James McQuiggan, besides his role as Security Awareness Advocate at the security awareness training company KnowBe4, has been the Central Florida (ISC)2 Chapter President for the IT security association for a few years. He writes:
In that role, I have the privilege of meeting security professionals at different stages of their careers across various disciplines.
Recently, we held a careers workshop for junior security professionals to speak with seasoned professionals and recruiters about how to further their careers. The event had great conversations and talking points. It’s not possible to recount all the dispensed advice, but I’ve distilled five of the key points that came up repeatedly below.
Emotional intelligence
This concept is always a tricky one for people to completely understand, but according to Daniel Goleman, who popularized the term, it focuses on five concepts: self-awareness, self-regulation, motivation, empathy, and social skills. Each of these concepts can help you get the position you want when you are seeking a new job. You already have the self-awareness and self-regulation put forth to get a new job, and empathy doesn’t apply here, so I want to focus on the other two, motivation and social skills. Networking and relationship skills are one piece to getting a new position, and I will discuss that in greater detail later on. That leaves us with motivation. The emotional intelligence of motivation is the driving factor for you to get a new position. Your job is to get a job. That is your primary focus. Your motivation is to apply to dozens of jobs and keep trying. At KnowBe4 alone, there are 100 open positions, and 8,000 people submitted applications. Out of those people, the average person getting a job is 1pc. Don’t give up, keep trying, and you will capture that position.
Portfolio
Tell me a little bit about yourself is a common question in an interview. What better way to show your body of work than your portfolio? Creativity can be virtual and the more creative you are showing your skills, the more impressed they will likely be. In some positions, you will need to be creative; it will be a lot easier for some compared to others. For developers, your GitHub repository can contain code you’ve written for various projects, along with comments, of course. For security analysts, you could have examples of analysis work you’ve conducted, like reverse engineering malware or other code. If you’re starting, demonstrate your homemade virtual lab and the virtual networking you’ve set up for development, testing, and sandboxing. I know from my experience, showing that extra initiative can help separate you from other candidates with similar qualities. I’ve even seen web pages and blogs with information or thoughts about events that people encountered at conferences and webinars; but of course, nothing confidential that could land you hot water.
Research your new company
When you’re applying for a new position, it’s important to research that organization and to learn about its mission, along with the values they promote. Understanding those can help you get a better grasp on your possible role within the organization. Conducting research on their website, LinkedIn, and Glassdoor are just a few examples of how you can learn more about the people who work there and what they produce. Granted, when you use LinkedIn, it informs the person of someone looking at their profile. This action is okay, especially if you find the hiring manager because it tells them you’re doing your research and have a keen interest in the organization.
Networking
It’s incredible how small the information security world is. When you start meeting people and tell them you know Dave Speeler, and they reply, “Oh yeah, I know Dave,” you realize that it’s not six degrees of Kevin Bacon, it’s two degrees of Kevin Mitnick. Networking and building relationships are vital in any industry, but within the infosec community, it’s even more critical. Over the years, I’ve heard stories from other professionals who were able to get a position from someone they met and had been colleagues with for years. I know from experience of meeting a lot of people over the years that a select few have helped me get new positions to grow my career. It’s often not as easy as meeting someone one day and expecting to get a position through them the next day. It can take some time to cultivate that relationship. Like a garden, it doesn’t grow overnight. It takes time to develop and grow. Your networking and relationships in the industry will help you after you’ve earned the certifications, degrees, and experience to land that next dream role.
Certs, Degrees, Experience
One of the big debates within the industry is which requirement is more important? Certifications, degree or experience. Many people in the industry got into it by obtaining an IT or cybersecurity certification to help secure a position or prove to hiring managers that they understood security. Other professionals will argue that experience is much more critical, as they want to know what work the person has done, either professionally or through their studies. Educational institutions have slowly been developing more and more curricula for the cybersecurity world to get students prepared for the real world. I’ve heard through chatting at conferences, and over coffee meetings, that some professionals believe the degree is no better than the certification. It doesn’t provide enough hands-on experience for them. As a professor at a local college, I’ve seen the students get more hands-on experience towards their networking and operating systems courses than most certifications. If you were to ask me, I’d quote a friend who says that -“Certifications get you in the door, experience keeps you working, and the degrees provide advancement.” While I agree with my friend, I believe that while certifications are essential, if you’re starting in this industry and take the time, get the degree. The learning environment is more supportive and worthwhile than trying to take a week-long boot camp and a test. After you get the degree, get the certification to make you a contender among those stacks of resumes.
Conclusion
Cybersecurity is a vast field with many disciplines and paths. There is no shortage of opportunities, but sometimes too much choice is as bad as not enough. Sometimes you need to try everything before you land in an area where you discover your passion. I started on a help-desk and moved to working on databases, then to programming applications, networking, and network security, where I discovered my passion for cybersecurity. Even within cybersecurity, there are many different paths, so it’s okay to try them all. Therefore, try to figure out how you want your career to pan out. Once you’ve done that, remain persistent in your approach and hopefully one day you’ll arrive at your dream job.
