This week I start my first job in cybersecurity. It's been an interesting ride making the leap (or more like head-first, limbs-flailing crash) into a totally new field mid-career. I'm pushing 40, so that kind of rigorous activity is tough on these old bones (well, "old" by industry standards). The process began almost a year ago, and has involved lots of reading (so. much. reading.), fiddling with lots of open source software, and earning a couple of certifications.
But rather than detail the steps I took (actually, am still taking) to learn a new field, I'm going to outline what I've learned about the infosec industry and, more broadly, the job-search process. Hopefully by sharing this info, I can help shorten someone else's learning curve, and help them land their first job.
1. College degrees matter ... to some
Early on in the job search process, freshly-certified-but-still-knowing-very-little me had an interview with a local company at which I have a number of connections. I met all the minimum requirements listed in the position description, the work sounded like something I'd be good at, and I sorta knew the hiring manager. The interview went great and flowed like a conversation between friends. A few days later I was told that when the hiring manager submitted paperwork to HR to extend an offer, they denied the request, saying that because I lacked a degree related to Computer Science, they couldn't approve the hire.
I was incensed. The position was not technical (just lots of spreadsheets and diplomacy). I had a certification that exceeded their DoD-approved baseline. The posting only specified an associate's degree in any field. I knew of others at the company who lacked CS degrees. I already had three degrees, including a PhD, and was not interested in more schooling that would cost money and time. Especially when I knew I could learn more in a few months of self-study than formal schooling could teach me in years. But there was nothing I could do.
Looking back, though, I'm grateful for the experience. It was a much-needed kick in the pants. I wanted to prove myself even more. I immediately began digging more into networking and studying for an operating system certification to show that I do in fact have technical chops, even if I don't have a related degree. But the lesson here is this: yes, to some employers, degrees matter. And if HR puts the kibosh on a hire, you might be better looking elsewhere. I finally landed at a small firm that was way more interested in my determination and ability to self-teach than my diplomas. Which is exactly the kind of forward-thinking place I want to work at anyway.
2. Certs matter ... to some
I read it all the time: certifications don't mean squat. They do not demonstrate experience or depth of knowledge. But for me, the certs I earned got my foot in the door. They got people who wouldn't otherwise take me seriously to give me another look and share my resume with those in their network. So while I don't profess to be an expert in enterprise security or Linux administration, by earning certifications, I've shown that I am capable of learning quickly and busting my hump to accomplish something.
So rather than be dismissive about what a certification says about someone's knowledge base, acknowledge what it demonstrates about their personal drive and desire to further their career, especially if they studied on their own time, and paid for it on their own dime.
3. Passion and excitement matter ... to everyone
I spoke to a number of prospective employers, in both formal and informal settings. They were looking for different knowledge and skills sets. But they all shared one thing: an appreciation for candidates who demonstrate passion for the field, excitement about the company, and an eagerness to learn.
So if I had one piece of advice for someone looking to land a first job, it would be to figure out a way to show you really, REALLY want this. Attend lots of networking functions and meetings of local ISSA or ISACA groups, read lots of articles and books, get active on social media, reach out to others doing what you want to do, post frequently on LinkedIn (even if it seems like no one is actually reading those posts), and if someone offers to help, push your pride aside and take them up on it for goodness sake! In a nutshell, establish a personal history and an online record that demonstrate self motivation and devotion.
4. LinkedIn can actually be useful!
I have kind of a love/hate relationship with LinkedIn. I think it's a poorly designed platform that for whatever reason has not figured out how to show me what I actually want to see in a way I want to see it. It's primary purpose often seems to be a way to legitimize stalking by job seekers, recruiters, and people who do direct sales. But it does offer some utility.
I realized that while others who do the kind of work I want to do are not very active on LinkedIn (probably because they're busy, well, working), their bosses are. Nearly every CEO and company president I sent a connection request to accepted. However, I did not send the generic "I'd like to join your network" message. I tailored each request. Obviously, if I had a personal connection, I'd name names; otherwise I'd mention a podcast I heard them guest-speak on, or a webinar their company hosted. With each additional connection, I feel I gained some measure of legitimacy. My number of profile views increased and I felt more comfortable reaching out to the next person. I never pestered them with questions or requests afterward, but by following them and seeing their posts and "likes," I learned more and more about the industry and timely issues or policies affecting local companies.
