In part one of this blog post series, we covered some personal backstory of my journey into InfoSec, went over putting a plan together for your next InfoSec mission, recommended some InfoSec immersion ideas, and provided some guidance around seeking out a mentor.
If you haven’t had a chance to read the first part of this series, take a few minutes to get caught up and then jump back into part two where I will cover some InfoSec-specific academic recommendations, tactics for applying to InfoSec roles even if you have limited or no experience, navigating the HR paper shuffle, and remaining humble as you mentally prepare yourself for your new InfoSec role.
Academics Debate: All in How You Look at It
There are differing viewpoints toward obtaining InfoSec industry training and certifications, but my personal feeling is formalized training in some form is a good way of receiving the fundamental baseline information you need to get your feet wet. This is a very important aspect to understand—just because you have the schooling and certifications does not mean you will land a position. It simply means that you can put a goal in front of you to achieve.
Some of the brightest minds I have come across in the InfoSec community have come from System Administrator or Network Engineering backgrounds and evolved or stumbled into InfoSec roles. That being said, delaying specific InfoSec training to obtain some underlying System or Network Administration training and skills is an avenue to think about prior to jumping into InfoSec-specific training.
But, let’s not go down the rabbit hole of debate surrounding those trains of thought. Instead, I will impart some wisdom surrounding InfoSec educational training preparation.
Some education preparation approaches:
- Begin your education and certification journey as early as possible. Remember, the fewer technical skills you have, the more time you want to give yourself in your educational goals.
- Research the industry to look for meaningful certifications or training. This will help you identify current skills that are hot in the industry. There may be some underlying education or certifications that you need first to provide the baseline knowledge.
- Explore the wealth of free or low-cost education online. You can receive a tremendous amount of specialized training on the interwebs in a very short period of time. This is 100% in your control.
- Research online higher education schools that have specialized InfoSec degree programs.
- Read, research, and do your own testing. Find books in the technical area that you would like to pursue and start reading.
Online InfoSec training resources:
Entry-level InfoSec certification references:
Online degree reference:
InfoSec positions are not going to come easy, so you will need to work hard academically (formally and informally through your own research and testing) to achieve this next goal. Stay current with your skillset and knowledge—InfoSec is a fast-paced, dynamic career field.
You Never Know Until You Apply
Seek out, search, and apply. This sounds easy, but the question is: how and where should you look for InfoSec positions? I have found over the years that personal networking has been the best source of finding a role, which is why I really push the InfoSec immersion idea above. Nothing beats an internal referral 🙂.
But if you do not have a vast network of InfoSec professionals to tap into, a more traditional approach might be ideal.
Job search suggestions:
- Apply while you are training or while you are going to school—do not wait until after you are done.
- Apply for an intern role that transitions into a full-time employment position after a period of time.
- Go to job fairs. This is an easy way to get in front of many hiring managers. This is your opportunity to sell your skills in person without having to contend with the HR paper shuffle.
- Look for virtual job fairs, put your resume on the mainstream job boards, and work with job recruiters. The goal is to tap into as many job resources as possible and have them work for you.
Do not let a lack of industry experience stop you from applying to roles or talking to employers. Focus on the skills you DO HAVE rather than the skills you DO NOT. As a hiring manager, I have hired individuals based on passion, willingness to learn, and overall desire to achieve over those who had more experience, so take that into consideration when applying to jobs.
Getting Past the HR Paper Shuffle
Time and effort are required to put together a solid resume. Before the resume hits the hiring manager, it usually needs to breach the HR firewall. This usually is not hard to hack, but you must understand how to win over the HR analyst.
Do not stress about writing a resume from scratch. Research resume building websites and other posted InfoSec resumes to assist in formatting and layout, verbiage used, and specific technical content to cover. Do not embellish, be honest, and focus on your strengths.
Some questions to ask yourself:
- Do you have the basic requirements for the role?
- Have you researched the requirements for the role for which you are applying?
- Have you properly prepared yourself educationally?
- Have you drafted your resume so it is easy to pick out your highlighted skillset and capabilities?
This is where your due diligence and preparation pay off.
For those new to InfoSec, here are some qualities to focus on:
- Communication skills
- Work ethic
- Planning skills
- Problem-solving skills
Even if you are not fully qualified for the role, the goal is to get the potential employer to call so you have the opportunity to verbally market your skills and lock in an in-person interview, and then to convince that employer to give you the opportunity. I have found that motivation and passion go a long way. I have personally seen that you can teach someone technical skills and work with someone who has capability, but someone either has motivation and passion or they do not.
The important part here: Translate your skills (even if they are outside the technical sphere) so the employer can directly associate your value to their company.
Mentally prepare yourself to start at the bottom but go in with a set time for this adjustment. Give yourself 6 months where you put your nose to the grindstone and learn your new role and work to surpass your peers. Then, for your first annual review, confidently show your upward progression and lay out the reasons why you should be promoted or obtain the raise you deserve.
Some items to consider as you take on a new role:
- It may be necessary to take a pay cut.
- It may be necessary to start at the bottom.
- It may be necessary to work a sub-optimal schedule to get started.
But all of these are easy ways to get in the door and prove yourself. Believe it or not, you will see that leaning on your work ethic will result in outperforming others. Be willing to learn anything and everything, maintain a humble attitude, and see how far and how fast you progress.
Doing the Work
Succeeding in InfoSec comes down to three (3) simple words: Do the work!
Put in the time and effort that is required to achieve your InfoSec aspirations. The more work you put in, the greater success you will lay out for yourself. Be disciplined in the goals you want to achieve, and greater career freedom will be your reward. Most importantly, do not let fear stop you from entering a great career within InfoSec.
As you can see, there is a lot of work to do, but I have faith in you.
Set the goals in front of you, plan the necessary steps, reach out and get yourself a trusted mentor, immerse yourself into the InfoSec community, get your resume dusted off and fine-tuned, start applying to roles, and be prepared to put your head down, open your ears, and work hard toward your InfoSec career mission!
I hope this resource is viewed as something valuable to those seeking to break into InfoSec.
A valued motto I have learned: “Discipline equals freedom!” – Jocko Willink