Finding your first infosec gig - some helpful things you can do

First thing’s first, take a second to just clear your head, whether you must stop reading and look out the window, or a few breaths in a quiet space, it’ll help, and you probably need it.

Job searching is always a pain, no matter the industry. Now factor in organizations with unnecessary gatekeeping, pointless complexity, and a lot of difficult working conditions

Maybe you’re considering a career change and finding it difficult to gain any traction, in any case this is a situation where you may find more success by going slower and focusing your effort a little more strategically.

Alright, now that we’re feeling relaxed, I want to preface this by saying like everything, your mileage may vary, like everything there are a lot of variable conditions you don’t control. Bad job descriptions, bad economies, limited opportunities, pandemics, there will always be some things stacked against you, but having spent 10 years in the business in varying roles I have come to learn a lot about showcasing the value of my work experience. I’d like to help you do the same.

Feel free to pick and choose what you need from the info below. It’s designed to be consumed in any order at your own pace. Take care of YOU in all of this.

Please note, this list may change in the future as I remember more helpful info. I’ll post any changes on LinkedIn so if we’re connected then you won’t need to check back here all the time.

LinkedIn

Social media has good value for showcasing your work without costing you a ton in hosting fees. Granted the platform is free so your data is the product, but that visibility can cut both ways. Use the platform to showcase your previous non-security work experience in ways that are relevant to your intended positions*. *Examples of how to do this are under the Work Experience heading

If you’re a student or self-learning, post about what you’ve learned recently. Did a lesson in a class resonate somehow? Complete an online course and it had some cool projects? Show case those! Doesn’t have to be a personal blog, LinkedIn has an article function if you want something outside the usual posting.

Demonstrating your new skills goes a long way and helps build connections in the process, plus it gets a conversation going with many different people, some of whom might know someone looking for someone.

Some thoughts on the “Open to Work” image frame

From one professional to another, avoid the Open to Work frame. If you found it had success for you, then that’s great and I encourage you to disagree with this all day long, dissent is healthy. That said, my logic behind avoiding the use is you demonstrate to “body shops” a.k.a company’s just looking for bodies that you’re available and maybe willing to accept a lower offer or more onerous conditions. It may hurt your negotiating position as they may perceive your situation as desperate. I like to believe companies and the people who run them are naturally good, but you could fire a cannon in any direction and hit someone who has been in situations with bad employers, so I know enough of those types are out there and wouldn’t hesitate to be shady on this.

A note on profile content:

Make sure your profile tells a bit of a career story, rather than just your work experience. Don’t be afraid to put your favorite accomplishments like a self-developed project or something you did in a training session. If you’re not comfortable posting any articles etc. engaging with other content always helps, so start there! It’s not a bad networking tool all in all, just watch out for bad actors and make sure your feed aligns with what you’re wanting to learn and/or the types of work you’re looking to do.

Work Experience

Infosec is multi-disciplinary, meaning you probably have some skills already that’ll be useful. I’ve had a ton of different jobs over the years, I started as a short order line cook at a chain restaurant, but I’ve also driven forklifts full of lumber in the middle of summer and spent time leaning on retail sales counters pretending to look busy for the third slow Saturday night this month.

Customer facing jobs deal with contentious situations no matter the industry. Most jobs have supply chain issues to deal with, inventory to manage, schedules to fill shift coverage, these all show up in infosec too, so it’s about aligning your experience with whatever learning you’ve been doing.

Be sure to detail your work experience with some types of results if you can. Consider something like “Managed warehouse shipments and developed an organization system, which improved the accuracy of stored inventory.” Companies with large tech footprints must manage inventory systems in similar fashion, it’s just the technology available that may be different (although not nearly as often as you’d think). Keep in mind this is just an example, be sure to write this narrative in your own voice, since you need to be able to discuss it in job interviews.

Good information security includes people, process, and technology, I’m willing to bet you have some experience in one of those 3 domains already. Amend your resume and previous experience to showcase what your work experience delivered, that goes a long way in the application process. Showcase that previous experience with the following pattern:

What you did within the role

What were the results

How did it impact the business?

You can apply the same logic to your LinkedIn experience section, consider starting their first as you can make changes and observe traffic patterns much more reliably. If some new keywords show up on your page and suddenly your search metrics improve, that’s a good sign! It takes a bit of practice so keep at it.

DIY Experience

For everything else, there’s DIY experience.

If there is something about infosec you find interesting, pull that thread, and see what you come up with. If you can afford to go, conferences and workshops are a great way to learn some cool concepts that have a lot of value to security programs.

Similarly, consider mining for free content in line with what you want to do. Looking for pentester roles? Find some pentester content that resonates with you and tinker with some cheap tech if you find yourself with a few hours and some capacity to do so.

Find some hands-on training if you can, or follow along with tutorials, but a quick caveat on avoiding “tutorial hell”.

Tutorial hell can sink in when you’re learning concepts to achieve a specific goal. Be sure to spend some time on fundamentals and experiment on your own with the learning outcomes you’ve gleaned from the tutorial work you’ve been doing. Applying the learning to your own ideas will cement the knowledge much better, and you’ll have something uniquely you to show as an example of your work.

An example of how I broke out of tutorial hell would be a web development course I was taking online. I leveraged the concepts I learned from the class into my own web game that I sell as a training service to organizations testing their incident response plans. Combining the skills, you’ve learned in tutorials into your own vision will improve your knowledge outcomes much more effectively.

