I’ve been seeing lots of articles on the skills gap and labor shortage in cybersecurity and how the respective sides are talking about either a shortage in skilled workers or a shortage in hiring. While I’m not in a position to argue for either side as I don’t have access to all their data, I will say this – there’s truth in each, up to a point. But what no one is talking about is the individual cybersecurity job seeker. As a corporate and small business trainer, my view offers a unique vantage point to this conundrum.
No one is collecting data or metrics on all those applicants who fail to get hired, or who fail to meet the minimum requirements for the job, or if they are, I haven’t seen that data published. Instead, we are treated to article after article on how poor our security hiring practices are, in that we require three to five years of experience for entry-level jobs, and how besieged Buddy, Alice, and Terry are as a result because they can’t fairly land a job with no accumulated experience. Yet none of these articles explain how cybersecurity isn’t an entry-level career, or delve into what Buddy, Alice, and Terry might have been up to prior to deciding they wanted a job in cybersecurity, or most importantly, what they do after they finally manage to land a job in cybersecurity.
One generally transitions or gravitates to cybersecurity from another technology role. It’s how the sausage is made. Before we bring up the “we’ve done it that way for 40 years” argument, hear this out. Cybersecurity requires analysis, cerebral (not just A.I.) reasoning, and logic. It’s hard to apply that right out of the gate without some foundational work experience. In order to protect environments, assets, systems, applications, and whatever else you apply in that space, the cybersecurity applicant first needs to have at least a rudimentary level of understanding about each and how each functions or, at a minimum, is constructed to operate.
We’re not simply talking about throwing out technological jargon so that one sounds familiar or justified within their elected space, but about what one truly needs to have, by way of a background or an educational foundation, to intrinsically know that MAC is not just a guy’s nickname, but also stands for mandatory access control in cybersecurity, and could easily be confused with or misinterpreted as media access control in networking terminology. While both terms share “access control” in their acronym definitions, they couldn’t be more different in their applications, utilizations, and purpose if they tried. This is just one example of where having spent time in another IT field will help serve an applicant in a cybersecurity role. Is networking job experience mandatory to be successful in cybersecurity? No. But going without it is a lot like trying to write an essay in English, with its language and idioms, only days after having learned the alphabet.
So, what is the solution? How does one land an entry-level position in cybersecurity without 3-5 years of experience – besides the beg and appeal approach on social media? The answer is simple: self-investment.
Two Types of Cybersecurity Workers
In my nearly thirty-year career as an IT and cybersecurity professional, I have encountered just two types of workers when you boil things down to their basest elements. While every person is nuanced and each has their own particular traits, mannerisms, and skills, they all fall into one of two categories in the end:
· those who are avid learners/self-investors,
· and those who are not.
That’s not to say the non-avid learners are inferior or are somehow lacking. Far from it. Rather they seem to be more partial to short-term, goal-oriented work; meaning that they will learn or self-invest provided it lands them a particular job or position where they think they will be more comfortable, happy, content, better off financially, or what-have-you. Once that goal is obtained, non-avid learners or non-self-investors are more content for things to evolve naturally, or in many cases, stay as static as possible. Call it their “comfort zone”.
Then there’s the avid learner or self-investor. In most cases, the preceding non-avid learner goals may also align for the avid learner, with the sole difference being for the avid learner these things are secondary. The primary reward for the avid learner and self-investor is the betterment of oneself and the attaining of previously unknown knowledge, the learning of a new skill, a fresh perspective on problem solving, and so on. It is their version of the same “comfort zone”. One might compare it to a test from school where the options are to learn the material just long enough to take and pass the exam or retain that knowledge for life. To this day, I still remember the seven masts of a ship thanks to a class I took. Have I used it much? No. But it’s there. Does that make me more inclined to do a better job than Allison who didn’t commit the masts to memory? Only if the job being met calls for recalling the masts of a ship.
So, what then does any of the preceding have to do with landing a job in cybersecurity? Quite a lot. Keep reading.
The Gist
There are many forms of self-investment. Some require a monetary expenditure and others do not. Determining what is right for you is the part you will need to figure out on your own, as you know your individual thresholds better than anyone. But if you’re breaking into cybersecurity or attempting to, knowing where to turn for assistance can be daunting, and a lot like that approach of casting a wide net on social media and hoping for a bite from an empathetic, or better yet, sympathetic person who already works in the field.
Below are more realistic and meaningful ways you can self-invest to show potential employers that you aren’t simply waiting around for the cybersecurity silver spoon to be placed in your mouth:
· Join local and area security chapter groups. They are often low-cost or free to join and participate in. Some examples include OWASP, HTCIA, ASIS, and more. Use a search engine to find these groups in your area. If you don’t have one, inquire about how to start one, or contact your local colleges and universities for additional guidance.
