People are always asking me how they can get a job in cybersecurity and what I tell them is this. Nobody can guarantee you a job and stay away from people selling certifications and courses who promise you a job afterward. The reality is that you need to prepare yourself for a job in cybersecurity, given some time and some effort from you, I am going to try and guide you to success when applying for infosec jobs and hopefully help you stand out to employers.
Working in the industry might be your goal or it could be a path to somewhere else, we all have to start somewhere and the honest truth is that we all start at the bottom and work our way up because in this industry experience is key. One wrong move and you are out, in this industry, you can only fake it so far until you have to put the work in, so in this article, I will try to help you prepare yourself and build confidence when applying and interviewing for an infosec or cybersecurity job.
Social Media, Cover Letters & Presentation
If you aren't already, get on social media and build an online presence, I would recommend LinkedIn if you are actively looking for work. LinkedIn is a great place to start and can cover everything your CV doesn't just make sure to post things that are relevant to your field and let LinkedIn know that you are actively looking for work within the cybersecurity industry. If you don't ask, you don't get.
Create a nice CV and cover letter, there are lots of websites which can help you with this and if you ask on Twitter, somebody can usually help you with this. Only detail relevant information in your CV, you don't want any more than two pages as employers usually only read the first page before they make up their mind, so make your self stand out. Google elevator pitches and learn to sell your self in under 20-30 seconds, work on your elevator pitch and write that as your profile or introduction to who you are and what you're about. Do not be afraid to be creative and remember that you have to stand out from the thousands of others who are applying as well.
When applying for a job, always write a cover letter. Research the company and do some homework and put some of that information into the cover letter, most companies love to hear how great they are. Try to build in some personality and charm when writing that cover letter, don't be boring but be professional.
Think about starting a 'Portfolio Project' and creating your own website which shows the skills you have, the projects you worked on, the research you have done and what you are working on right now. Write some white-papers and reports that you can put on the website, write some blogs or guides on how to use a particular tool, or if you can code, build your own website, host it on a raspberry pi and then perform a pen test on your own site, then tell others about it on your website in an article!
When going for interviews always dress your best, wear a shirt and tie with a jacket because first impressions are important regardless of the role. Remember what you wrote in your cover letter is what got you the interview, stay calm, confident and relaxed, be professional, smile a lot and if you are a decent person be yourself.
Practice beforehand with mock interview questions about your self and technical questions about your experience, do not try to make something up if you don't know the question, a good response would be 'I am not sure but I can definitely find that out for you', but it will only work on a couple of questions so don't use that all the time. Make good eye contact and have a firm handshake, be courteous and respectful, try to understand what interviewers are trying to ask you and read between the lines, they do not always ask you straight questions. If you find that you know the answer that's great don't just give them one-word answers. Don't forget to ask them questions, if you don't have any think of some and be sure to ask them.
The Elephant In The Room
Most jobs out there will want at least want 2-5 years experience in IT for a basic entry role, if you are new to IT and you can't afford or get an internship/apprenticeship how can you gain experience? There are a number of ways, start by doing bug bounties, most hunters are self-employed and working on a bug bounty platform, that's how you work, get paid and gain experience. If you don't want to do bug bounties then join HackTheBox and start rooting boxes, earning your reputation and gaining experience, you can do these in your free time with no money.
Starting from the bottom, if you are new in IT then you have no choice but to work the support desks to get some experience, working your way up to sysadmin or networking then on to security networking or Devs to DevOps or DevSecOps. There are so many paths to security and you just need to have your foot in the door.
Who You Know
Start getting to know the people that are in the right places. You are in the security industry so let's start using some of that OSINT, have a look on LinkedIn see who's posting the job for a company you want to work for, maybe get to know them (I don't mean by trolling or some stalkerish behavior) ask them questions about the job or strike some conversation with them. Attend infosec meetups and con's, ask vendors about jobs in conversations with them and maybe buy them a drink, so when it's time to apply for that job they will remember you and sparks a great impression already. If you work for a big company see who is hiring and get to know them, when promotion time comes along you will already have an advantage.
When you eventually get that job offer try and negotiate your pay, I know this is hard to do at times but don't sell your self short, if you are not happy with the current salary value then don't be afraid to ask for a salary that you would be happy. But of course, you must not oversell yourself and ask something that is not realistic, like asking for 150k for a junior role. Be realistic, don't undersell or oversell yourself, you want to be professional and to be fair. We force ourselves to wake up in the morning, force-feed ourselves breakfast at early hours because we want to go to work for money, it's not ALL about the money but we need to survive and unfortunately, money is what makes the world go round. We don't get into cybersecurity of money though, we get into it because this is what we enjoy doing, this is what motivates us, we have a passion inside ourselves to make the world a safer place, we stay up at night doing research and work hard to secure the companies we work for.
This is why we push ourselves to become better at what we do, and I see this by attending events and cons and watching the community help each other, watching videos on youtube, twitter, blogs..etc, the community is growing and you should be proud of being apart of that community. Even with mental health issues these days I see so much support in our community, yes there are always some infosec dramas but all communities have drama, you should see the programming community.
Ok, I sidetracked a little bit, back to the negotiation...everyone is entitled to negotiate if it is money, holidays, or company benefits, don't be afraid to ask and if they are shocked in you asking them, then think about if they are the right company for you.
You want to work for a company that can push you to your full potential, a company that looks after your interests and looks out for your personal development and this is important, especially if you are starting out. Ask the company if they do in house training and if they push there employees to do courses and certifications, this will benefit you in the long run, and if they do then try to stay as long as you can at that company, learn as much as you can while your gaining experience. If you are already in a company but maybe doing IT support or network engineer, then ask around to see if they do a personal development program, don't be afraid to ask about it and push yourself to show them that you're interested. Your employer or your management team aren't going to know that you want to head in that direction unless you show it and they want you to get up and do things for yourself, like doing extra courses and certificates focused on different parts of the business.
I hope this helps in getting a job in infosec, remember that this is a long road and it takes time to prepare yourself for that journey, you will get knocked down many times but its how you get back up that counts. Your CVs will be rejected, you will be rejected at interviews, but you gain experience just writing your CV again or talking in interviews. We have all been there, sent off 100 CVs and got back one response, this is how it goes so don't be disheartened and try changing your CV if you do not get the response you want, vary it and your approach until something works for you.
I am on twitter if you want any advice, I'm always here to help out!