Published on August 19th, 2021
Cybersecurity startup founder Ian Yip explains how to get an entry-level job in the sector
There is no shortage of people wanting to break into the industry, so how do you stand out?
The unicorn
A few years ago, I hired someone into our team at one of my previous employers. Despite having zero commercial cybersecurity experience yet wanting to break into the industry, they weren't sure they wanted the job.
Today, they are still at that company, but in a different team doing the role they ultimately wanted.
At the time, their day job wasn't fulfilling. But it paid the bills.
The most interesting thing, however, was that they maintained a blog purely focused on cybersecurity. And they wrote about all the things they'd experimented with, learned, and achieved as part of their hobby.
This person wasn't actively looking for a job. They didn't even know I existed. But I'd seen enough:
"I have to hire this person."
I sent them a message introducing myself and asked if they were open to speaking with me about a potential role in cybersecurity. They agreed, but could only be available during lunchtime because their workplace at the time kept employees on very short leashes; they were only "allowed out or could speak with people during lunch".
I took this person to lunch, spending the first half finding out about them and what made them tick. I spent the second half pitching them on why they needed to join our team.
The stumbling block in their mind, despite wanting to break into the industry, was that they wanted to be a pen tester. The role we were offering wasn't exactly what they'd envisioned.
My pitch was essentially this: "It's great that you want to be a pen tester. I believe you have the attitude, hunger, and intelligence to get there. And you should take the role we have on offer as a way to get there. It will provide a foundational experience in cybersecurity that you'll benefit greatly from."
They thought about it and a few weeks later, they joined our team. Today, that person is a pen tester, and I am extremely proud of them.
Prove, don't just tell
We're kidding ourselves if we think the majority of cybersecurity professionals are in the industry because of their passion for it. Many are in the industry because it pays well.
Truth be told, most people aren't passionate about their line of work in the same way they are about something they truly love. This is not to say there aren't people who love cybersecurity.
When we try to ascertain someone's "passion" for cybersecurity, we're really trying to figure out if they have the curiosity, conviction, and persistence to solve problems and get the right outcomes.
Everyone trying to get an entry-level role in cybersecurity says they are passionate about the topic. So ask yourself:
"How am I proving that I'm truly passionate about cybersecurity?"
You've probably completed some courses or certifications. You might even have a university degree with the word "cybersecurity" in the title. This does not differentiate you.
Studying doesn't prove to the world that you are passionate about something. It shows that you found the topic interesting enough for your own personal reasons to spend some time learning about it.
Ideally, you will come up with your own unique ways to prove that you want a cybersecurity career for the right reasons. Here are some examples:
- Write blog posts.
- Start your own cybersecurity project to build on your foundational education.
- Share articles (via social media) you've read that you find interesting, including what you learned.
- Attend events or webinars and tell people on social media what you learned or found interesting about each.
- Join industry associations or groups and actively participate.
Most importantly, do these things regularly.
I want to be a pen tester or SOC analyst
That's great, but so does everyone else trying to get an entry-level role in cybersecurity. The reality of it is, most will not get one of these roles as the "foot in the door".
The industry needs pen testers and SOC analysts. But we usually need them to be experienced and effective. Every now and then, a larger company will want to hire an entry-level pen tester or SOC analyst and be willing to train them. For every one of those roles advertised externally, there are 100+ people who apply for them. It's a very long queue.
Organisations are more likely to train someone internally into one of those roles. They likely already have entry-level people learning on-the-job about other aspects of cybersecurity and it makes more sense for them to find their new trainee pen tester or SOC analyst from the internal pool of junior team members.
In addition, a large proportion of these roles aren't advertised. They are sourced internally, or via one's own network. I get these calls all the time from people I trust, and who trust me. Nothing ever gets advertised, and the roles still get filled.
Cybersecurity is more than just pen testing and SOC analysis. Other types of roles you can look at include:
- Awareness and Education
- Communications
- Identity and Access Management
- Security Governance
- Risk Management
- Regulatory Compliance
- Privacy
- Application Security
- Cloud Security
- Vulnerability Management
- Third Party Supply Chain Risk
- Data Protection
- Business Continuity
- Incident Response
- Digital Forensics
- Policies, Standards, and Guidelines
- Business Intelligence and Reporting
- Quality Assurance and Testing
- Program/Project Management
- Business Analysis
This is not an exhaustive list, but I hope this makes it clear how many other avenues you have into an entry-level cybersecurity role.
You should already know this; it's especially true in a crowded field of entry-level candidates.
Learn to network a little, even if it doesn't come naturally to you. You don't need to be a social butterfly. But as someone looking to get into cybersecurity, it does help to get to know some of the folks already in the industry.
Given the relevance of cybersecurity today, there will inevitably be a number of industry groups, meetups, events, and conferences in your location. Make it a point to learn what's available.
Of course, in a post-COVID world, there aren't nearly as many opportunities for industry events. But they haven't disappeared completely.
In-person or virtual, quite a number are free to attend; target these in the first instance. For example, in our region, the Cyber Risk Meetups are excellent. The Australian Women in Security Network (AWSN) is another great initiative to get involved with.
Another way to stand out is to be referred by a mutual connection. For example, a mutual connection reached out last week and told me we would be doing ourselves a disservice by not speaking with a candidate. So I interviewed them, and was subsequently glad that I did. The aforementioned person is now on our shortlist of candidates for one of our open roles.
I understand that when you are trying to break into an industry, you likely don't have very many connections. So how do you get them? There's no easy way to do it. You just have to start.
Look for all the people you respect and think you could learn something from. Follow them on social media. Try to figure out if you have a mutual connection. If you do, ask your mutual connection for an introduction.
If not, then at least follow them for some time and understand what they care about and are interested in before reaching out to ask for a conversation. If they agree, spend the time learning and asking for advice. Don't expect anything back. You should definitely not try to sell them anything, or ask for a job.
If they are a genuine person, they will likely try to find out what your aspirations are, which is your permission to tell them. Even then, talk about your goals at a high level. Don't say: "I'd like a job at your company."
So you got an interview
Congratulations! Getting an interview is difficult, particularly if you are trying to get an entry-level position.
We're currently hiring for an entry-level cybersecurity role at Avertro. It's not a pen testing or SOC analyst role. There were 80 applicants, and we've shortlisted 15.
I interviewed all 15 people. 20% of them did not make it past the first 10 minutes of the interview with me because they failed the most important question. Even if you fail the interview early, how you react means a great deal.
One of the candidates spent the rest of the interview thanking me for the feedback and explaining how they intended to improve and that they would love to have an opportunity in future to prove it to me. You know what? I'd likely speak to them again for a future role if they show they've learned their lesson.
Another hung up on me immediately before I had the chance to thank them for their time. All that did was prove I made the right decision. I will likely never speak with this person again.
The other 80% made it all the way through the 30-minute interview, and we've shortlisted three. Why did these people make our final shortlist? Because they exhibited the common traits many interviewers are looking for in their top candidates.
Key takeaways
- If you're truly passionate about cybersecurity, differentiate yourself by proving it.
- There is so much more to cybersecurity than being a pen tester or SOC analyst.
- Relationships and networks matter, even at entry-level.
- Learn how to interview well: there are literally guides on how to do it right.