How to Secure an Entry-Level Role in Cyber Security
I receive a lot of messages requesting advice on the best ways to secure a role within Cyber Security, so I thought it would be beneficial to produce an article summarising my suggestions. Whether you are a recent graduate or looking to move into the industry from a different sector, this article should hopefully give you some useful insight into the best ways to secure a role!
Now obviously this advice differs depending on your level of education, prior professional experience, salary expectations (and potentially your willingness to take a drop) and various other factors; however, it should give you a good place to start…
Understanding the different career paths within Cyber Security
Before you decide which certifications to take and what roles to apply for, you need to have a clear understanding of the different career paths within Cyber Security. Now obviously there is no specific path that you must follow, as people change fields all of the time; however, there are positions out there that will give you the skills most relevant to achieving your end goal.
If you have already completed a degree in Information Security (or a closely related field), then it’s likely that you would understand the different disciplines within Cyber Security and also have an idea as to which areas you enjoy the most and would like to pursue.
For those who are not sure what those career paths are, I suggest you do some research and build your knowledge of the industry. Material is plentiful, and much of it will help you understand the different roles within Cyber Security and the responsibilities involved. Some of my personal favourites are:
- LinkedIn – LinkedIn offers a number of training courses designed to give you a high-level overview of different topics. As well as courses, LinkedIn can help you understand how people have progressed within their careers – for example, if your goal is to secure a CISO position, you could search for CISOs on LinkedIn and take a look at which roles they started in and how they have progressed throughout their careers. This could also help you expand your network and make a warmer introduction.
- Recruitment Agencies – There are several good recruitment consultants out there – you will quickly realise who the good ones are when you start your search. Recruitment consultants may not be able to help you immediately with securing a role, as they may not have the live positions; however, they will be able to provide you with valuable advice on getting into the industry, including which roles you should be applying to, how to structure your CV and the best way to approach potential employers.
- Cybrary – Cybrary has a lot of content and offers virtual labs on which to practise your practical skills. A lot of their content is free, and I have personally watched a number of their introduction courses, which have given me a good insight into the different roles and the responsibilities involved, right through to the personality that may be required to work in such a position.
- YouTube – YouTube can be a great resource for security professionals, not only for those looking to get into the industry but also for those looking to further develop their skills. There is a lot of content that will help you understand the different roles out there and what they require in terms of skillset and personality. I often advise candidates to use YouTube as a source to prepare for interviews too – I will touch on this later in the article.
- Open University – The Open University offers several introductory courses; these are high level and cover most aspects of cyber security, from authentication through to network security. These can be helpful for those wanting to upskill without paying out for certifications, and can also prove useful in understanding which area of Cyber is of most interest to you.
- Podcasts – Podcasts are becoming increasingly popular, both in Cyber Security and in all aspects of life. There is a lot of valuable and informative content out there, ranging from advice for those seeking entry-level roles through to the daily tasks involved in being a CISO.
These are just a few examples of places to start – there is a lot of content out there that is free of charge and that you can quite easily find with a Google search; you just need to be proactive.
Identifying at an early stage which career path you’d like to take will help you choose the best certifications and the most applicable roles.
Applying for roles
Having seen the recruitment process from both sides of the table (working for a boutique agency as well as in-house at an international consultancy), I understand that applying for roles can be an extremely draining process for candidates…
First, you need to make sure you are identifying the correct jobs. LinkedIn is probably the most useful tool for this, closely followed by job boards (Indeed being my personal recommendation). Here is some advice for when you are applying for roles:
- Network – Whether it’s connecting with other security professionals on LinkedIn, attending events and meetups (these will likely be virtual at the moment) or contributing to the community by publishing content, networking is one of the most effective ways of securing a role in Cyber Security. What I have noticed about the Cyber Security community is that people will always be willing to help, whether that’s giving advice, making introductions or sharing your content.
- Use a Recruitment Consultant – There are recruitment consultants out there who will have clients seeking entry-level candidates; however, personally, 90% of the roles I pick up require candidates with previous, relevant experience – after all, clients are paying us a fee for a specific requirement… Employers tend to receive a lot of applicants when advertising entry-level roles, so do not always feel the need to use a recruitment agency. That being said, I highly recommend connecting with recruiters, as they will aid your search.
- Set up alerts – On LinkedIn and most of the job boards, you can set up alerts (I set mine to daily) notifying you when a role has been advertised that fits your search criteria. For example, you could set this search to “Cyber Security Analyst”, “within 50 miles of London”. By doing this, you can make sure you do not miss out on any opportunities and be one of the first applicants to hit the recruiter’s inbox.
