How to Get a Job in Cybersecurity


Posted by Jeannie Warner

Every time someone comes to me for career advice, or asks where I think they should look for their next big opportunity, I say – “Consider a career in cybersecurity.” It is a huge field with a broad spectrum of job opportunities. When I enter the term “Security Analyst” into a LinkedIn job search, for instance, I find more than 11,000 jobs worldwide. A “Security Auditing” search nets another 11,000. “IT Security” lists over 16,000 available jobs. And that’s all before I enter any word involving “Engineer.” 

I don’t really consider the background of the person asking; I’ve said the same thing to kids out of high school looking for their first job that I’ve said to veterans who are looking for something new and different. Why? Because who you are as a person is more of a deciding factor than what you know when I’m evaluating how you will succeed in the cybersecurity field. These are the tips I advise to identify if cybersecurity is a match for you: 

#1 – Decide where in the cybersecurity rainbow your interests fit 

The “old faithful” is network security (NetSec). This is the most advanced, well-documented part of cybersecurity and it involves how information displays, moves, and rests. This is the land of firewalls and intrusion detection/protection systems, of anti-virus, monitoring and alerting, and response. Most new NetSec workers start out in operations, desktop support, sys admin work, or even helpdesk and troubleshooting for other disciplines. Broad skills that NetSec managers are looking for include how to troubleshoot problems, curiosity, communication, and documentation. It wouldn’t take long to get involved in incident handling from here, so if you love travel, this could be for you. 

If you’re business-minded, try audit and compliance. Many businesses must comply with safety and security standards in several areas. Careers in cybersecurity auditing for all industries require the ability to document business processes, inputs and outputs, examine reports, and translate the language of the governance and compliance mandate (ISO, NIST, HIPAA, FISMA) into processes and procedures that are communicated, supported, repeatable, and documented. Communication is key to this job, as is project management, record-keeping, and a basic knowledge of IT and networks.

The “new kid” is Application Security (AppSec). The field has been around for more than a decade, but AppSec is not as well codified in standards and documentation as Network Security and Auditing, although OWASP has done a great job getting this process going. Evaluating the security of applications can be done with open source tools, vendors, or “bug bounty” programs, but for any of these options a basic understanding of how websites and mobile apps function is important. The more code or scripting you understand, the better you’ll do to start out. Interested? Try downloading an open source tool today and try it out on your organization’s test environment.

#2 – Keywords are important to communicate 

Look at the jobs you want to apply for. Entry-level jobs tend to have words like Associate, Intern, Assistant, Junior, or even (believe it or not) Specialist.

Look at the requirements list – maybe you have experience with 60-70% of the list, and have no idea about the rest. Say so honestly, then talk about how quickly you learn – and don’t forget to do some reading in advance! Talk about how you’re into documenting your job, your tasks – managers love this. Tailor your resume with similar ideas. If you ever wrote down a process or procedure, or wrote out step-by-step instructions for someone on how to set up an electronics system, you’re on the road to learning about business process and security troubleshooting. 

#3 – Know someone 

This is the same advice I’d give someone looking to change fields for any career discipline. Networking is hugely important, so try to find a mentor who can steer you toward the right study, the right certifications, and the right online classes for your choices. Having someone who can go to bat for you with their own leadership is important. In security, people tend to know one another from company to company, and network at industry events. 

#4 – Don’t get discouraged 

Sometimes managers are looking for the perfect person who is a clone of an employee who just left. They want an expert who can walk in and be productive on the first day. Some have a problem recognizing the pure gold of potential when they see it. So be persistent. Follow up in a friendly, enthusiastic way. If you don’t get the job, ask them for feedback – what do they think you should consider doing to be qualified for the next round, in study or experience? Where do they recommend you apply? 

#5 – Be passionate 

Security people recognize enthusiasm and competence in others. We know what makes for good communication. I’ve talked to security managers looking to hire new employees who were less concerned about technical skills and languages than about passion, enthusiasm, communication, and the ability to write down and share what you know. I recommend you have someone else read your resume. Ask them, “Does this say ‘enthusiastic security wannabe’ to you?”

And never forget – one company may pass you by, because they think they need an expert for their team rather than someone still learning. It’s okay! You can learn from each interview – if you never lie about your qualifications but still show your enthusiasm. Apply to security companies in your area, or look for a remote position if you want to have options about where you live. 

When you do get hired, remember this: as the new employee on the totem pole, you may, at first, own the bad shifts, the boring tasks, and the most tedious parts of the security business, but if you settle in and learn all you can – and write it down for posterity – you will gain experience, attention, and appreciation, and your career will grow.


Contributors
Jeannie Warner

Security Strategist, WhiteHat Security
