Landing Your First Job

Oh, but there are a million vacancies, right?
When I was researching cybersecurity careers, I read many media posts about the hundreds of thousands of unfilled positions, and checking job postings seemed to back that up. This was also perpetuated by my online educator, who clearly wanted to get me to sign up with them and was less interested in being completely honest with me, but meh, salespeople. It still seems like a great opportunity.

I realised fairly early on that it was not simply a case of taking half a dozen certs and riding off into the sunset.

The unfortunate truth is that in order to get what most refer to as an entry level role, you need several years’ experience in IT. You also need whichever certs HR or the hiring manager decide are essential and maybe an undergraduate or postgraduate degree.

I have come to learn that there is some disparity between what recruiters and hiring managers believe makes a good candidate and what the company thinks it needs. Some say there is no such thing as an entry level role in cybersecurity and companies want candidates ready to hit the ground running. Some companies do hire for first cybersecurity roles with a training scheme, but that is not the norm.

When it comes to applying, you won’t fit all of the criteria that are being asked for. Sometimes the job spec is cut and pasted from a previous vacancy. All of the advice I have been given is not to worry if you don’t meet all the criteria; apply anyway. The experience of people who have recently been successful in obtaining a new position often seems to be that they put out in the region of a hundred applications and received a couple of interviews, of which they got one of the jobs.

So the industry finds itself in the current situation where there isn’t a sufficiently skilled workforce to fulfil all the required security positions and the attackers are winning. The good news is that there are people fighting to change this mindset, and there are plenty of fantastic resources available to give you the practical experience if you haven’t worked on a helpdesk for several years, so with a healthy dose of determination, you can start your dream career.

PAN, LAN, MAN, WAN and LinkedIn
The most important network that you need to know about if you want to land a great job is LinkedIn. Apart from certifications that validate your knowledge to some degree, one of the most valuable resources, probably the single most valuable, is LinkedIn. The evidence is that a large number of vacancies are filled via LinkedIn and aren’t even posted. While I’m on the subject, please do connect with me.

If you are new to networking like I was, it’s time to get busy connecting with all of the people who might be able to put you in contact with hiring managers and recruiters. You will find that there are a lot of interesting, friendly, and helpful people in the cybersecurity world who are more than happy to make a little time for you and can help you along with your career. How to do LinkedIn is a whole topic of its own. There are other websites and forums to look out for jobs, traditional job sites as well as specific cybersecurity boards and Discord channels, but LinkedIn is your main go-to.

Homelabs – getting your hands dirty
If, like me, you do not have an IT-specific background, there are still ways for you to demonstrate some level of experience. One way I have done that is by setting up a homelab to practice working with Active Directory, configuring DHCP and DNS servers, setting up and administering networks, and pentesting. You can understand why recruiters want that real experience; there really is no substitute for it.

It isn’t necessary to go out and buy lots of equipment because you can take advantage of virtual machines, and if you let friends and family know about your career goals, you could quite possibly find yourself with some extra equipment for free, which is what happened to me. I’ve currently got 6 laptops, a desktop and a Raspberry Pi. There’s also Amazon Web Services, who have a free-for-12-months tier, and other cloud service providers. I’ll write about my homelab and AWS in other pages.

There are countless free training courses and guides on many different tools and utilities that are not only useful to know, but that you can also add to your LinkedIn profile. As I complete those I will blog about them too. There are also coding boot camps and free training courses on different languages, to give you at least a good grasp of the fundamentals, as well as a whole host of CTFs and online training like HackTheBox, TryHackMe, CyberDefence, Range Force, Security Blue Team, and others with various levels of difficulty and complexity, which I am really looking forward to getting my teeth stuck into.

All of these things are going to make it more likely that you will get an interview, but the best way to bypass the HR filters is by communicating directly with the recruiters or hiring manager.

Further reading
Get help with your CV/resume if you are hopeless at writing them like I am, and take advice about covering letters. I will post something up about resources that can help you with this. I’ve heard a few cybersecurity recruiters and professionals working in the industry offer to look over people’s resumes. Take advantage of that, and don’t be afraid to ask questions. As I have said, there are so many people who want to help you that are in a position to do so.

I’m certain I’m forgetting things, so this list may need to be added to, but one other thing you can do is to start a website with WordPress or another similar platform, which is what I’m doing here, or open an account on GitHub or something similar to that. You can use it however you want, but it makes a great tool for giving you a step up, showing potential employers why they should be taking you seriously. It’s something you can create and link on your LinkedIn profile, and it could be a blog site, or you could write guides and tutorials, anything really that confirms your wider interest, can demonstrate some of your skills, and help you to stand out.

There are also plenty of YouTube videos giving you more tips on how to gain a cybersecurity role with or without experience, which I’ve found extremely worthwhile. At some point I will write a page about the many people, groups and sites that I follow and subscribe to, but a Google search will give you a useful list.

Good luck.