This is a five-part series about getting and keeping job in the information security industry. There is no one way to get and keep a job in the information security industry. This is a good thing! The series doesn’t contain THE advice, it just contains advice. Big difference. Some of this information is also found in the Unsecurity book, chapter 10.
The series consists of the following articles:
This is the third installment in the aforementioned series; Landing Your First Job.
Landing Your First Job – Introduction
I have to admit, it’s been a very long time since I landed my first information security job, and it’s been more than 10 years since I’ve hunted for any job at all. This means that my advice will come from somebody who hires more than it will as someone who’s looking for a job. I think the advice is still valid, but you can judge for yourself.
My first information security job came in the early 1990s. I had the pleasure of cleaning boot sector viruses off thousands of Windows 3.0 and 3.1 computers. Back then, information security wasn’t really a thing like it is today. Even though there are more information security jobs today then there were then, I think it’s harder to get jobs now for some reason. Probably unrealistic expectations. Anyway, it’s not easy for most people to land their first information security job.
In this article I’ll give you some tips that I hope will help you get your first information security job.
Getting a job is like finding a girlfriend or boyfriend on a matchmaking site. People post a profile of themselves and all the things they’re looking for in a mate. Then there’s other people who also post a profile, but they’re more active in looking for a date. These people browse profiles, sometimes for hours, looking for the right person to contact. In our analogy, the first person is the company or recruiter, and the second person is the one looking for a job.
The first objective is to get a date with someone. The ultimate objective is to go steady, or enter into a committed relationship. Dates are interviews and going steady is landing the job.
A match isn’t likely to happen if either party has unrealistic expectations. Not all jobs are like an exceptionally attractive European noble with billions of dollars and a love for puppies. You might want a unicorn job, and the hiring organization might want a unicorn to work for them, but these things are extremely rare for someone who’s new to this industry. Keep your expectations in check.
The matchmaking analogy applies best to using job sites like Google, Indeed, Monster and others. As we’ll see, this is only one way you can go about finding a date, and it might not be the best.
Getting a Date
When you’re trying to get a date, you don’t want a date with just anyone do you? Hopefully not. We want to find the right person, the right job. Hopefully, you’ve done some research and prepared yourself for the job market as we outlined in our previous article. If you did the research, you’ve probably found some good job sites .
Where to find dates
There are many ways and places to land a date, and there are many places you can go to try to find an interview. Depending upon your specific circumstances and your specific preferences, choose the right path or paths for you. Here are ways people find us at FRSecure and where we might find you too:
Internships aren’t for everyone because they don’t usually pay well, if at all. Internships come in all forms. Some are paid, some are not, some require experience, some do not. Paid internships can be a challenge to find, but they’re out there. Unpaid internships are a little easier to find. A simple Google search for “where to find information security internships” will produce many leads for you; however, the best way to find an internship is through someone you know. Ask around.
‘Most large organizations with security teams and information security companies offer internships. Contact them directly and inquire. This will give you more control and might land you an opportunity with a company you like more.
Using a job site is fast and easy. It should be included in your strategy, but I caution against using job sites as your sole source for dates/interviews. These are some of the job sites you might want to check out:
- Google – Google integrated with ZipRecruiter in 2017 and produces pretty good results. Just type a job title and the word “jobs” into Google search.
- LinkedIn Jobs – There are plenty of jobs and some good job seeking advice on LinkedIn. You will probably want to use LinkedIn for yourself anyway as you build your career, it’s a well known and heavily used networking tool.
- Indeed – A clean, quality job site.
- Monster – A job site that has been around for a long time (1994). It’s still a quality site, even though it’s not as dominant as it used to be.
- ZipRecruiter – A very popular job site, and probably one of the fastest growing.
- CareerBuilding – A popular job site, but not one of my favorites. I have no objective reason for this site not being one of my favorites though, it just isn’t.
These are the major job sites that I know of. Whatever site(s) you use, be sure to document what jobs you’ve applied to and keep track of any/all responses. It probably doesn’t reflect very well if you apply to the same job multiple times through multiple sites.
Networking is difficult for some people because they don’t feel confident or comfortable in groups or crowds. I get it. I’m one of those people. Go to local information security events, meetups, chapter meetings, etc. to meet new people. You can network with anybody, and they don’t have to be security people. If you get good at networking, you’ll find that most people know a security person that they can put you in touch with. Getting referrals or door openers is a differentiator that could work in your favor.
Mentors are great for many things, helping you land a job is just one of those things. Mentors will help you prep for interviews and offer wisdom throughout your career too. Everyone should have a mentor, no matter where you’re at in your career. My mentor and I met in 1995. He was my boss when I worked for Jasc Software (known for Paint Shop Pro). We’ve both moved on in our careers, but we still have a standing coffee meeting every Friday, and his support has been instrumental in my success.
Finding a mentor isn’t easy. You’ll have to take a risk and ask someone, and they might say no. A mentor could be a teacher you had in school, a boss you admire (like my mentor), a friend you respect, a family member, someone from church, or anyone in between. I suggest that you write down the names of five to ten people you respect and admire, then go ask them if they’d be willing to be your mentor. If you strike out, do some online searches for mentorship programs. They come and go all the time.
