Infosec Recruiter to Hacker….. Is that even possible?

Hi there, my name is Michael Thompson and I’d like you tell you a story about how I am working to transition from being a specialized information security (infosec) recruiter to actually now working in the cybersecurity industry as an engineer. My journey started over six years ago, I was trying to find a job and at the time I was a substitute chemistry teacher at a local high school.?A friend’s husband was running a recruiting company and she thought that I would be a good recruiter because I was personable.?Being a recruiter was the last thing I thought I’d want to be when I grow up but with not much prospects in front of me I took a chance.?I started working at the recruiting company and ended up being quite good at recruiting, I liked connecting with people and I liked selling.?I also really enjoyed the team that I was working on; I’ve always been good at connecting with people and this job really highlighted that skill set.?

When I first started at this recruiting company they had one cybersecurity client and the owner was trying to build out the cybersecurity business.?No one at the company really knew much about the industry but we were trying to get more clients.?It is quite hard to do this but I volunteered to take it on since love new challenges.?I ended up loving recruiting in the information security industry. The work was always interesting, and the people were all super cool, I loved talking on the phone with candidates and learning about the interesting work that I was doing. I recruited and did business development for this company for a few years there until one day the company decided to close.

At this point I had to decide what to do next and after talking with my lovely wife, we thought it would be best to just open my own company that specializes in recruiting in cybersecurity since I loved it so much. It was just a natural progression since I knew a lot of people in the industry already and was quite well known already for recruiting some of the best infosec talent.?So, in October of 2018 I started my own company called CYVANT. A boutique cybersecurity recruiting company, all we do is recruit the best infosec talent and I’m quite good at it. But in the back of my mind I’ve always wanted to see if maybe I could become an engineer or analyst myself.?I always found that I don’t really have any friends that are recruiters, and most of my friends are engineers in the industry. Plus you can never forget the talent gap in cybersecurity, as a recruiter I am not exactly helping.

But making the transition to an engineer from a recruiter is quite hard, and I have first-hand experience of seeing people try to do this.?There are not many entry-level position in cybersecurity, because it’s not an entry level industry. You are securing peoples information and money and typically is a high risk industry. That’s why you see so many people coming from unconventional paths because there really isn’t a direct way to find yourself into the industry.?A degree in cybersecurity doesn’t even guarantee a position since most of your knowledge is theory and not actual hands-on knowledge. So how do I get into an industry with lots of industry connections but no industry knowledge?

I always knew that companies liked certifications since many of my clients look for them.?And when I spoke with candidates who had certifications from SANS, I always found them to be quite technically good. So, I decided to see if there was a way I could get some SANS certifications to help me build my knowledge.?A friend of mine who I meet through recruiting had qualified for a program in Maryland that would help you get a GSEC and GCIH for free, but you had a be a women, a minority and a resident of Maryland. I unfortunately didn't match any of the criteria.? But in the Winter of 2021, I saw a similar program in Virginia called the Virginia Cyber Skills Academy (VCSA) and if you own a small business you might be able to qualify.?Luckily, I was able to qualify through my own business! The application process took a few months and there were some interviews and exams you had to do but I found out that I would be starting in the Spring cohort of 2022 for the Virginia Cyber Skills Academy along with about 15 other people.?

This would begin my journey to transitioning from a recruiter to an engineer. ?The VCSA is a six-month intensive program that enrolls you in three different SANS certifications, you have about two months to finish each certification. It is self-guided, so you have to figure out your study schedule and what works for you. By the end of the six-month program, you should have passed all three certifications, but this doesn’t guarantee you a job either. And I found they don't exactly help you that much once you have finished the program. I didn't expect the program to help me find a job but this might be the hardest part is finally making the transition. The program does offer you a mentor that will help you solve problems and labs you are stuck on, but it is mostly up to you to make sure you are doing the work you need to do.

The three certifications that you study for in the program are the GIAC GFACT, GIAC GSEC, and GIAC GCIH. You also get to take these courses through SANS' On-Demand program, which allows you to study at your own pace and to study from home if you are working a job already. Couldn't recommend the OnDemand program more. ?The program's first certification begins with the GFACT, stands for Foundations in Cybersecurity Technology’s.?This is not a well-known certification but it should be, it was the first time I had heard of it. ?It is an excellent place to start your cybersecurity knowledge gaining journey, the CTO of SANS (James Lyne) wrote the course and he is an amazing instructor. ?It is very well thought out and at the end of the course you have a solid foundation in cybersecurity. You really touch a lot of different areas, and you get broad strokes of knowledge but everything is well explained. It is worth mentioning there are no CyberLive questions in the final exam portion of the GFACT, it is all multiple choice questions. ?The next certification that I worked on was the GIAC GSEC, which is security essentials. The instructor for this course was Brian Simon, he was fantastic and knowledgeable about the coursework.?The labs were very well thought out and well explained. This builds upon the GFACT coursework and felt more confident in my cybersecurity knowledge upon completing this course. The final exam is 95 questions and 11 CyberLive questions, and takes about four hours.?The last certification in the VCSA is the GIAC GCIH, which is incident handling. The author for this course work was Joshua Wright, he was probably my favorite teacher because of his enthusiasm, and he actually wrote some of the tools used in the course.?The final exam is 95 multiple choice and 11 CyberLive questions and takes about four hours. The only surprise in the GCIH was how much attacker knowledge you gain, it is from the perspective of the defender, but it was very offensive focused. ?At the end of this six-month program I had pass three different SANS certifications and felt super confident in my knowledge base. I am no expert but my knowledge has exceeded my expectations and I am super thankful that I was able to complete this course from VCSA. ?

Now begins the fun part which is job interviewing, it’s quite funny since my actually job is a recruiter, so normally I help other people find jobs. Now it’s my job to find myself a job.?I’m excited for this part of the journey because job hunting is what I know best. I am going into the job hunt with no expectations and open arms to all that would be interested in me on their team. What will I do next, I don’t know, but I am now happy to be apart of the cybersecurity industry more than ever and hopefully I will find my spot on a great team.

#informationsecurity #hacker #infosecjobs #hiring #cybersecurity #SANSworkforce #VirginiaCyberSkillsAcademy #GFACT #GSEC #GCIH #entryleveljobs