How did you "break into" Cybersecurity as a career? (pun intended! 😀)
How did you get started? Did you begin with a career in military, start in the IT field or change your career from another path? Share your insight with others!
Starting out brand new or changing career paths is overwhelming.
At (ISC)² we want to help close the cybersecurity workforce gap of 2.7 million and establish a clear new pathway for the next generation of professionals to pursue a rewarding career in cybersecurity. (ISC)² has created a new entry-level cybersecurity certification.
Are you looking to start a career in Cybersecurity? Jumpstart your career and register for the entry-level certification that will prove to employers you have the foundational knowledge, skills and abilities necessary for an entry- or junior-level cybersecurity role. It will signal your understanding of fundamental security best practices, policies and procedures, as well as your willingness and ability to learn more and grow on the job.
Do you have advice for job seekers? Share your insight and post below! What else would you add to our page? How to Find a Cybersecurity Job
Join LinkedIN and start networking with business and IT professionals (including security).
You don't even need to network. Just search topics. Through LinkedIN, if you are new to IT or looking to get into security there are plenty of topics covering career path (security), free online and affordable training resources ($$$$$), which certification is better (depending on position/return on investment), certification vs education vs experience, this topic (how did you get into IT/security), and these comments are provided by actual professionals up to the CISO and CEO levels. Think about it. You can be getting information from actual professionals where career coaches charge 100s/1000s of dollars and for free.
Otherwise like anything else do some research, as there is plenty of information out there on the internet (including job sites).
I echo just about everything RROACH mentioned in response.
Many years ago, it seems like the biggest focus for finding any job was:
You'd send the latter two documents off through email, fax, or post to the HR departments at every employer you were interested in and then some. If you had a direct contact at the company who could drop your CV off on the hiring manager's desk that was gravy! For entry level positions, initiative and the desire or willingness to learn was on of the biggest factors that managers looked at.
I think over the years there has been a substantial shift in the job hunt process, geared largely by the high demand for technical workers but also by technology itself. I think that people who jumped into Cybersecurity 10-15 years ago would absolutely be at a loss if they were trying to do the same today.
In my humble opinion, recruiting, for many companies isn't a personal process anymore. It has become a lot more like gambling - numbers and statistical probabilities. And that's largely because a personalized recruitment process just doesn't effectively scale well. You see this parallel in other areas of industry - especially customer service where interactive voice systems and chat bots have replaced real people.
So in a very similar way many of these companies have thousands of candidates applying for jobs from across the globe. That makes for a hugely diverse candidate pool, but it also means from an applicants perspective - a much bigger pool of competition. The HR departments have also tried to use technology (ATS) to automate processes or outsource them and who can blame them? HR departments from large companies receive 10's of thousands of applications and resumes for jobs/roles/positions that are more or less a complete mystery to them. Who staffs enough people to review resumes from that many people for multiple positions? And even if they had the time/resources, do John or Sally in HR really know what makes a good web application security engineer vs what makes a good cloud identity security architect - probably not. They are loosely aware that there is a job number associated with the cyber security cost center that is titled 'Web Application Security Engineer'. That job description has a lot of familiar HRM framework - probably used as a template for all their job descriptions; general assertions about company benefits; company mission statements; company propaganda; and likely some pop-culture terms like "creativity", "outside the box", "teamwork", "opportunity", "diversity", "equality"; but the actual technical qualifications - are more or less going to be a mystery to John and Sally. (IT acronyms, development languages, security frameworks, etc.) So how do John and Sally cull thousands of resumes down to a stack that the hiring manager has time to review? Automation and technology - Yes you can tell all your grand kids that you lived during the horrible reign of early applicant tracking systems. And you don't have to google very long to find all the horror stories of experienced, qualified applicants having their resumes rejected by these systems. But that's a tale for some other time.
So a security manager or lead was likely the one that typed up the technical section of the job requirements that someone in HR advertises. IT and Cybersecurity Managers always tend to feel like they are short handed, so when they type up the technical job requirements they often do so with very broad brush strokes. And when they are creating that job description they are likely thinking about what kind of candidate it would be nice to have in a perfect world - hmmm maybe someone with development experience, hardware experience, security experience, risk & compliance experience, technical writing experience, cloud experience, etc., etc. Sometimes in really good organizations the manager's peers may slap him/her back into reality after reading the description and realizing that such a candidate would be way outside the positions budgeted pay grade. Even so, such a position is hardly ever entry level, but this is also a reason that you hear a lot of advice to apply for jobs that you only match 75% of the qualifications. So the manager's got limited resources and they're responsible for hiring people to maintain/design/monitor security controls and you can bet that the pressure is high to stay off the front page news as tomorrow's latest breach. To get those people hired they have to wade through resumes that HR forwards them - or they can get candidates "pre-screened" from a third party talent source.
I say a lot of these things because I think we have major issues with Cybersecurity recruiting and I think its across all of STEM to be honest. But I mention all of this to highlight the one thing that can tip the scales in your favor if you are looking for an entry into Cybersecurity. Personal interaction with a person - preferably someone that works in the department you want to work in. And I didn't say in-person, but rather personal interaction. Some people use the term networking, but I try to avoid it since it can cause confusion when talking to other people in IT. Try to focus on building professional relationships or connections with people in Cybersecurity - and I hate to sound like a product sponsor but LinkedIn is one of the best inroads for introducing yourself to people, participating in cyber discussions, asking questions etc. Even ISC2 forums may lead to such relationships - but its probably not going to see as much traffic as LinkedIn. It's akin to the old days when you knew someone working at the company who could drop off your CV and maybe say a few positive words about you to the hiring manager. Try to get to know folks who are doing things you are interested in.
So I know everyone wants to work their first entry level cybersecurity job at Meta, Amazon, Netflix, and Google - but just remember that "everyone wants to work their first entry level _*_ job at Meta, Amazon, Netflix, and Google". If you really want to just get your foot in the door to build some experience in cyber look at other potential employers that don't receive a billion applications everyday. Just remember that entry level cyber is just that - its often menial, non-csi, non-hacking work in unexciting operational roles being paid low amounts of money to train your mind in the foundations of cybersecurity so that someday you will be prepared to transition to a more senior roles.
The best way to start is with certifications first. The ones to start with are CEH- certified ethical hacker and CEN- certified network defender it will give you the base knowledge and hands-on experience you need to know as a cyber professional before moving into other fields.
I would recommend EC-Council University an accredited and 100% online university that provides cybersecurity degree at the graduate and undergraduate levels.
Hope it helps!
We interviewed a few members for advice and here are their stories as they got started in the cybersecurity industry:
Journey Into Cybersecurity - Conversations with Cyber Newcomers, Part 1
Stay tuned as we continue this conversation with additional blog posts in the future!
Thanks for the advice. what you recommend for personnel with more than 20 years of IT experience and recently got CISSP and holding PMP for 9 years. how should I look for security job.
Thanks for advice in advance.
Looking to get into the Cybersecurity career? Hear what others said in part two of this blog series where we interviewed professionals with four-six years of experience: Journey Into Cybersecurity, Part 2
In case you missed the first part, we interviewed professionals with less than three years of experience and heard their experiences and how they got their first role, etc.: Journey Into Cybersecurity, Part 1.