Once you feel you’re ready, be sure to return the favor by becoming a mentor for someone else.
Local Community Events
There are groups of information security people meeting all over the place, all the time. Chances are very good that there are information security groups meeting regularly in your area. These are great places to meet and learn from other information security professionals. Building relationships with others will create a wonderful support group for yourself and open doors to all sorts of opportunities, including jobs.
Where I live, in Minneapolis, there are more than fifteen information security-related groups that meet regularly. This means that I could conceivably attend fifteen or more events every month, and meet hundreds of other security professionals. Pure gold!
A simple search on meetup.com, will probably produce some good leads for you. The Information Systems Security Association (ISSA) has local chapters all over the world, and they welcome new visitors. Other organizations that have local chapters all over the United States (and maybe the world) include the Information Systems Audit and Control Association (ISACA), InfraGard, and the International Information Systems Security Certification Consortium (ISC2). Check them out, it’s worth it.
Prep for Dating
Alright, hopefully you’ve got some good leads now. You have a solid resume, right? If you don’t, get one.
Need help? Start with a sample resume. You can ask for one from a friend or see if you like one of these free online samples:
- Sample resume for an information security specialist
- Information Technology (IT) Sample Resume
- Information Security Analyst Job Cover Letter and Resume
- Cyber and Information Security Resume Example and Tips – ZipJob
- Cyber Security Specialist CV Template
Now you need to plug your information into the sample/template resume. If you don’t have any experience, you might not have much to put down. Don’t let that discourage you. There are companies who put a high price on intangibles. Take where I work for example, we always hire for the intangibles first. Intangibles are the things that align with our core values, which were covered previously in Part 2.
Think we’re the only company who does this? Think again. Just last week (2/21/19) I had the honor of moderating a panel of amazing female security experts for an AnitaB.org event at the University of Minnesota. AnitaB.org is a great organization supporting women in technology. One of the questions for the panel was “What skill sets would you look for in your team?” Each of the panelists gave their answer, but none of the answers had anything to do with technology skills. All the answers were about the intangibles! Good validation for what we already knew.
Fill your resume with information about you, focusing on how you will help your employer. Include your community work (if you have any) and be sure to list these groups you’ve been attending (see above). I used to customize my resume for each job that I applied for. This would ensure that my tangible and intangible skills would align perfectly with what they were looking for
Additional tips for writing a good resume can be found online:
- How to Create an Awesome Cybersecurity Resume
- Writing a Cybersecurity Resume: The Do’s and Don’ts You Need to Know
- Information security resume do’s and don’ts
Above all, be sure that the resume is true to who you are. We want a company to like you for you.
Your Best Face
Alright, you got a date?!
You want to be you, but you also want to be a good fit for the culture of the organization. If you haven’t already, now’s the time to do some research. Find out everything you can about the organization and about their culture. Find out how they dress, because you don’t want to overdress or underdress for the interview. Find out what they believe in, because you’ll want to validate and compliment their mission. Find out about their successes, because you’ll want to acknowledge them and verbalize your commitment to helping them get more similar successes.
Put the address for the interview into a mapping application days before your interview. Figure out your route and how long it will take you to get there. If you don’t feel comfortable with the drive, make the drive yourself a day or two before your interview.
Get to the interview at least 15 minutes early.
Eat something reasonable before you go to the interview. Pee before you get there.
The best advice I can give you in preparing for an interview is to be you. Don’t try to BS or be somebody you’re not. The person your interviewing with will probably see through your ruse, and if they don’t, you can’t feel good about starting your relationship being somebody you’re not.
Making a Commitment
You had an interview or two, or twenty. Now you get an actual job offer! Somebody wants to go steady. Yay you! Now you need to make a choice, do you take it or not? This is gut check time. My suggestion is to not take any job that you can’t commit to for at least two years, and ideally five years. Ask yourself if you could see yourself with this organization for two years or more. If the answer is no, I would say no to the offer. This takes a certain amount of discipline, and your circumstances may not permit any choosiness. Most people would take the offer anyway
The reason why I suggest staying with an organization for two years or more is because it validates your intangibles. It shows that you take commitment seriously, you are loyal, and you understand that you can’t rush experience.
You may decide to negotiate your offer, but if you’re new to the industry, you probably don’t have much to negotiate with. I’d advise against much, if any negotiation.
CONGRATS on the offer and the new job (hopefully)!
Getting your first job in this industry isn’t as easy as some people think. You need to work at it and you need to be creative. Make friends, make connections, and earn a good reputation. Take a pragmatic and formal approach to the process, after all, you are working for you!
Now that you landed your first information security job, how are you going to become a good (and ever-improving) information security expert?
BONUS: What is an “expert” anyway? This was a question that Brad Nigh (co-host of the UNSECURITY Podcast) asked me today during our recording of episode 16 (available 2/25). Comment below. No Googling or official definitions allowed. 😉