Unlike most of the job market, cyber security is a growing field with no signs of slowing down, lots of upward mobility, and good prospects for getting a raise once in a while. At the time of this writing, there are 500,000 security vacancies in the United States alone. There’s little hope of filling most of them. One of them could be you, if only someone would discover you. Here’s how to get an entry level cyber security job.
There’s no proven formula for getting into the cyber security field. But through a combination of networking and saying the right things on your resume and in the interview process, you can get into this field. Someone dumber than you has a security job. With some perseverance, you can get in too.
Getting a security job is like dating
Maybe this is cliche, but getting that first security job is a lot like dating. There are half a million jobs out there, but the people hiring them and the people who want the jobs can’t find each other. About 45 percent of adults in the United States are single.
The problem is the same in both cases.
I bring up dating because, in this case, the problem is related. Especially in this case. This field tends to attract introverts. Introverts have a really hard time putting themselves out there, and even when they want to, they might struggle to say the right thing, because they’re out of practice. Making matters worse, the person on the receiving end may have completely unrealistic expectations.
How do you fix it? There’s a security analogy here. You brute-force it.
Apply for every entry-level cyber security job you can find
Relationship experts say the best way to get dates is just to strike up conversations. The goal isn’t to date every person you talk to. The goal is to get used to talking to people so that when you do meet someone you’d be interested in going out with, the pressure is off and you can actually talk to them without falling all over yourself.
Same thing here, only hopefully it’s a little less intimidating. At least when you apply for a job, rejection most commonly comes in the form of ghosting, rather than outright rejection.
The next trick is knowing what an entry-level security job looks like, so you’re applying for something in your league. It’s counterproductive to apply for high-end jobs you’re not qualified for yet. Start on the ground floor and work your way up.
Go to local cyber security meetups
In most major cities, there’s a semi-regular meetup of security professionals for the purpose of networking. Find out where yours is, then attend. Find someone holding court and telling war stories. Don’t expect to find a job the first time you attend, but the networking is valuable. It gets you practice talking to experienced security professionals. And if some entry-level job comes available, you’re more likely to be someone they think of.
What an entry-level security job looks like
The classic entry-level security job, I think, is a job in a Security Operations Center, or SOC. This is the security equivalent of the help desk. A SOC Analyst monitors for alerts and routes them. Just like a helpdesk gig, a SOC analyst should be able to filter out low-value events, handle the easier incidents, and route things that appear worthy of attention to higher-level analysts, perhaps participating in some of the remediations.
It’s not the most glamorous work, but you learn a lot in a short time and there’s opportunity for promotion, especially if you take a job at a Managed Security Service Provider. These companies deal in volume, so they’re more willing to train and grow you, and they’re constantly expanding, so you can move up to better roles either due to attrition or growth. You don’t just have to wait for a senior-level person to leave, like so much of IT. And you’ll learn a lot because you’ll see a lot.
The other thing about MSSPs is I think you actually have a better chance of getting on with one of them. I think they’re better at interviewing, better at identifying talent, and have more realistic expectations than whatever Fortune 500 companies happen to be in your area. They also have more openings. And then once you’re there, your network will grow quickly, because you may deal with 5-10 different Fortune 500 companies while you’re working there, and your colleagues will move onward and upward too.
Applying for an entry-level cyber security job
The key to applying for an entry-level cybersecurity job, or any security job, is relating your existing experience to the job you want. There was a time when people read resumes and thought about what was there, so all you really had to do was show a track record. HR departments don’t do that now, and most hiring managers don’t either. The job market for the last 20 years has been so terrible, they’re spoiled, and they can get away with throwing away 90% of the resumes they receive.
Entire books have been written about how to deal with this. Some of them even have a little bit of good advice in them. But the main thing to remember is having a track record isn’t the only thing that matters. The track record has to be relevant to the job.
That means you literally shouldn’t mention half of the job duties you performed on past jobs. Make it look like you’ve been doing security your whole life. If you’re reading this, you might be young enough that you have to mention the fast-food job you had in high school. How does that relate to security? Think about what you did that related to loss prevention. That could mean stopping a quick-change artist who tried to shortchange you at the drawer. It could also mean ensuring you didn’t cook too many french fries on your shift. If you ever received any recognition for any of that, mention it. Fraud, waste, and abuse is part of security.
If you ever had a retail job, same thing. Physical security is security. Frankly some security pros value physical security experience more highly than they value IT experience. I think that’s a bit misguided, but it’s part of the game, so play it.
Do the same thing for any IT jobs you’ve held. Managing antivirus, creating user accounts, and resetting passwords is all security experience. That’s the kind of experience you need to mention. Don’t bother mentioning you changed toner cartridges. Some idiot will see that line, decide that’s all you did, and veto you. I know it shows versatility and a willingness to do whatever needs to be done, but not everyone who sees your resume will see it that way. If it’s not work experience that counts toward a security certification, just lump it all into a bullet point that says “other duties as assigned.”