- Don’t get caught up on job titles – I know this may contradict some of what I’ve already said; however, one thing I’ve learnt is that job titles are not always an accurate representation of the role in hand… For example, two employers could be advertising for a “Security Analyst”: one could be a SOC-based role and the other could sit within the GRC function – the responsibilities are completely different, but the title is the same. My advice is to read the job description thoroughly before applying (you will be surprised at how many people do not do this…). Additionally, if you are applying to a smaller business, which may not have a huge budget to spend on Cyber Security, then it is likely that the roles it recruits for will be slightly broader.
- Be proactive when applying directly – I have posted roles in the past that have received 100+ applicants within 24 hours of advertising. Now consider that the recruiter is working on another 20 or so positions at the same time, and think how much time and attention is required to individually screen those candidates. You need to stand out from the rest – my best advice for doing so is to reach out to internal recruiters and hiring managers directly with a short introductory message. If the role is advertised on LinkedIn, it will sometimes show the job poster. If not, it is not hard to do some digging on LinkedIn and find the most relevant person…
- Search for content – An effective method of utilising your LinkedIn network… You can search for keywords on LinkedIn: for example, type “recruiting for security analyst” into the search bar and filter it to ‘Content’ and ‘1st hand connections’. This will bring up all the relevant posts from people directly within your network, i.e. all your connections who have advertised a role on their personal page – you may need to try changing up the search string.
- Sign up to graduate and apprenticeship programmes – Ensure you sign up to all the graduate and apprenticeship programmes; typically, the larger organisations will have these advertised all year round. The government website and training providers can be a good place to find apprenticeships.
- Competitions – This is mainly for those looking to get into penetration testing. Several businesses run CTF competitions (or another form of technical challenge), and these can be a great place to showcase your skills to potential employers.
- Perfect your CV – A pretty obvious point; however, be sure to include as much relevant information as possible on your CV – this could be links to articles, Meetups that you’ve attended, etc.
Ultimately, LinkedIn is your primary tool here; use it to build your network and follow up with applications.
You need to show employers that you’re genuinely passionate about the industry; if you can prove this at the application stage, it will give you a good advantage over other candidates.
Interview Preparation
So, you have had a successful application and have been invited to an interview – besides the obvious starting points (researching the company online, interview techniques, understanding the company’s values, reading over the job description, etc.), what resources do you have that can help you prepare?
- Your network – Reach out to contacts to ask for advice. This could be people you previously studied with who have secured a new position, it could be recruitment consultants or even experienced security professionals.
- YouTube – YouTube can be an incredible tool to help you prepare for an interview. For example, say you’ve secured an interview for a SOC Analyst role and you know from the job description that they use a specific SIEM solution – you can go on to YouTube and find tutorials on how the tool’s dashboard works, the different functionalities on there and even the different commands, if you want to go into that much detail.
- LinkedIn – You can use LinkedIn to find out a lot about your interviewer’s background, as well as the company and its hiring trends. This can help you put together clever questions that will show the hiring manager that you have done your research and are genuinely interested in joining the business.
- Utilise your soft skills – A lot of people stereotype Cyber Security positions as being deeply technical and spending the day in front of a computer hacking away… What a lot of people miss are the soft skills required to work in the industry. For example, if you were to go and work for a consultancy, you would spend a lot of your time advising senior stakeholders; this requires excellent communication skills, incredibly high attention to detail and confidence. Make sure that you display your soft skills and personality within an interview – it is a lot easier to teach somebody the technical aspects of the position than it is to teach the softer skills…
- Books – There are plenty of books out there that can help you with the technical aspects of the role in hand; this will also help you upskill.
Certifications
Certifications… there is a lot of debate in the industry as to whether certifications are worthwhile and whether hands-on experience provides greater value. Whilst I would agree that employers find professional experience of greater interest, a certification can prove useful in showing employers that you are genuinely interested in and dedicated to the field, as well as personally upskilling.
I have provided a summary of what I feel are the main ones that a potential employer would consider “desirable” and how they differ. Ultimately, the deciding factor in which one to choose is how much money and time you have available to invest.
CEH (Certified Ethical Hacker)
Cost: ~£450
Time to complete: 4 hours
Format: multiple choice
The CEH is one of the most common entry-level certifications. The exam covers most aspects of Cyber Security at a basic level, ranging from the tools available through to threats and attack vectors. I would recommend the CEH to those looking to develop their understanding of Cyber Security; however, I would not recommend it to somebody who has completed a degree in Information Security or a similar field, as the content would likely be limited in comparison to what you have already learnt.
Additionally, there are other resources out there that could give you a similar level of insight for free or at a much lower price, which I have touched on elsewhere in the article.
