“You have brains in your head. You have feet in your shoes. You can steer yourself any direction you choose.” - Dr Seuss
We were asked by @_ShaunM to produce an article on this subject. This is a reader's request, so I wanted to share some of the more successful methods that I have seen others leverage when marketing themselves as infosec professionals. This is by no means a definitive guide; if you feel that I missed anything out or got something wrong, then please let me know and I will amend my article and credit you.
Welcome to the infosec space! You brought your skills and you brought your experience, but in a competitive job market it's rarely enough to land that dream job, and the chances are that you need to <horror> start marketing yourself </horror>.
Yes, you have to market yourself, otherwise you will stand no chance of differentiating yourself from the hordes of infosec researchers who are trying to score the exact same job that you are. The infosec space dislikes marketing in general, but this doesn't apply to infosec researchers marketing themselves in the right way.
Nobody forgives a clueless cyber marketer foisting their spam on us, but everyone likes a security researcher who is trying to break through the noise, if only because we dislike those saying the same thing and we love those who differentiate.
“You’re off to great places. Today is your day. Your mountain is waiting. So get on your way.” - Dr Seuss
Differentiation does not necessarily mean that you have to be contrarian in nature, you can differentiate yourself by having an authentic voice, by adding value to social conversations and by having a memorable personal brand. Don't freak out at the idea of poking your head above the infosec parapets and putting yourself out there, it is the only way to let your prospective employers and peers know that you exist.
Think About Two Personal Brands
It goes without saying that if you want to get hired, you need a credible personal brand, one that doesn't demonstrate your inner demons to anyone stumbling upon it. But what does it mean to have a personal brand and how can you build one?
Well, for a start you need to choose. Do you want to operate under your own name, or operate beneath a handle? Do you want to be yourself on Twitter, or do you want to wear a mask? Have you a black hat history that you want to hide? Were you previously involved with hacking crews and now want to distance yourself? Is there any reason why others would attack you? Do criminals keep an eye out for you?
If the answer is yes then nurture two public brands, your anonymous infosec one and a public facing brand that uses your real name. It's a great idea to have a clean personal brand that prospective employers can look at and a second anonymous brand that you can use for interacting with the community, telling dirty jokes, engaging with black hats, or just being yourself without upsetting anyone.
“Today I shall behave, as if this is the day I will be remembered.” - Dr Seuss
The real you in all of your glory may not be palatable to prospective employers, and you never know what other people are going to be offended by these days. It's a highly competitive "I'm offended" market out there and your old black hat enemies may try to exact vengeance when they notice you winning one day. It is always better to be safe than sorry when it comes to your professional career and life.
The infosec space is a strange jungle in that it contains spiteful people who may try to poison your professional and personal relationships if you say something that they dislike. It can be a safer space if these troubled souls do not really know who you are. The real goal is to present a vanilla presence to prospective employers, one that will reassure them, rather than trouble them because of the network you keep.
Your vanilla profile should use your real name and a real picture, it should also never interact with your anon profile. Your anon profile should have a sweet hacker handle and an avatar that never changes, the infosec community loves a never changing social presence so we know who you are over the long term. Clever people will know who you are anyway, it is the bitter, spiteful souls you are trying to avoid.
Once you have decided what to call yourself on two fronts, you then have to build your presence across social. The key networks are Twitter and LinkedIn; you will need a real <horror> LinkedIn profile </horror> so that recruiters and employers can look at your real history. Whereas on Twitter you should have two profiles, on LinkedIn you just need one and it needs to reflect the real you, your experience, education and credentials. Curate your LinkedIn profile and network over the long term with care. It's important if you want to work in the real world: it's your resume.
“Kid, you’ll move mountains.” - Dr Seuss
Because some employers like to check all of your social media profiles, depending on what kind of work you are in, it is sometimes best to create and curate a vanilla Facebook profile too, for the express purpose of showing others. The whole idea is to create a palatable, yet real profile of you for others who will look into you before hiring you. They rarely look more than a few inches deep and they are mostly checking that you will not shame them by disgracing yourself in public.
Recruiters and HR people make quick decisions when considering who to recommend to their clients/employers and they prefer to recommend the obviously well adjusted and vanilla version of you, rather than that half mad, gif sharing, all day swearing, competitive hacker version of you (depending on the job you want).
By all means use your hacker handle to argue with the rest of the community, but your public facing profile should reflect the fact that you add value to the infosec social space in a way that your peers do not view poorly.
Never fall into the habit of social posturing. Nobody really likes people who do that except others like them, and it is the quickest way to expose yourself to abuse. People who posture experience increased interwebs hate and bring it upon themselves.
Leave posturing to the attention seeking and avoid these people like the plague, understand that real infosec practitioners are hardly ever on social media.
Who would you hire? The person who is obviously a professional in the way they engage with the community socially, or the person who likes to posture and signal for the kind of people who are impressed by that sort of thing?
Employers like people who can articulate themselves in a professional way, ideally one that demonstrates their understanding of the jobs they are applying for. Nobody is saying that you have to become a one person publishing house, if you can manage to publish an article a month you are doing well. At the very least you should be publishing once a quarter in order to demonstrate your enthusiasm for your work.