How to build a resume that fits the job
I have a resume that I use for reference that contains all of my job history and accomplishments, and it’s several pages long. I never apply for a job with that. When I apply for a job, I create headings for my last 10 years’ worth of jobs, with the company name, my title, and start and end dates. Then I look at the job description for the job I want. I take as many of those bullet points as I can, paste those in as my job description, then edit those bullet points to match what I did at that job. But this way, I’m starting with their wording, not mine.
For example, let’s say I’m applying for a job that has the following bullet point in its required experience:
- Monitor events in Logrhythm or a similar SIEM
In 2014-2015, I worked with a competing tool called Splunk. So this would be one of my bullet points under that job description:
- Monitored events in Splunk, a SIEM tool similar to Logrhythm
The hiring manager will recognize that Splunk competes with Logrhythm, but having a bullet point that uses seven of the eight words in that job requirement’s bullet point should make it clear to anyone in HR that the experience relates, even if yours is the first cybersecurity resume they’ve seen in their lives.
Before I knew this trick, I got responses to job applications 10 percent of the time. Doing this trick increased my response rate to around 70 percent. I think that’s still lower than it should be, but it’s workable.
Get some IT experience first
Here’s another suggestion. I know some people go to school, get a degree in cyber security, then wonder where the jobs are. You’re really better off getting some general IT experience first. When you work in security, you’re going to spend a lot of time talking to people in the rest of IT. You want them to see you as one of you, not as some clueless security wonk with no view of reality.
System administrators will talk to me because I was a system administrator for about 9 years. Windows admins like me more than Linux or Unix admins do, because I have more Windows experience than Unix, but they can tell from talking to me that I have more knowledge than just the rote memorization required to pass a certification test.
You don’t have to spend four years in desktop support and nine years in system administration like I did. The industry will tell you how long is enough, but I think you should take whatever entry-level IT job you can get, do that job for a minimum of a year, then start applying for security jobs. It if takes a month, so be it. If it takes 18 months, so be it. In the meantime you’re getting a paycheck and gaining experience.
And in the long run you’ll be a better security professional for it.
Here are some tips for getting that first IT job.
Interviewing tips for an entry-level cyber security job
Interviewing for cyber security jobs is harder than interviewing for IT jobs. My success rate getting job offers when I was in general IT was about 80 percent. It’s closer to 50 percent in the security field. Part of it is that I don’t think hiring managers interview correctly. But here’s how I handle it. If I really want to leave a job, I don’t apply for one job. I apply for five. I’ll get three or four interviews. And I’ll get one or two job offers.
If I can give any advice for the interview process, it’s to make sure you know as much as possible about the job duties you’ll be asked to perform. But the main thing about the interview process is to not sell yourself short. Some of your interviewers will try to get you to do that. Talk about your experience and how it can help them.
For example, I used to downplay my home network, because managing a network for my family isn’t the same as managing one for a Fortune 500 company. That’s my toxic boss from 2005 talking. There’s plenty in a home network that applies to corporate networking. I can talk about the value of my long and complex wifi password. Or when it makes sense to use wired connections and when wireless is more practical. I can VLAN my Roku devices off to separate them from the rest of our household devices, because I have a managed switch. It’s overkill, but if I can do that at home, it proves I can do it at work, where there’s definite need to do such things.
Your attitude in your entry-level cyber security job
Getting your first security job is one thing. Keeping it is another. It stinks that we have to pay our dues, and I think many companies overcharge, but that doesn’t mean we owe nothing. I know a guy who set himself back years because he wasn’t willing to pay his dues.
The guy was lucky, in some regards. He didn’t have to start out at the bottom. A large company hired him to scan new server builds and tell the server build teams what patches they had to install before the server could go into production. It wasn’t glamorous work, but it paid well, and it was much better than any job I had before the age of 30. Here he was, 24 years old or thereabouts, complaining the job was beneath him. In all fairness it was, but if he’d done a good job at it, we would have promoted him after six months. We all knew it, and we all told him.
I won’t go into detail, but he didn’t do the work. I don’t remember anymore how long he lasted, but it wasn’t any longer than two months. It could have been as little as two weeks.
Frankly, I think everyone knew he was talented enough for more responsibility. But we had questions about how trustworthy he was, and how much of a team player he was. He came up short on both of those counts, so that’s why he didn’t work for us very long. I can’t go into detail, but we fired him, and he deserved it.
When you get that first job, do the best that you can, even if the work is beneath you. One of two things will happen. That employer will recognize and promote you. Or you’ll find an opening somewhere else, and you’ll be able to use that experience to get a better job at the other place.