CISMP (Certified in Information Security Management Principles)
Cost: ~£200
Time to complete: 2 hours
Format: multiple choice
The CISMP is a foundation course aimed at building knowledge of Information Security Management principles as well as international standards and frameworks. I would suggest CISMP to those that are looking for a position that relates to Information Security Governance, Risk and Compliance.
From a hiring manager’s/employers’ point of view, I would say that the CISMP holds a lot more gravitas than a CEH.
CompTIA Security+
Cost: ~£300
Time to complete: 90 minutes
Format: mix of multiple choice and practical (performance based)
It seems a lot more candidates are taking the CompTIA Security+ now, and from what I understand they are updating the syllabus in November 2020. This certification covers most aspects of Cyber Security and would also prove valuable in securing a role in system or network administration.
Based on the cost of the exam and the mixed format, I would say that the CompTIA Security+ certification is more valuable than the CEH, especially if you are looking to secure a SOC-related position.
CPSA (CREST Practitioner Security Analyst)
Cost: ~£300
Time to complete: 2 hours
Format: multiple choice
The CPSA is a highly regarded entry-level certification and certainly one that I would consider valuable to a candidate seeking an entry-level role within technical security. Its syllabus is most relevant to penetration testing or SOC-based roles, making it a slightly more technical certification than some of the others stated in this article.
For those looking to secure a role within penetration testing, the CPSA is a good place to start, especially if you have plans to complete a CRT or CCT at a later stage.
GISF (GIAC Information Security Fundamentals)
Cost: ~£1,500
Time to complete: 2 hours
Format: multiple choice
If you have £1,500 to spend on a GIAC certification (this is excluding the SANS training alongside it), then I’d say that these are the most recognised, desirable certifications in the industry, certainly for SOC, IR and Forensics related positions (albeit the GISF does cover most areas of security).
Whilst it’s not essential that you complete the SANS training in order to take the GISF (or any other GIAC certification), it’s highly recommended, and from what I hear from those who have taken it, it is most definitely well worth it.
OSCP (Offensive Security Certified Professional)
Cost: ~£750
Time to complete: 24 hours
Format: practical
The OSCP is highly regarded by hiring managers and is often seen as an entry level requirement for those looking for a role in penetration testing. It is arguable as to whether this is an entry-level certification, as it’s quite intense, however a number of organisations include the OSCP as a minimum requirement.
Whilst 90% of those that complete an OSCP have an interest in penetration testing, some Incident Response professionals see this as a valuable certification, not only to see things from an offensive security point of view, but also to build their experience of working with a Linux operating system.
The OSCP is an intense 24-hour exam, in which you will be carrying out hands-on penetration testing in a virtual lab, receiving points based on the number of successful compromises.
If you are serious about moving into a penetration testing position and have the time and money to invest, then I would say OSCP is your best option.
SSCP (System Security Certified Professional)
Cost: ~£200
Time to complete: 3 hours
Format: multiple choice
To become fully SSCP certified, you must have one year of relevant professional experience, however you can take the exam and become an ‘associate of SSCP’.
The SSCP covers most of the areas involved within a security operations related position from access control through to incident response.
I would suggest that taking the SSCP, coupled with either an AWS or Azure foundations course would be a great starting point and desirable to employers.
eJPT (eLearn Junior Penetration Tester)
Cost: ~£450
Time to complete: 3 days
Format: practical
The eJPT is aimed at those looking to secure a role within penetration testing. It is a good certification for those without prior experience looking to further their knowledge.
It’s not as intense as the OSCP, however is a good starting point for those looking to take it at a later point.
BTL1 (Blue Team Level 1)
Cost: ~£500
Time to complete: 24 hours (3 months access)
Format: Practical
BTL1 offers training and certification aimed at those with 0-2 years’ experience wanting to secure a role within Security Operations.
This is a purely practical course, covering Phishing Analysis, Threat Intelligence, Digital Forensics, SIEM & Incident Response.
All the information above is based purely on the cost and time to sit the exam. There are other associated costs involved with training for them and some require a lot more time to prepare for than others.
To summarise, if you’re looking at getting into penetration testing, I’d say that the OSCP is by far the best certification; however, from what I hear, it is pretty intense – so it may be worthwhile starting with the eJPT or CEH if you’re new to security.
If you are looking for a SOC or Incident Response related role, then I would suggest the CompTIA Security+ or BTL1 to those without any prior IT experience or education, and the SSCP or CPSA to those who have it.