“It is better to know how to learn than to know.” - Dr Seuss
It really does not matter where you publish as long as you do, but I will take this opportunity to mention that Secjuice loves emerging writers and invite you to come and write with us. We can help you polish your writing, establish yourself as a writer and we will promote you and your work widely across social media.
If, however, you are a total powerhouse of knowledge, have enthusiasm for writing and deep experience, then start your own blog, the Ghost platform is best for that.
Who would you hire? The person who has never written anything, or the person who enthusiastically writes about their work, their experiences, their passions and what they have learned anywhere and everywhere that will publish them?
Talk At Conferences
If you want to be an Infosec Celebrity™ then appearing at conferences and speaking at them is the route you want to take. "You have to get on the conference circuit" everyone who is on the circuit will tell you, because standing on stage a couple of times a year is a surefire way to become known by others.
“Why fit in when you were born to stand out?” - Dr Seuss
Infosec professionals who have something of interest to say usually say it through a webcast, twitch stream or podcast instead of saving up their thinking for an annual conference audience. But if you are in love with the idea of yourself rather than others, then getting up on stage, winning the approval of the other Infosec Celebrities™ and validating this star struck approach is the right way to go.
Who would you hire? The person who appears on a CON stage every once in a while, or the person who diligently puts out insightful webcasts, videos, twitch streams and podcasts that are widely accessible for anyone to watch/listen to?
Say The Right Things
If you say the right things on social media, then others who also say the right things will like, share and boost your signal. If you say the wrong things, the people who like to say the right things will <horror> block you </horror>. Unless you are saying the right wrong things, in which case you will become known as a contrarian, one who is either feared, loved, respected or loathed, sometimes all at the same time.
The only people in infosec who like contrarians are those who are bored with mindless third party opinion repeaters. Also remember that Infosec Celebrities™ are usually scared to associate with contrarians, because they never know what they are going to say next and it may reflect badly on their own positioning.
“Be who you are and say what you feel because those who mind don’t matter and those who matter don’t mind.” - Dr Seuss
Part of the infosec space is obsessed with saying the right things and if you really want to market yourself, then you have to say those things. It doesn't really matter what those right things are, you will know what the right things are because you will see the right people saying them. If you have the right mindset, all you need to do is start parroting them and before you know it they will like you too. #magic
Who would you hire? A person who is in tune with the fashions of the day and who faithfully regurgitates them on social media, or the person who very clearly has a mind of their own and the ability to think critically about ideas and concepts?
Maintain A Git Repo
This goes without saying: if you are applying for technical jobs then you need to demonstrate that you have the technical chops, and the quickest way to do this is to build technical things and push them out onto your git repo. Not only does this let the technically minded quickly work out how technical you are, it also separates the wheat from the chaff in a way that writing an article or con talk never could.
Nobody is saying that you have to set the world on fire with innovation, most technical employers will settle for clean, honest code that solves a simple problem.
If you are not code minded you can safely ignore this advice.
Actually Help Other People
'Helping people' on Twitter is always in fashion because it's such an easy way to help others, but if you really want to help you need to get your hands dirty.
The best way to get a good reputation when getting your name out there is to actually help people in a sustained and non-public way. Over the long term this is what you will be remembered for and while it may not earn you as much social fame, you will make real friends and maybe even find real happiness in the process.
A bunch of likes on your 'helping tweet' may get your dopamine flowing, but that's all it will do. Try not to make everything about you when marketing yourself as an infosec professional and start helping others in a meaningful way.
“Unless someone like you cares a whole awful lot. Nothing is going to get better. It’s not.” - Dr Seuss
There are LOTS of ways to really help others in our space. You can help them hack a CTF challenge and explain where their approach is wrong, you can help them edit and prepare their articles, you can help people by introducing them to other people they need to meet in order to grow, you can help them by speaking to them instead of just messaging them, or by sending them a few dollars when times are tough.
Better yet, spend some time mentoring somebody. No matter how novice you are, there is always someone who wants to understand what you do. If you are in infosec for the long term, the strength of these relationships will do your marketing for you.
The Law Of Three
The Law Of Three is a key discipline for marketing yourself, not because it has anything to do with marketing, but because it has everything to do with you and how you engage with the infosec space. If you really want to market yourself, consider the Law Of Three as an effective framework to market yourself through.
1) Always have a mentor - You will always need somebody else you can learn from and who can help you open up those doors in your thinking. Constantly seek out infosec mentors who can help you grow as a person and a professional.
2) Always keep equals alongside you - The company of equal minded peers is important, if you find that you are the smartest person in the room get out of there and find a space where there are infosec people on your level or slightly above it.
3) Always mentor another - There are no free rides in the infosec space, if you expect the Law Of Three to work its magic, then you have to give back to others and mentor those individuals who hunger to grow personally and professionally.
If you deviate from any of these three laws for too long, then you will have a much harder job of marketing yourself as a professional in the infosec space. If you can more or less stay on top of these three laws in infosec, you will lay the foundation of your future relationships and in the end they will do most of your marketing for you.
TL;DR - Disregard everything I said before the last four paragraphs and listen to Dr Seuss: “Always remember you are braver than you believe, stronger than you seem, smarter than you think and twice as beautiful as you’ve ever imagined.”