Cybersecurity is a hot topic in today’s job landscape. Whenever I mention that I work in cybersecurity, the majority of people respond with something along the lines of, “That’s a great profession to be in” or “Well, you’ll never be without a job.”
Despite cybersecurity’s cachet, getting a foot in the door can be so difficult for beginners. And there’s no shortage of jobs: a quick LinkedIn job search for entry-level security analyst roles yields 40,000 results. If the field is so popular and so many positions are open, why are entry-level candidates having a hard time landing a first role? In this blog, I want to help cybersecurity jobseekers by highlighting some of the ways to break into the industry and the things you can do to set yourself apart from other candidates, whether fellow newcomers or seasoned professionals.
3 Tips for Breaking Into Cybersecurity
- Be active in the community. Get on LinkedIn and join InfoSec organizations.
- Find your passion and become an expert.
- Use job postings to your advantage and obtain relevant skills and certifications.
Be Active in the Community
I’m sure this isn’t news to anyone, but networking is a key aspect of landing that first security role and subsequent ones in your future. I got both of my security positions thus far through my network rather than by spamming countless potential employers with my resume.
But what exactly does it mean to be active in the community? Hint: It’s more than just connecting with people you’ve worked with and interviewed with. Typically, developing a robust presence comes down to a few things.
Get Active on LinkedIn
Don’t overthink this step because it’s simple: Engage with others and comment on and share posts that interest you or provoke thought. According to a blog posted on Kinsta in April 2022, just 1 percent of monthly LinkedIn users post on the platform. You can set yourself apart and broaden your network just by resharing or posting content that others may find interesting.
Speaking from experience, I tripled my LinkedIn network in 48 hours with just one post. Last November, I went out on a limb and shared a post reflecting on the journey I undertook to earn my CISSP, which is a highly regarded security certification. The post quickly went viral, gaining over 250,000 views and over 3,000 reactions. When I published it, I had around 400 connections, but requests flooded in just as quickly as the post had generated reactions. I now have 1,300 connections and 2,200 followers.
I’m not saying you need to go viral in order to get a job in security, but you should consider engaging with others on LinkedIn. Most LinkedIn users don’t realize the organic reach the platform has, which makes it a powerful networking tool.
Join One or More InfoSec Organizations
Dozens of InfoSec organizations offer free memberships and plenty of other resources, like webcasts, blogs and conferences. In addition to the unique networking opportunities you’ll find through InfoSec memberships, they’re a great way to learn new things and stay on top of the current trends.
Although too many organizations exist for an exhaustive list here, I’ll name a few popular ones that hold frequent webcasts and conferences as well as publish weekly and monthly newsletters:
- ISACA (Information Systems Audit & Control Association)
- CISA (Cybersecurity & Infrastructure Security Agency)
- InfoSec Institute
- ISSA (Information Systems Security Association)
- ISC2 (The International Information System Security Certification Consortium)
- CIS (Center for Internet Security)
- CSA (Cloud Security Alliance)
Depending on your interests, you may find that some organizations are more valuable to you than others, but any one of these is a great way to connect with industry experts while also keeping up with the latest information in the field and emerging threats.
Find Your Passion and Become an Expert
The security field is massive, and many beginners often don’t understand that you can’t know everything. Although knowing the foundations of InfoSec — like access control, network security, identity and access management, risk management and so on — is important, expertise in all of those areas is impossible. Too often, when I ask beginners looking for help getting started in security which areas interest them, they say, “I don’t know.”
As a beginner, you need to be able to answer that question, or you’ll have no idea what you’re looking for in a job and will waste your time applying to every entry-level position you see. Interviewers won’t be too impressed with a lack of applicable skills, and you may not even make it past the bots that parse through resumes before passing on a narrowed pool of candidates to HR.
To set yourself up for success, figure out which area(s) you enjoy most. Do you like network security and incident response? Or maybe threat hunting or vulnerability management has piqued your interest. Explore some options by researching popular career paths and then choose one or two to focus on.
Once you’ve done that, it’s time to hone your skills in the chosen area. Various hands-on security training platforms offer a great way to gain experience with technical aspects of cybersecurity. TryHackMe, Hack The Box and RangeForce are a few popular ones. By taking this approach, you can develop your skillset and add relevant experience that shows you’ve identified the areas of cybersecurity you’re interested in pursuing and are working to gain a deeper understanding of those topics.
Use Job Postings to Your Advantage
In addition to discovering the areas of security that most interest you, you also need to understand the common skills employers look for in potential candidates. Although we might not think of them as a resource, job postings are a great place to research the skillsets companies want. Whether you’re seeking a technical security analyst position or a less technical role on the governance and risk side of security, job postings will detail plenty of information regarding requirements and preferences.
Obtain Relevant Skills
A typical job posting will list the role’s high-level responsibilities and will likely include things like software you’re expected to know, the systems you should be familiar with, and most importantly, the security frameworks and concepts used within the organization.
As an example, a job posting for a vulnerability analyst may list things like these as key responsibilities:
- Experience with Windows, Linux, macOS and IoT/OT systems
- Familiarity with vulnerability scanning tools like Tenable and Qualys
- Ability to produce prioritized and actionable reporting for infrastructure teams
- Collaborate with various departments to develop mitigation strategies and countermeasures for identified vulnerabilities
Anyone looking for a technical role in cybersecurity already knows they need to have a basic understanding of various systems that may exist in an environment, so those are relatively easy to check off. You can learn the rest of the skills above through using the tools themselves, which many vendor training platforms offer for free on their sites. In this example, both Tenable and Qualys offer free introductory training courses for their products, which is a great way for beginners to start learning some of the security-specific tooling that exists in most enterprises today.
Obtain Sought-After Certifications
You can also use job postings to figure out which certifications companies are looking for. Although many entry-level roles look for some foundational certifications like CompTIA’s Security+ or CySA+, they don’t always set you apart from other candidates since many beginners are pushed toward obtaining them. Instead, identify other certifications that are more specific to the roles you’re seeking, like network security, incident response, identity and access management and so on. Some places to start may be researching popular network security vendors like Cisco and Palo Alto, cloud identity providers like Microsoft, or a certification body like GIAC, which provides technical certifications like incident responder or detection analyst.
In addition to industry certifications, product-specific certifications can be useful for technical roles in which the company is looking for someone knowledgeable in one or more security products. For example, Tenable and Qualys offer certifications of completion of their introductory courses, and SIEM tools like Sumo Logic and Splunk offer free training and certifications to show your mastery in various uses.
Even though many experts will steer you away from this advice, I’m a proponent of this approach because employers will typically choose someone with tool-specific experience over those without it. Tools are easily learned, yes, but being able to add experience with popular security tools to your resume is a great way to stand out from other beginners applying for the same role.
Start Your New Career Now
Cybersecurity has a reputation for a high level of gatekeeping; in other words, we make it hard for beginners to get into the field. Although many security professionals are pushing to change that, the barrier to entry may not ever fully go away.
Although security has become an integral part of everyone’s lives, it’s still a complex topic. Landing an entry-level role requires a certain level of knowledge. College degrees and fundamental security certifications can provide that knowledge, but what will really help you kickstart your career is networking with others, immersing yourself in the InfoSec community, and discovering the topics that interest you most so you can hone your skills and stand out from the crowd.