There is no shortage of people wanting to break into the industry, so how do you stand out?
A few years ago, I hired someone into our team at one of my previous employers. Despite having zero commercial cybersecurity experience yet wanting to break into the industry, they weren’t sure they wanted the job.
Today, they are still at that company, but in a different team doing the role they ultimately wanted.
At the time, their day job wasn’t fulfilling. But it paid the bills.
The most interesting thing however, was they maintained a blog purely focused on cybersecurity. And they wrote about all the things they’d experimented with, learned, and achieved as part of their hobby.
This person wasn’t actively looking for a job. They didn’t even know I existed. But I’d seen enough:
“I have to hire this person.”
I sent them a message introducing myself and asked if they were open to speaking with me about a potential role in cybersecurity. They agreed, but could only be available during lunchtime because their workplace at the time kept employees on very short leashes; they were only “allowed out or could speak with people during lunch”.
I took this person to lunch, spending the first half finding out about them and what made them tick. I spent the second half pitching them on why they needed to join our team.
The stumbling block in their mind despite wanting to break into the industry, was that they wanted to be a pen tester. The role we were offering wasn’t exactly what they’d envisioned.
My pitch was essentially this: “It’s great that you want to be a pen tester. I believe you have the attitude, hunger, and intelligence to get there. And you should take the role we have on offer as a way to get there. It will provide a foundational experience in cybersecurity that you’ll benefit greatly from.”
They thought about it and a few weeks later, they joined our team. Today, that person is a pen tester, and I am extremely proud of them.
Prove, don’t just tell
We’re kidding ourselves if we think the majority of cybersecurity professionals are in the industry because of their passion for it. Many are in the industry because it pays well.
Truth be told, most people aren’t passionate about their line of work in the same way they are about something they truly love. This is not to say there aren’t people who love cybersecurity.
When we try to ascertain someone’s “passion” for cybersecurity, we’re really trying to figure out if they have the curiosity, conviction, and persistence to solve problems and get the right outcomes.
Everyone trying to get an entry-level role in cybersecurity says they are passionate about the topic. So ask yourself:
“How am I proving that I’m truly passionate about cybersecurity?”
You’ve probably completed some courses or certifications. You might even have a university degree with the word “cybersecurity” in the title. This does not differentiate you.
Studying doesn’t prove to the world that you are passionate about something. It shows that you found the topic interesting enough for your own personal reasons to spend some time learning about it.
Ideally, you will come up with your own unique ways to prove that you want a cybersecurity career for the right reasons. Here are some examples:
- Write blog posts.
- Start your own cybersecurity project to build on your foundational education.
- Share articles (via social media) you’ve read that you find interesting, including what you learned.
- Attend events or webinars and tell people on social media what you learned or found interesting about each.
- Join industry associations or groups and actively participate.
Most importantly, do these things regularly.
I want to be a pen tester or SOC analyst
That’s great, but so does everyone else trying to get an entry-level role in cybersecurity. The reality of it is, most will not get one of these roles as the “foot in the door”.
The industry needs pen testers and SOC analysts. But we usually need them to be experienced and effective. Every now and then, a larger company will want to hire an entry-level pen tester or SOC analyst and be willing to train them. For every one of those roles advertised externally, there are 100+ people who apply for them. It’s a very long queue.
Organisations are more likely to train someone internally into one of those roles. They likely already have entry-level people learning on-the-job about other aspects of cybersecurity and it makes more sense for them to find their new trainee pen tester or SOC analyst from the internal pool of junior team members.
In addition, a large proportion of these roles aren’t advertised. They are sourced internally, or via one’s own network. I get these calls all the time from people I trust, and who trust me. Nothing ever gets advertised, and the roles still get filled.
Cybersecurity is more than just pen testing and SOC analysis. Other types of roles you can look at include:
- Awareness and Education
- Identity and Access Management
- Security Governance
- Risk Management
- Regulatory Compliance
- Application Security
- Cloud Security
- Vulnerability Management
- Third Party Supply Chain Risk
- Data Protection
- Business Continuity
- Incident Response
- Digital Forensics
- Policies, Standards, and Guidelines
- Business Intelligence and Reporting
- Quality Assurance and Testing
- Program/Project Management
- Business Analysis
This is not an exhaustive list, but I hope this makes it clear how many other avenues you have into an entry-level cybersecurity role.
The world is built on relationships
You should already know this; it’s especially true in a crowded field of entry-level candidates.
Learn to network a little, even if it doesn’t come naturally to you. You don’t need to be a social butterfly. But as someone looking to get into cybersecurity, it does help to get to know some of the folks already in the industry.
Given the relevance of cybersecurity today, there will inevitably be a number of industry groups, meetups, events, and conferences in your location. Make it a point to learn what’s available.
Of course, in a post-COVID world, there aren’t nearly as many opportunities for industry events. But they haven’t disappeared completely.
In-person or virtual, quite a number are free to attend; target these in the first instance. For example, in our region, the Cyber Risk Meetups are excellent. The Australian Women in Security Network (AWSN) is another great initiative to get involved with.
Another way to stand out is to be referred by a mutual connection. For example, a mutual connection reached out last week and told me we would be doing ourselves a disservice by not speaking with a candidate. So I interviewed them, and was subsequently glad that I did. The aforementioned person is now on our shortlist of candidates for one of our open roles.
I understand that when one is trying to break into an industry, you likely don’t have very many connections. So how do you get them? There’s no easy way to do it. You just have to start.
Look for all the people you respect and think you could learn something from. Follow them on social media. Try to figure out if you have a mutual connection. If you do, ask your mutual connection for an introduction.
If not, then at least follow them for some time and understand what they care about and are interested in before reaching out to ask for a conversation. If they agree, spend the time learning and asking for advice. Don’t expect anything back. You should definitely not try to sell them anything, or ask for a job.
If they are a genuine person, they will likely try to find out what your aspirations are, which is your permission to tell them. Even then, talk about your goals at a high level. Don’t say: “I’d like a job at your company.”
So you got an interview
Congratulations! Getting an interview is difficult, particularly if you are trying to get an entry-level position.
We’re currently hiring for an entry-level cybersecurity role at Avertro. It’s not a pen testing or SOC analyst role. There were 80 applicants, and we’ve shortlisted 15.
I interviewed all 15 people. 20% of them did not make it past the first 10 minutes of the interview with me because they failed the most important question. Even if you fail the interview early, how you react means a great deal.
One of the candidates spent the rest of the interview thanking me for the feedback and explaining how they intended to improve and that they would love to have an opportunity in future to prove it to me. You know what, I’d likely speak to them again for a future role if they show they’ve learned their lesson.
Another hung up on me immediately before I had the chance to thank them for their time. All that did was prove I made the right decision. I will likely never speak with this person again.
The other 80% made it all the way through the 30-minute interview, and we’ve shortlisted three. Why did these people make our final shortlist? Because they exhibited the common traits many interviewers are looking for in their top candidates.
- If you’re truly passionate about cybersecurity, differentiate yourself by proving it.
- There is so much more to cybersecurity than being a pen tester or SOC analyst.
- Relationships and networks matter, even at entry-level.
- Learn how to interview well: there are literally guides on how to do it right.
Ian Yip is the CEO of Avertro, a venture-backed cybersecurity software company. Avertro CyberHQ is a Cyber Management Decision System that helps leaders manage the business of cyber using defensible insights to determine what is essential.