For Information Security Governance, Risk and Compliance roles, I would suggest taking the CISMP. Whilst I would highly recommend the SANS training and GIAC certification, it is expensive. A lot of employers out there will have dedicated budgets for training/certification, so perhaps it would be better to wait until you secure a role before taking the expensive ones.
Summary
To summarise all the above information, my advice to those looking to get into security is to network as much as possible and be proactive and creative.
When I say network, this includes LinkedIn, Meetups, Events, Graduate Fairs, Online Forums, CTF competitions – the list goes on.
You need to stand out from the rest – this can be achieved by being active on social media and contributing to the community; for example, you could write a blog on ‘your journey into Cyber Security’ or perhaps a review of a certification that you’ve taken. Just think, “what can I do that the hundreds of other applicants haven’t?”
Whilst I feel certifications are beneficial to securing a role, I do not think that an employer will look at your CV and say, “let’s hire this person, they have a CEH”. You need to show them that you are genuinely interested in and passionate about the field, and there are plenty of other ways of doing that.
Something that I have not really touched on throughout the article is the amount of free training out there, especially now! Several well-recognised organisations, including Microsoft, Oracle and many more, are offering free training throughout the pandemic – ensure that you utilise this!
I would also recommend that you start to learn the fundamentals of the public cloud providers, the main ones being Azure, AWS and GCP. Numerous organisations are moving on to the cloud, and this kind of knowledge can prove extremely valuable and desirable, even if the only experience you have is from your home set-up!
The unfortunate truth is that it is difficult to get into Cyber Security; it requires a lot of hard work and perseverance. However, it can certainly be a rewarding career, from both a self-satisfaction and a financial point of view.
One final point is that if you are struggling to get a role directly within Cyber Security, then it may be worthwhile looking at other junior technical positions, to help gain professional experience and improve your hands-on technical skills. I often advise IT Support, System and Network Administration roles as a good place to start.
Here are a few links to podcasts, YouTube videos and training providers, that I have personally found useful:
- Colin Hardy: Coding Expectations for Malware & Pentesting - https://www.youtube.com/watch?v=x8IK0TaS7iE
- InfoSec Journeys - https://www.youtube.com/channel/UC2flvup7giBpysO-4wdynMg
- CyberTalks - https://www.youtube.com/channel/UCciXtCQER9bAUZqnv32tymA
- Cybrary: Introduction to Cyber Security - https://www.cybrary.it/course/introduction-to-it-and-cybersecurity/
- The Open University: Introduction to Cyber Security - https://www.open.edu/openlearn/science-maths-technology/introduction-cyber-security-stay-safe-online/content-section-overview?active-tab=description-tab
- Oracle Learning - https://learn.oracle.com/ords/launchpad/learn?page=index#OCI
- Pluralsight - https://www.pluralsight.com/
- Security Dumpster Fire: Getting in to Cyber Security - https://www.youtube.com/watch?v=LS2bGCBGnMk
- SecurityBlueTeam – https://securityblue.team/
- Cyber Security Challenge - https://www.cybersecuritychallenge.org.uk/
- Become an Azure Security Centre Ninja - https://techcommunity.microsoft.com/t5/azure-security-center/become-an-azure-security-center-ninja/ba-p/1608761
- BrightTalk - https://www.brighttalk.com/topic/cyber-security/
- Konrads Klints: How to Succeed as a Security Graduate/Analyst - https://medium.com/@truekonrads/how-to-succeed-as-an-analyst-grad-in-a-technical-role-in-big-4-2016-edition-c8924412268b
- Katia Dean’s Cyber Security eBook - https://katiascylife.tech/
- Linux Academy: A Cloud Guru - https://acloudguru.com/
- Josh Mason: How to get in to Security - https://www.dhirubhai.net/feed/update/urn:li:activity:6704370737844645888/
- CompTIA - https://www.comptia.org/training
- CREST Knowledge Sharing - https://www.crest-approved.org/knowledge-sharing/index.html
- Ethical Hacker Network - https://www.ethicalhacker.net/
Procurement Director | Global Category Head | Strategic Projects | Sustainability Projects | Strategic Supplier Management.
5 months ago: Super helpful for my son who has just left school and wants to start a career in Cyber Security. Thank you!
Looking to grow your sales without selling; let me show you how to make sales calls without selling; effectively, confidently & ethically.
3 years ago: Stefan, thanks for sharing!
Senior Lead, Service Assurance. Major Incident Manager at Tata Communications
4 years ago: That looks like a lot of work. Thanks for sharing and doing the ground work, Stefan.
Enterprise Security | Threat And Vulnerability Management | SOC | Incident Response
4 years ago: I really appreciate the effort which you took to write this article. I really found this article both informative and helpful.