Updated: Sep 8, 2021
Three-and-a-bit years ago, at the age of twenty-seven, I was afforded an opportunity that would change my life. After nine years of working in retail, I had found myself suddenly without a job, a career and any form of income. Initially, I believed this to be a blessing-in-disguise as, for a long time, I had known that I wanted to try and break away from what I was doing and, if I could, forge a career for myself in IT. The thirteen months of unemployment that followed however would be more difficult than I could imagine, but eventually, after countless interviews and job applications, I was given the chance to prove what I could do.
I count myself incredibly lucky to of been given that opportunity, and in the years since, I've made an effort to give others as much help as I can in their attempts at changing careers and breaking into the industry.
What follows are a few of the things I recommend to people that are considering a career in cyber, I hope they are of some use to you or someone you know.
If you don't shoot, you won't score
I often see conversations in the infosec community of entry-level jobs with outlandish demands. While this may be the case for some job listings, this shouldn't put you off applying. For many of the jobs to which I applied, I would never receive any form of acknowledgement, from either the recruiter or company, occasionally, I did at least get interviews and, as with all things, failure is an opportunity to learn and improve.
Sincerity and honesty are great tools for building empathy with your interviewer, you may not be successful in your application, but they can at least tell you why they didn't give you the job.
You may not have the skills required for the role but you'll at least come away with a better understanding of how you can improve your chances for next time.
Emphasis your skillset
My time spent working in retail wasn't entirely wasted, it allowed me to develop people skills and taught me how to build relationships with customers. Those are not skills that you would immediately think of value to a career in cyber, but they can be what stand you apart from others applying for that break-through job.
The best security analyst teams are made of people that have different perspectives, different opinions and place importance on different things, a team of people with the same background, skillset and training are likely to identify the same things when threat hunting for example, but a team that consists of varied skillsets, backgrounds and experience stand a far greater chance of spotting unusual behaviour.
Don't be afraid to try and leverage your experience and skills, understand first how they could be of use within a security team and then emphasise it to your interviewer.
Work experience has always been a great way to gain insight into a role before you commit to it. Although you won't be earning a salary, you will be getting a great idea of what it is like to work in the industry, the tools you'll use and how you can expect to spend your day. I've had several people take leave from their current job just to spend a week in our SOC, learning and experiencing what is required to be a successful analyst, and they always end the week more enthusiastic about their chances of landing that next interview than when they started.
Even the smallest amount of experience builds confidence and knowledge, both of which will go a long way to helping you land that life-changing role.
Thinking several steps ahead and identifying skills
Job listings are a great way to understand what employers want and value in their employees, look at job listings not just for entry-level roles, but for senior roles too, this will give you a great understanding of the skills that you need to start working on and, perhaps also an edge in your junior role interviews.
Information security is a deep and dense subject area, there are too many specialisations and certifications to count and this can often seem daunting and off-putting. When taking on work placements or apprentices, I try where I can to have them take on tasks and projects across the entire spectrum of our security operations, often people will enjoy things more than they anticipated. Certainly, when I first started, my long-term ambitions would change almost monthly!
When pushed to recommend training, certifications and skills, I have a few suggestions for building foundational knowledge:
CompTIA Network + and Security +. Both are great courses to study and foundation certificates to earn. CompTIA is vendor-neutral and so is relevant to almost all environments.
Report writing. Whether it's blue or red team, almost everyone in security will spend a considerable amount of time writing reports. The beauty of this skill however is that you can gain excellent report writing techniques from many other professions and academic studies.
Look for risks in everything. While this may seem like a quick and easy route to paranoia, looking for risks is what information security is all about. The sooner you start to think like a security analyst, the sooner you'll become one.
Understand the technologies and services used. This is a great way of demonstrating that you're ready for your first job in cyber, understanding the tech and services shows the recruiter that you are serious about the role. MDR, vulnerability assessments, pen-testing and ISO27001 consultancy are just a few key services and solutions available from most cybersecurity companies.
The information security landscape is one that never remains still for long. New threats loom large on every horizon, any aspect of an organisation's infrastructure is susceptible to exploitation at some point in the likely not-too-distant future. Any aspirations of a long and fulfiling career in cyber must be met with an equal desire to learn and to continue to learn.
Be prepared to become enthusiastic about personal development and self-study, demonstrating an ability to be a studying self-starter will certainly impress any prospective employers and interviewers.
Recommendations for people just starting in cyber include:
LinkedIn. Connect with specialists and contributors, I've learnt of many technologies, methodologies and training through recommendations and posts, and is often the first thing that I recommend to people looking for study material.
E-learning. I have used many different vendors over the last few years, Cybrary, Pluralsight and Udemy all provide excellent content and are highly recommended.
Mentors. Finding and requesting mentorship can be a daunting task but can prove a great resource, again LinkedIn is a great source of professionals looking to help those wanting to get into the industry.
Training. I'd be remiss to not recommend my companies training courses, BIT Training offers a huge array of excellent training courses all with an experienced instructor. More information can be found here.
Finally, I would say, don't give up. You'll have moments in which you will feel despondent, continued rejection can be devasting, but be persistent, it took thirteen months before I landed my full-time role, each knock-back will make you more desperate, but it'll also increase your appreciation once you do find that opportunity.
I'll end on two of my favourite quotes, the first attributed to Vincent Van Gogh "Normality is a paved road, it is comfortable to walk, but no flowers grow." and the second from Napoleon, "Ability is nothing without opportunity".
Changing a career is a difficult and brave undertaking and is not a decision to be taken lightly, but once you land that role, you are set for an incredibly rewarding career. Don't judge yourself on your failure to land that role immediately, the next opportunity is always closer than you think.
Written by Shaun, BIT Security SOC Operations Manager