When I started looking for infosec jobs coming out of the military, I was very naïve about what I was looking for. To this day, I read the fine details of what the job entails and I will talk about it in this article. Now, if a person just wants a job to get their foot in the door and, maybe, a security clearance, then they might take any job there is. However, always keep in mind, you could hate your life and you might want something you can at least tolerate, if not enjoy. Therefore, a person needs to be aware of what they may be getting into before signing their contract of employment only to realize 2-3 weeks later, “This isn’t what I expected this job would be.” In this article, I will share with you what to really look for, how to go about clarifying what the job description is versus what you may actually do (including networking with people to find out), and how to go about applying for the position along with some tidbits on how the resume should look.
Looking on Indeed.com, simplyhired.com, etc.
If you start looking on Indeed.com like I did, you will enter “penetration tester” or “cyber analyst” or something else matching a job title. Keep in mind, in this world of infosec and “cyber”, many employers have a different definition of the job title and description. This includes other terms like “information security” and “information assurance”, so just be aware. The reason I bring this up is that one company advertising for a cyber analyst may make the job sound like the person will be doing risk assessments (e.g. Risk Management Framework), which comes down to “check boxes” applied to a system. Another company may advertise for a cyber analyst and have you working with Wireshark and other tools. So, like I said, it’s not the same across the board.
Now, you think you found your match, now what?
So, now you’re excited! You’ve found what you want (you think). OK, now, you want to ensure this job is what you think it is. For example, I once ran across an advertisement stating, “Knowledge of Kali Linux. Knowledge of attack techniques, tactics, and procedures. Knowledge of…” I was very interested in this position. However, coming from the military, I knew the job location, and I asked myself, “I know what they do there. Why would they want to know this stuff?” I wanted some hands-on work and thought this could be it. Now, I never investigated the job or put my resume forward. Why? The more I read the job description, the more I started asking myself, “What do they mean by ‘knowledge of?’” Then, it dawned on me: No, this is probably not keyboard work. I will probably be in discussions on the terms mentioned in the job description (e.g. Kali Linux and the tools provided in the operating system). Now, had I read, “Hands-on experience with Kali Linux with experience with tools like nmap, Burp Suite, and others”, I would have considered applying.
Do you apply now?
Notice I stated I would consider applying; not yet. I want to know more about the job. Maybe I know someone who works there. Next stop, LinkedIn. I would start looking through my contacts to see if I know someone (knowing them personally is better). Then, I start asking questions about the job. See if my contact likes it there and what the compensation and benefits are like. My thinking is this: I may have found a dream job, but in a horrid company. Let me explain:
I have come across people when I was considering a job who said, “No, don’t apply here. I’m getting ready to leave for another job. The leadership is terrible and the compensation is worse. If you need time off for family or appointments, good luck.” I emphasize networking with anyone I talk to in this field. When you are connected to people and they know your attitude and work ethic (assuming great for both!) and they like you, they could refer you for a potential bonus on their part (win-win). Oh, and if you have no connections, try to make one; all the person can do is not connect and you try another one.
Now, apply to the position.
So, if you have a connection who is willing to refer you, GREAT! Keep in mind, this means they may think you’re an awesome individual, so you need to be prepared for anything coming your way if you are picked up. The last thing you want is to make a bad impression if you get the interview and make your connection look bad.
If you don’t get a connection, you can wait until you find one or apply “cold” and hope for the best. I have applied cold to several jobs and had phone calls, but I find it better to network with someone within a company.
When you apply with your resume, it should be no more than 2 pages in length (there are some exceptions such as being a PhD with many publications to your name). Keep in mind, the employer will read about 1/3 of the resume before they decide to continue. The resume needs to contain keywords from the job description to get through the “auto-check” computer filtering for those keywords. Also remember, if there is more than one position you decide to apply for, you will want a separate resume for each position with keywords included and your experience should show the experience you have related to the position. Now, let’s say Jill only has Nessus experience on her home network and thinks, “I know what I’m doing. I taught myself and took a class. However, they want experience on an operational network.” I would tell Jill to write down this experience in her resume under a title such as, “Enthusiast”. There may be a good chance the employer will see this on Jill’s resume and, out of all applicants, she is the only one with Nessus experience and it’s key for the position. Always remember, some of the best security people are self-taught and have the initiative to learn.
Tidbits on the resume.
For this part, I will only tell you what I know and what works. People in another field outside of security will likely tell you different. So, read this and listen to people in the infosec field.
Place your name, address, email, etc. at the top of the resume, along with your security clearance and a few sentences summarizing your qualifications based on the position. Place all of the job-required certifications you possess next (YES, after your summary), and then your education (degrees and colleges). People outside the field will tell you certifications go at the bottom; maybe in other fields, sure, but not in security. If they want to know your certifications, they want to know up front. After you have this all listed, you can begin listing all of your real-world and/or “enthusiast” experience. In the experience section, I would also use the situation; action; result layout. For example, “Troubleshot client’s networking issue; isolated a defective switch; repaired in 4 hours vs. 8 hours” versus “Helped client with network issue until resolved”. The reason I am stating this is that the first one provides more information on the resolution and the time required to arrive at the resolution. In the second one, I am telling you something basic and providing no description of the quality or quantity of work performed. Additionally, if the job requires one or more certifications and you have scheduled a certification exam, add the title of the certification along with your scheduled test date (e.g. Certified Information Systems Security Professional (CISSP) Test date: 24 Dec 2020). This can entice an employer to hold onto your resume until the test date and, if you pass, you may be the one called for the job!
In conclusion, I discussed what to really look for in the job description, how to go about clarifying what the job description is versus what you may actually do (including networking with people to find out), and how to go about applying for the position. I also provided some tidbits on how the resume should look. So, now you know, in this infosec world there are many jobs out there and many you may think are right for you. However, doing some research could land you a very fun and well-paying infosec position!