It was because of LinkedIn that I eventually connected with a hiring manager who, though I wasn't right for the position he was filling, passed my resume on to someone else. That someone else did hire me.
5. Introvert? Learn to suck it up, Buttercup.
If you're an introvert like me, attending networking events or luncheons is its own special form of torture. You show up, grab that cup of water (or, if you're lucky, something stronger) and grasp onto it for dear life as you do your best impression of the Incredible Shrinking Woman. But like anything else, it becomes easier—and you get better at it—with time. Prepare ahead of time by developing a one-sentence pitch about who you are and why you are there (in case they do the dreaded "New people stand and introduce yourself!" bit). One thing I found helpful was to set very conservative goals for myself, such as asking one person what they enjoy about their work (expressing interest in someone else is always a safe move).
I didn't go in to these events with unrealistic expectations, like that I'd walk out with a job offer. If I learned something and had one nice conversation, I considered it a win. If you attend enough events, you're bound to have multiple interactions with someone who can help put you on the right path. And again, you're being proactive and establishing a history that demonstrates commitment.
An alternative to luncheons hosted by professional organizations where there's a good chance you'll get stuck listening to someone bloviate is to attend low-key meetups. I stumbled across a local Women in Cyber group. Our monthly gatherings usually don't involve much tech talk, but chatting with other women at various stages in their careers has been a great way to learn about the local infosec ecosystem and make connections. Check out meetup.com to see if there are groups for coders, Linux users, or infosec professionals in your area. You may still encounter someone who bloviates, but it'll be easier to hightail it out of there if you do.
6. Everybody's an expert ... but really nobody's an expert
There is so much to be learned by following infosec leaders on Twitter, reading blogs, and subscribing to newsletters. But it's easy to become overwhelmed by the amount of information out there and by the, uh, "passion" with which people will discuss various topics. When others on social media are getting in virtual bar fights over programming languages or technology you've never even heard of, it can be intimidating.
As someone who spent most of her adult life working in academia, I'm no stranger to imposter syndrome. It's become clear to me that the infosec echo chamber can reinforce feelings of inadequacy. Talking heads and self-professed experts abound. But it's important to remember that information security is an incredibly broad field and no one—absolutely NO ONE—is an expert on everything. There are lots of really smart people who know lots of really important stuff, but those people often wear blinders and operate in bubbles populated by others wearing similar blinders.
There are so many different roles in information security that require a plethora of skills and knowledge. If you've been studying and making an effort for any length of time, you probably know more than you realize. Unless you claim to be an expert, then chances are you don't. Regardless, with the dynamic, ever-changing nature of the cyber landscape, there's always new technologies, guidelines, mitigation strategies, information sources, threats, frameworks, methods, infrastructure, regulations, and analysis models to be explored. Be open to learning from others, but don't let them convince you that you don't belong in this space. There's room for all of us.
A final note about checking my privilege
As I wrap up my thoughts on landing my first job, I have to acknowledge that I have a few things going for me. I am a white, straight, cisgendered, native English speaker. I have a spouse who works in IT who taught me some of these new skills. We move in the same circles as other people working in information technology and security. My husband's salary is good enough that I could remain unemployed (aside from the occasional freelance gig) for months and spend hours each day engrossed in self-study. We have more than one computer, so I was free to play around with and potential destroy one. We have high-speed internet. If I wanted to order a certification guide, I could pop on Amazon and have it on my doorstep in two days. We've got a great local library. My kids are school-age, so during the school year I don't have to pay for childcare during the day.
The path I took to this new field is not available to everyone. There are those struggling financially who cannot devote hours each day to studying or shell out hundreds of dollars on certification exams and preparation materials. There are those who have young children or ailing family members and don't have the time or mental energy needed to learn new skills. There are those who live in rural areas and don't have high-speed internet or access to a decent library. There are those who have physical or mental disabilities for whom attending networking events would be difficult.
So if you're a hiring manager, please remember that not all candidates are starting from the same place or on a level playing field. I had many advantages, and it still took months to land my first job, even living a city consistently ranked as one of the top places for people looking for STEM jobs. But hopefully my experiences can help someone else venturing down a similar path establish a foothold more quickly and with more confidence.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Hired' and it was created by graphic designer Blindartist.