It’s a Numbers Game

Many entry level security jobs receive a ton of applications, be ready for this with a few resumes specifically tailored to match the types of jobs you’re applying for, here’s how that works:

Search job banks like LinkedIn for jobs you’re interested in based on title or other keywords.

Examine those descriptions and identify how your learning and experience align.

Save various types of resume templates associated with each job type. Apply to roles that align with how you’d like to spend your time, chances are you’ll be more interested in those interviews anyway.

There will be no shortage of rejection at this stage. Companies claim they can’t find anyone and exclude viable candidates for any number of foolish reasons. Don’t give up! Focus your efforts on companies you’d like to work for, whether it’s because of the culture, projects ongoing, roles available, location, etc.

I’ll let you in on a secret, even with my extensive experience, extracurricular security activities, and everything else I had in my tool belt, I still got rejected for jobs where I had a lot of the right qualifications and relevant background. One reason I didn’t get a gig was because I “wasn’t corporate enough”. If it isn’t wholly unprofessional, I would send them a gift basket, because that rejection was such a blessing in disguise, as I wouldn’t have been a good fit for the culture and the work would have been supremely annoying. Plus, it gave way to a job that was easily the best career move I’ve made to date, working with an amazing team and rock-solid management that cares about their people.

Every “no” gets me that much closer to yes.

- Mark Cuban (paraphrased)

Do your homework

That brings me to the next point, doing your homework. Make sure to research some companies you’re seeing in your job feeds. Have a look at what they’re up to, the work they’re doing, where, how, who, you get the point. That can tell you with some certainty whether you’d be a good fit and how working there can shape your career.

Networking (unfortunately it’s mandatory)

I get it, the idea of introducing yourself to strangers and trying to convince them you’re their type of security professional is a daunting thought to say the least. For some of you, reading that sentence maybe had you breaking out in hives or closing the window. I will say networking is uncomfortable if you’re not used to it or not a very social person, but there’s a way you can accomplish a lot of the outcomes in ways you find more to your liking.

Remember above when I mentioned showcasing your work? That’s a big help in getting the types of like-minded people to visit your showcased work and interact with it, that’s networking too!

Find creators with material aligned with how you want to grow your career. Interact with it a little at a time and feel free to reach out to others while being respectful of their boundaries as well as your own. I field unsolicited connection requests all the time, and routinely message back, because I know this step is tough for a lot of people, so I try to make a difference.

Bringing “YOU” to the interaction

I once asked a recruiter friend if my student should leave his hockey background on his resume, as he’d played on professional teams in the past. She advised that yes it was relevant even for tech jobs because it shows he could be coached to achieve an outcome (there’s a goal joke in here somewhere). She also elaborated that it could break the ice in job interviews for both parties, because it’s an interesting time in the person’s life.

My favorite networking method is to hang out at the hotel bar where a security conference is hosted, and just make friends with other attendees as they pass through between talks. I’ll happily spend most of the day next to the taps like a much younger Norm Peterson and share security stories or hear tons of my own.

Whatever you choose to do, make sure you’re bringing your authentic self to the interaction. It might seem odd and use your best judgement here but bringing a bit of authenticity will work well and help you generate contacts in line with how you want to grow your career.

Interviews

If you’re at the interview stage, let me start by saying a heartfelt CONGRATULATIONS! That’s exciting, even if it doesn’t pan out, know that it was good practice and an opportunity to see what else is out there, rather than yet another rejection. If you’re reading this post rejection, well then, I’m sorry it didn’t pan out, but I have a feeling you’ll find your success here soon enough.

The interview can be a challenging time for new candidates, here’s some ways the interview process tends to pan out:

Culture fit interview. Typically, with a recruiter to determine if you should be put forward to the next steps. They’ll want to know a bit more about your background at a high level, things you like to spend your time on, and career aspirations.

Tech interview. There may be a few of these, be ready for them and listen to the questions intently. Some interviewers (myself included) may ask questions that are obscure in nature or otherwise a bit esoteric on purpose. I used to use this as a teaching opportunity to see how a candidate handles some ad-hoc teaching in the workplace. Being coachable inside a role no matter the level is always an asset, so if you don’t know the answer it’s OK, say you don’t know or you’re not sure and see if they can teach you the answer.

Management interview. Depending on the job role there may be a round with higher level managers. These are designed more to gather information about your work habits, discuss the role in some meaningful fashion, or any strategy associated. This may not always be a phase in interviews, don’t be discouraged if you don’t speak to a division manager or junior executive vice president.

The old’ Uno Reverse Card

As much as they’re interviewing you, you’re also interviewing them. Ask questions about the day in the life of the role, what success looks like in that role, training budget/allocation, PTO, or any other burning questions you want answered. Remember when I mentioned to do your homework? This is a good way to get answers to the questions you came up with during that phase. Interviewers worth their salt will always ask you if you have any questions for them, the answer to this from you must always be YES! One question I like to ask is “what do you like about working here?” It seems like a pointed question that would elicit the usual “we work hard, we play hard because we’re one big family” (and it does in a lot of places), but in a few cases it brought out what they liked and some of what they didn’t like about working there. I found that candor was helpful and made the decision a lot easier to pursue the interview process further.