but you need to apply the same filters to your IT experience that a certifying body would. If you can count that experience as CISSP work experience, it’s security experience. If you can’t count the experience toward required work experience toward a security certification, leave it off your resume. Yes, leave it off.
I always left that kind of stuff on to show my willingness to do whatever it takes, and to show versatility. That slowed me down. Most people don’t see that as a positive. Leave it off and talk about it later. Group all that stuff together on a single line that says, “Other duties as assigned.” And leave it at that.
Do I have printer experience? Sure I do. I have a journalism degree, so of course my first few gigs used me as the printer guy. It has no room on my resume. Sure, it comes up. I know that scanning printers with Tenable products usually causes them to print page after page of garbage until the printer runs out of toner or paper. And I can estimate what that does to the cost of your weekly scan. But I don’t mention any of that on my interview. Knowing stuff like that makes them glad they hired me, but it doesn’t get me the job.
The security job I didn’t get
In 2012, two of my former coworkers landed a job at a Fortune 20 company. And they were bound and determined to take me with them. “They’ve been trying to get me to hire you since before I hired them,” the CISO joked when he met me for the first time. They got me an interview with their director of vulnerability management.
In four short years, I would be working for the company who made the vulnerability scanner he used. But he couldn’t see past my resume, and I hadn’t mastered the art of articulating showing the value of my past experience to security people who didn’t have similar experience. More on that in a minute.
“What can you do for me besides Windows stuff?” he asked, bluntly. Except I’m not certain he used the word “stuff.” And that set the tone for the whole interview.
I had three years of pure security experience, two security certifications, and had worked on getting a little organization called the National Security Agency to change one of its security policies. If anything, I was overqualified for the role, but he couldn’t see past the job I had from 2005-2009 where I was a Windows administrator. It was as off-putting to him as seeing four years of fast food experience.
I learned from my mistakes, eventually. And I’d like to share what I learned.
You probably have experience the hiring manager doesn’t have
If you’re asking how long it takes to get a security job without experience, you probably have one of two reasons for it. Either you work elsewhere in IT and you want to get into security, or you have your degree and you’re trying to land your first job.
Working for a few years in the vendor and MSSP space gave me a weird perspective. I’ve worked with well over 100 security directors to re-architect vulnerability management solutions, and in many cases I’ve also met the people who work for them, and their bosses. All of them took different routes to get where they are. Some never worked a day in their lives outside of security. Some worked as database administrators or software developers before moving into security roles. I’m always surprised how few took the path I took, which was working as a system administrator before moving into security.
I’m also seeing a curious phenomenon. Well, it’s curious to me as a Gen Xer. I see people who got a degree in information security or something related to computers, got a security job right out of college, got an MBA, and ended up in management roles sometime in their early 30s.
On the other hand, I also see people who get the degree in information security and end up working on a helpdesk until they could convince one of those people who went straight into security and ended up in management to hire them. That’s hard. It seems like when people who got a security job right away see someone who didn’t, they automatically assume something’s wrong with them.
Based on what I’ve seen, you’re probably going to interview with people with a very different work background from you.
The problem with diversity
Don’t call HR on me. The problem with diversity is that for all the talk about diversity, many people, especially successful people, don’t see the value in it that they should.
I’m sure you’ve met people whose attitude toward everything is there are two ways to do something: my way or the wrong way. That attitude toward careers happens in security a lot.
Human beings seem to be wired to believe that the path they took to success is the best way. And they tend to believe that they earned the opportunities that they had, so therefore, people who didn’t have the same opportunities must be inferior to them.
When we’re dealing with someone who has a different background than we do, we have to spell out the value of what we learned taking a different path. Don’t expect them to figure it out.
When I apply for a job, I look at the job requirements. Then I take my last 10 years of experience. If you don’t have 10 years, take whatever experience you have. Relate what you did at that job to the job requirements. If you can’t relate it to the job requirements, relate it to something security related.
Take this line item from my past work experience, when I briefly worked at a major ISP:
- Provisioned subscribers and cable modems
That looks useless to anyone who isn’t an ISP. But what was I really doing? Provisioning user accounts and permissions, and maintaining an allow list of permitted cable modems on the ISP’s network. Yay, two security-related bullet points out of one unrelated!
- Provisioned user accounts and permissions
- Maintained lists of permitted and denied devices on the ISP’s network
Quantify it if you can, either by number of subscribers or how many requests per day you processed.
In my case, my big selling point as an expert in vulnerability management is that I pushed patches for a living for nearly 9 years. To someone 10 years younger than me, I look like an underachiever. But having paid my dues makes me good at what I do.
How long it takes to get a security job
Unfortunately, no matter what, getting a security job, especially a first security job, takes patience. One time I had a job come out of the blue. I wasn’t looking, but someone called me offering a career-changing opportunity. I had to be interested. That eliminated a whole lot of overhead. Even without that overhead, it took somewhere around 6-7 weeks to get it done.
When I initiate a search and fill out an application and upload a resume, it can easily take a month to get a response. So, take that month of overhead, add the 6-7 weeks it takes to work the interviews into everyone’s schedules, and you’re looking at three months to get a job. And that’s assuming you find a really good fit right away and both sides recognize it.
Some job descriptions are so vague you may think you’re exactly what they’re looking for, but you never get a call back. Don’t take the lack of a call back as a rejection. Sometimes they don’t know what they’re looking for, sometimes they don’t know how to articulate what they’re looking for, and sometimes they already have their mind up who they’re going to hire when they post the position. I’ve applied for at least three security jobs where I met the requirements perfectly, and I didn’t even get a call back.
So if you can find several jobs that you appear to be qualified for and you apply for all of them, assume three months from the day you start looking to the day you land an offer. If everything goes perfectly it could be a bit less. If not everything goes perfectly, it takes longer. Lack of experience tends to make things go less than perfectly.
Does using a recruiter help you get a security job faster?
I think a good recruiter can help you get a security job faster. But finding a good recruiter can be harder than finding a good job. A good recruiter can leverage pre-existing relationships to get your initial interview much faster, help to sell you to the hiring manager, and coach you on your resume.
To find a good recruiter, discretely talk to former coworkers and ask if they can recommend anyone. If that’s not an option for you, when a recruiter approaches you, interview him or her. Try to meet for coffee in person if possible. Make sure the recruiter understands something about technology and security. Also make sure they know something about the various companies in your area.
One recruiter I know calls me once a year. He knows he probably won’t place me anywhere. For lack of a better word, he wants to gossip. It’s how he learns about the local companies, who’s good to work for, and who isn’t.
I once worked with a recruiter who is now a Gartner analyst. I also once worked with a recruiter who had a second job as a football cheerleader. The future Gartner analyst placed me at two jobs, because he knew his stuff and hiring managers trusted him. The recruiter/cheerleader never got me or anyone I know an interview, let alone a job offer.