Recently, I’ve noticed an increase in people wanting to launch their cybersecurity career. As a mentor and someone who has gone through the change myself, switching from web development to penetration testing, this makes me both glad and worried.
On one hand, it’s always amazing to see people who have a goal and are striving toward it. On the other hand, it is worrying because I’m uncertain if they know what they’re getting into. The industry can be very unforgiving, especially towards new people with no industry experience. It is even more unforgiving towards those without ANY work experience.
This post is for those looking to break into cybersecurity and launch their career, but who have no idea how to get their foot in the proverbial door. You may also have noticed that the title of this post contains “Part 1”. This post is the first in a short series, each diving deeper into a specific part of the job-hunting journey. This post explains how to find companies to work for and identify the skills you will need to reach your first job.
As I’m writing this post based on my journey getting into cybersecurity, I feel it is crucial to know where I started. I am originally a web developer with roughly ten (10) years of experience, primarily working with WordPress and PHP. I have also done a couple of years of sales, both in brick-and-mortar stores and via telemarketing. That should cover it, so let’s get to the good part and help you break into your cybersecurity career!
In this first part, we will be taking a look at the following:
- What types of jobs exist in cybersecurity?
- What skills do you need to perform those jobs?
- What companies have openings for those jobs?
- Which companies suit you?
- And finally, what does the roadmap look like that leads to the job you want?
Figuring Out What You Want

Before you get started, you have to decide what you want to do. While many cybersecurity roles have skills that can be transferable, there are quite a few differences between them. And if you don’t know what you want to do, you won’t be able to create a good roadmap. So your first step should always be to research the different types of jobs available. For instance, you have red team roles such as penetration testing and “red teaming”/adversary simulation; blue team roles such as SOC (Security Operations Center), threat hunting and incident response; and GRC (Governance, Risk and Compliance). Each of these has a different focus, and some are more hands-on-keyboard than others.
Chances are you have already done this, but I wanted to include it anyway. Many people don’t realize just how vast cybersecurity is. Many think it’s only hands-on-keyboard positions. Meanwhile, in GRC, you’ll be more involved in the policies and processes that a company adopts instead of being the one performing the actual tests.
For examples of some available roles with descriptions, check out this article by SANS on “The 20 coolest cybersecurity careers”.
Making the Blueprint
Now that you have a role in mind that sounds nice and that you want to pursue, it’s time for the next step. For this one, you will head over to LinkedIn and look for jobs in your area for that role. The reason I’m emphasizing “your area” in this case is that many people search outside of their own country for their first job. While it is good to have aspirations and an end goal, it is not very likely that a company will take someone from abroad without any experience. If they did that, they would have to deal with visa sponsorships, relocation packages, and the fact that you might not be able to get any required security clearances in that country. So they are much more likely to choose a local candidate than a foreign one.
At this stage, we are not filtering out any jobs; we are looking at all jobs that match the role we want. Compile all of this information into something like an Excel spreadsheet, and try to gather as much information as possible:
- The name of the company.
- The years of experience wanted.
- The skills they want to see you possess.
- The certifications that they want to see.
- What the role itself entails.
- And so on.
Once you’re done looking at LinkedIn and have exhausted the whole list of jobs there, it’s time to turn to Google. Again, look for companies that provide cybersecurity services in your area. Sometimes, a company will not post their available jobs on LinkedIn. Sometimes, they will have even more information on their site, such as what tools they use or interviews with their employees. Once you find new data, add it to your spreadsheet. This spreadsheet will be your foundation.
As a bonus mission, reach out to recruiters of the company and employees in roles you want. Include a message with your connection request and be respectful of other people’s time. Remember that if they decide to answer your question(s), it’s because they take the time to do so. It’s a privilege they may grant you, not a right that you can demand. The information and insight you can gain this way can be invaluable. It can also help you see if the role you’ve settled on is something you want to pursue.
Laying the Foundation
Now that you have your spreadsheet with companies, skills, and certifications, you are hopefully starting to see patterns in what is expected of you once you enter the role. Now I want you to take a look at the spreadsheet you built previously. Visit the website for each company, read about their company values, and see which companies you want to work for. I am saying this because the job can get very rough sometimes. It might make you want to quit. So find a company that matches your values and has a good work environment. That will help you through those hard times.
For this section, I want you to find the top five (5) companies you want to work for. Remember, at this point in your career, it’s not necessarily the highest-paying companies that are the best. At this point, you probably have no experience in cybersecurity. So it’s better to get some work experience to help you land a better, higher-paying job later. Of course, if you can get a higher-paying job, go for it. But don’t make it the sole reason for choosing a company.
The Roadmap
Now that you have your five (5) or so companies, we can start building the roadmap for your cybersecurity career. For the roles for each of those companies, refer to your spreadsheet and start looking through what skills and certifications each job requires. Any overlap found is likely crucial for the job, so add that to a new list.
Something to keep in mind: an overlapping skill is most likely crucial to the job at hand, while an overlapping certification is most likely something highly desired in your local market. Not every certificate is necessarily recognized or valuable in every part of the world. Skills, on the other hand, are universal. There are also vendor-specific certifications, such as the CCNA by Cisco, which aren’t as useful for companies that don’t use Cisco hardware in their network. So just be aware of that.
Now that you have that list, look up the skills and certificates and see what they include. Start with the base skills and move up from there, creating your roadmap. If you already have some of the knowledge needed, great! That can let you skip some steps. But make sure that you do know the things you think you know. Deceiving yourself doesn’t do you any favors, and being able to see in what areas you are lacking is an important skill to have.
Taking the First Step in the Journey Toward Your Cybersecurity Career

Now that your roadmap is complete, it’s time to start learning. I can already hear you saying it will take you forever to learn everything on that list. And yes, it will take time. Nobody said this would be easy. One reason this career pays decently is the knowledge required for it. A common thing you will hear is: “An entry-level role in cybersecurity isn’t an entry-level IT role.”
They say that because cybersecurity roles require a vast amount of knowledge, which is why it’s often easier to transition into a role via another IT role, especially if you are aiming for a job in one of the more technical cybersecurity roles. For example, a role as a network penetration tester requires knowledge of networking, operating systems, and more. As such, having experience as a network engineer or a systems administrator can benefit you greatly and allow for a much smoother transition.
The End?
You have reached the end of the first post in a series on how I approach job hunting. I hope it has been of at least some use to you. My approach isn’t the only one out there, but it worked well for me. For the next post, I will talk about resumes, as this is another thing I see people struggle with. The list of your top five (5) companies that you created earlier will make a return here as well.
Future posts will include some ideas on getting around the “chicken or the egg” problem regarding job experience and requirements and some typical interview questions you might come across for various roles.
Until then, I wish you all the best with your pursuit of your own cybersecurity career!