Searching for your first cybersecurity job (2 of 4)
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
This is the second of four articles I am writing for our community. I hope that all of them together will help professionals who are looking to start a career in the cybersecurity field.
I recently spoke with groups of veterans who were preparing to transition from military life and look for their first job in private industry. The men and women I spoke with were interested in cybersecurity, and I promised them I would write an article with tips to aid them in their first security job searches. Keeping this promise in mind, I also think this discussion would be meaningful to all new professionals planning to join our community. So as we begin, this article is not a how-to guide for the experienced security practitioner who is already working in our career field. Instead, it is a collection of insights for anyone currently performing a technical/cybersecurity job search, and hopefully, this information makes that search easier for you.
1. What information do you have? - To begin the job hunt, remember it’s all about gathering information. You should first review whom you know; yes, that’s correct, I am not recommending using a computer first but instead using your network. If you are looking to get a job in the technology or cybersecurity industry, then one of the best ways to find out who is hiring, what technology is on the rise, what experience is wanted by employers, etc. is by asking peers for their advice. If you are new to the technology/cybersecurity field, you can get this information from professional organizations such as ISSA, ISACA, Infragard, OWASP, ISC2, IAPP, etc. Many of these organizations have chapters all over the world and sponsor monthly meetings where members come together to have a meal, hear a speaker, or conduct an event such as “capture the flag.” Of course, due to Covid-19, many of these events are now online, but chapters are still active and are a good source of information. Another part of the information gathering process is to research the various positions in the field you want to join so you understand the educational, technical, and work requirements you will have to meet. An excellent reference for cybersecurity is the National Initiative for Cybersecurity Careers and Studies (NICCS) NICE Cybersecurity Workforce Framework.
2. Searching for your job, cast a wide net! - I am going to assume you have gathered some information. You have spoken with peers, mentors, friends, etc. and after reviewing the NICE framework, you feel your experience and training match well with the “Security Analyst” job description (the example I selected for the article). Now it’s time to use your computer, and you can start your approach by using a search engine to cast a wide net for information and then narrowing that view with specific job boards. For this step, let’s look at what I get with the wide net approach using the search parameters of “information security analyst.” Initially, with the first search, I find generic data about the occupation, which is useful if this is a new career field for you. Some interesting information I noticed quickly was the pay range, and I can see the questions other people have asked about this role. Plus, I can see other websites such as the Bureau of Labor where you could go and read up on this occupation, and you can see similar professions at the bottom of the search results that you may not have thought about when you started your search. The main thing to remember here is the job is more than the average pay; you need to read about the skills, education, and certifications it calls for, and what a typical day is like for someone in this type of position. Make sure you have a well-rounded picture, and don’t be afraid to go back to the people you spoke with in the first step and validate the information you have currently collected.
3. Narrow the search to find an opportunity – By this step, you have collected information about the career field you think matches your skills and experience. Plus, you have completed your first group of job searches to validate your decision. Now comes the fun part: searching for an open job requirement for the occupation you selected. To do this effectively, you usually start with some type of job search website. Using this type of website will help you narrow your search to a specific geographical location or a required pay range. I am not going to recommend any particular job search website; there are many you can choose from, plus don’t forget executive sites like LinkedIn also offer the ability to search for jobs. For the sake of this article, I have searched for an Information Security Analyst position in the San Diego area on a job search website. From the search results, I can see specific job positions that are currently open in San Diego, and I can see the estimated monthly pay ranges for some of them. An important point to remember from the picture I have included for this step is most job websites will have advanced search parameters. “Advanced Search” will allow you to create filters so you can search for a particular job, pay range, location, part-time/full-time, etc. The reason I mention this is you can save these unique searches, and if the website has the feature, you can set the search to run daily, weekly, or monthly and email you the results.
