Two High Probability Paths To Your First Cyber Security Job
Information security has become one of the most highly desired career fields. With millions of cyber security jobs unfilled, the most common question that I see posted all over social media has to be around how people can successfully enter the field without experience.

Breaking into the field can be difficult or at least appear to be so. This seems to leave candidates without experience scratching their heads and wondering what might be a high probability path to that first information security job.
You might think that your certification or a degree will earn you a cyber security role. Certs may or may not be important to employers.
My opinion as a CISO and hiring manager for dozens of infosec roles is that certifications are probably less valuable than you might think. I’ve sometimes selected new transfers to the infosec field over experienced candidates. I have a 4 year work-study intern that I would have hired immediately into a full time role when I first interviewed him before his high school graduation. This may surprise you but not because of salary reasons.
Great candidates share common traits regardless of their level of direct work experience. Many of these traits are not taught in school and are difficult to coach. I’ll consider the following indicators of a great candidate long before I consider certifications, school attended, or any other factor:
- Great candidates demonstrate their ability to think critically about issues and define issues in a useful way before they begin to look for solutions
- Great candidates demonstrate that they are self-motivated and have a strong desire to learn new things as well as show that they can apply sound and diverse judgment gained from a wide range of previous experiences, even if from outside of information security
- Great candidates focus more on developing and sharing strongly held infosec opinions in a non-toxic way that can change with new facts and experiences and put team success over their own individual egos
Depending on the potential employer, the above points might actually be enough to close the deal. But, actual experience on your resume might still be a decision factor. Even a small bit of experience can also help ensure that you are a competitive candidate as well as help determine your starting pay in your first role, once selected.
So, how can an aspiring infosec professional get that experience without real job experience?
Here are two possible paths which can provide real experience as well as really set your application apart from other entry level candidates:
- Info security internships.
- Volunteer work with a non-profit.
Info Security Internships
Think of a cyber security internship as both an extended job interview and your chance to really get to know an organization and their cyber team before committing to a job. They also provide a means to put you into situations that you can use in later job interviews to demonstrate your ability to think critically, show your drive/self-motivation, and be a team player. Most infosec interns also have the chance to hone their technical skills with real enterprise tools or explore less technical infosec roles and understand how those disciplines fit within the larger security program.
All this great experience can occur within the context of an infosec role. Of course, the amount of value you’ll gain from a cyber intern role is determined by your drive and self-motivation to learn the details that you’ll need for later interviews.
I can’t speak to every organization, but within my team at an insurance company in the midwest, cyber security interns are paid positions. This may not be true everywhere, but it shouldn’t matter. The goal is to break into the field, right?
Look for an organization that takes their intern program seriously. There should be a clear position description and the opportunity to perform meaningful work. You shouldn’t just be doing “intern stuff.” As an intern candidate, you should also look for solid evidence that the organization hires some of their former cyber security interns.
My team started building a robust cyber security internship program in the spring of 2018 with the first interns hired over that same summer. We know that application security and cloud security positions are the lowest density skill sets (read, “hardest to find”) so we decided to grow our own.
We also find that we have to change the mindset of our cyber security internship candidates. Most initially believe that there are only two possible roles on cyber security teams — SOC analysts and red teamers. My team of 23 full time cyber security employees doesn’t have either of these roles. We contract out our 24x7 monitoring and our penetration tests. There is a big world of many other cyber roles: endpoint security, cloud security, app security, data security, security operations, cyber risk, etc. At least half of our current internships are focused on growing smart college sophomores and juniors over the course of two internships into either application security or cloud security professionals. In 2021, we’ll turn our internship focus to cyber risk.
Since that first summer two years ago, we’ve had 6 cyber interns in total comprised of 4 summer interns as well as one intern each for spring 2019 and fall 2019. Of those six, we’ve extended job offers to two of those former interns. A third has a formal job offer already extended to them to join us upon their May 2020 graduation.
That’s not just a win-win for everyone but also a clear high probability path into the cyber security field.
Work hard and learn everything that you can. If the organization doesn’t pick you up as a full time employee, some other organization likely will. One of my team’s best hires came directly from an internship at another company that had no open full time headcount. Their loss. Our win.
Internships are not the only path, particularly if you’ve chosen to not attend college.
Non-Profit Organizations
Non-profit organizations everywhere have cyber security requirements. They also generally do not have the resources to pay market rates for full time cyber professionals. They may not have funds to pay at all. You could choose to volunteer your time helping them out with their cyber security issues.
There are few ways that are more fulfilling than to help a non-profit with a mission that stokes your passion. You’ll gain valuable experience and references that you can bring to future job interviews.
Chances are you’ll also learn the most valuable skills at a non-profit that a cyber practitioner can have — engaging with others in a way that builds a security culture and learning how to find real solutions when resources are scarce. Both are traits that have value for the future hiring managers that will be interviewing you.
Who knows. You might also decide to stay at the non-profit. Again, a win-win for everyone.
So, yes, breaking into the cyber security field can be challenging. I’ve only laid out two of N paths. The choices and options to get that first cyber security role are only limited by your imagination.
You can do this.
For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1
You can also find more of my previous content at the “CISO & Cyber Leaders” publication on Medium: https://medium.com/ciso-cyber-leaders