4. I think I have found a job – This step is where you narrow your search to a specific job opening that you feel matches your skills, experience, and education. The example we will use for this step is an Information Security Analyst position for San Diego State University. One thing I want to point out here is, don’t be surprised how confusing job requirements can be for a position. This is why, for the rest of this article, I will help you decipher the criteria for the job I have selected, and hopefully, this process will provide you the insight to do it yourself. Now, back to the position at San Diego State University that I selected for our example. From the picture, you can see the official job title, that the job is full-time and that it reports to the Chief Information Security Officer. Reading the job description, you can see some of the requirements (investigating, researching, logging, tracking, etc.) someone in this position will be expected to do daily. This is important because if you apply and interview for this position, you will get questions in the job interview about your ability or experience to meet these requirements. Finally, under the “Education and Experience” section, you should note one sentence I underlined because the employer specifically calls out skills/experiences that are a prerequisite, which means you need to have them before applying for the job. Note, they state they expect you would get this experience from having a Bachelor’s Degree, but they don’t make that mandatory, this leaves you room if you have job experience instead of a degree. Look for that opening if you lack the degree but have extensive experience, many in the military have the experience, so don’t be afraid to leverage it.
5. Don’t forget your soft-skills – Now we are into the core part of a job description, the actual qualifications and skills you are expected to have if you apply. As we begin, I want you to first focus on the word I have circled, “Preferred.” Why did I focus on this word? It’s important because it means the qualifications and skills listed below aren’t mandatory; they are a shopping list for the employer. They are looking for someone that has most of those skills; I like interviews where it’s “preferred” because now you can tell your value story of how the skills and experience you have make you the best candidate. A couple of other things I want you to notice and think about: the first is the call out for an “Information Security Certification.” Notice they don’t state what certification, they just expect you to have one, and the good news is you aren’t limited to a specific cert. The other important things I want you to note are the soft-skills they expect you to possess. I focus on this because it is critical; I can guarantee you if you make it to the interview stage you will be asked to give examples of how you have used ingenuity or how you have troubleshot a problem. You should prepare for the hiring manager to ask you in the interview about your approach to solving a hypothetical problem and explain why you made specific decisions. You need to understand they are looking for someone who is a good fit for their team, so it’s more than just technical skills. Come prepared and be ready; they have given you their roadmap for the interview.
6. Check the final details – To recap, we have found a job that we want to apply for and we feel we have many of the preferred qualifications and skills. In this final step, what I want you to focus on is the last section at the end of a job description. For this example, Information Security Analyst at San Diego State University, the final part is labeled “Compensation and Benefits.” What is essential here in this section will be things like what I have underlined, such as the starting salary, when the review of the resumes will begin/end, if the position requires drug testing, background checks, or work authorization. Do not forget to review this section; if you submit your resume late, you will never get the chance to interview.
In closing, I hope I have given you some necessary information to get you started on applying for positions and some insight into understanding the requirements of any job you select. One last note to help you with this process: I would recommend keeping a spreadsheet that lists each job you have applied for with the contact information and what resume you submitted. This spreadsheet will allow you to track which positions are still active, which ones have been filled, and which ones were a “Did not meet requirements.” Approach this focused on the end goal of finding your job; don’t take not getting a position as a negative. Just move to the next and keep trying. Don’t forget, once you start this process, to keep actively talking with your network, and don’t be afraid to ask the community for help. Welcome to the field of cybersecurity; I for one am happy you are here, as we need continuous diversity and new talent. I hope all of you are doing well, and I look forward to feedback on this article from our community.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the author of a new book, The Essential Guide to Cybersecurity for SMBs. For those of you that have asked, all three are available in print and e-book on Amazon. To see more of what books are next in our series please visit the CISO Desk Reference website.
Jay Jay Davey interesting read Gary Hayslip, CISSP great as always sir.
President HZPC Americas Corp
4y Well written and helpful information Gary. Thank you for sharing!
A very good article, if I could make one suggestion it would be to add decide which area of IT security you wish to work in. As the process of looking for a role in cyber can be daunting at the best of times. As a Veteran it may be all a bit confusing (I know it was for me). Thus you need to decide which area of cyber security interests you. Once you know this it can help to increase the chances of finding the role that is right for you.
System Engineer, CISSP, MBA
4y Thank you, Gary, for writing this article. Your article should be used by #Veterans in every field seeking an #AdvancedPosition.