· Visit your local library – yes, the place with physical books – and check out their section on information security and/or cybersecurity. They may have some dated materials, but show me 1,000 people who know TCP/IP and I’ll show you 10 who know mainframes.
· Start following others of like mind or like interest on social media. If you’re uncertain of who, consider looking at some security-focused companies and following them on X (Twitter), Meta/Facebook, or LinkedIn. Not sure where to start? Search for security influencers or “movers and shakers” in information and cybersecurity. Consume what they have to say, but ensure you maintain free thinking and free will. There are no points for being a sycophant.
· Sign up for and regularly attend free security briefings and webinars. Some national groups such as InfraGard, DC3, and the ECTF can introduce you to other similarly minded folks. Read online blogs from organizations like Dark Reading and Wired. Not sure what you want to specialize in, or still undetermined? Read, read, read. Read as much as you can consume and have time for (see the next bullet).
· Read whitepapers and blogs, and complete registrations for free resources such as e-books and company-produced “Dummies” books.
· Find an online mentor through YouTube channels or other offerings. Lots of content creators put out fantastic and free tutorials, demos, and other videos that rival those of paid-for or commercial trainers/learning groups. Just remember, your mileage may vary, and do not take everything literally or as gospel. Experiment for yourself, where legal, and ensure you understand the true message being communicated.
· Look into free and low-cost introductory courses; if you can afford it, attend some conferences in person to get a feel for what it’s all about. Look for “buddy” discounts, or better yet, volunteer – it’s a great way both to get free conference access and to meet people in the business.
· Start a “noob” support group and get others to join. Soon you’ll have a gaggle of closer acquaintances and friends who all share similar interests and roughly similar experiences, who help promote each other, and who invite more seasoned professionals to meet with your group and offer advice, tips, and tricks. Try out some of the more new-person-friendly conferences in the area and rent a car or van with those in your support group.
· Be persistent. Nothing worth having is instantaneous, so recognize that it may take some longer hours and more dedication than past jobs you’ve held.
The Differentiator
Forget for a moment that you started reading this article to learn how best to land a job in Cybersecurity. What if I told you for a $200 investment you could double your income? What would you say after the serious head-tilting and BS meter spike? The truth is you can. Even without experience, taking the time to self-invest and learn Cybersecurity terminology, concepts and current issues and threats will help impress upon a potential employer that you are dedicated to your tradecraft of choice and that you are willing to learn, on your own and without anyone funding you, about cybersecurity. Employers are looking for staff who are dedicated and who stand out from the rest of the crowd.
Now what if I told you that with that same $200 investment you would gain access to over 500 cybersecurity courses for around forty cents per course, and that these courses would teach you about all different kinds of cybersecurity topics, from ICS to AI to mainframe to penetration testing to SecDevOps, and on and on! Has your mouth hit the floor yet? The reality is this deal from none other than EC-Council is unprecedented! Never has this level of content been released at such an amazingly low price.
In full disclosure, I am a certified trainer for EC-Council and my organization is an authorized training center and affiliate. Why? Simply because I have taken their courses and their for-certification courses, and I find that they plain work. Yes, there are competitors in the same space. Yes, you should shop around and see what else catches your interest and eye, but I am here to repeat – dollar for dollar, there is no better offering for your money or, more succinctly, your investment than the EC-Council Pro Bundle if you’re starting out, have limited funds, or just wish to round out your cybersecurity knowledge base.
You will be hard-pressed in any line of business to find something this good that provides tangible results and meaningful ROI. So, if everything else that you’ve tried to break into the field has failed, or heck, even if you simply want to improve upon what you already know, lock in your subscription now and start learning at your own pace, without the added pressures or restricted timetables of in-person and bootcamp-style classes.
Use this link to kick-start your career in cybersecurity: https://codered.samcart.com/referral/xjt5dtL8/Z0OLkR3JMtmfjmf3
Just because you don’t have 3-5 years of experience doesn’t mean you have to show up empty-handed to that entry-level job!
In Conclusion
It may seem for a moment that this article has been nothing more than a lead up to a poorly couched advertisement for EC-Council’s Pro learning bundle. Hopefully, that’s not the only thing you’re taking away from this article. The fact remains that there are doers and there are dreamers. It’s okay to be both, but at some point, the words of Burgess Meredith’s character in the movie Grumpy Old Men ring true – “You can crap in one hand (e.g., do) and wish in the other (e.g., dream), and see which one fills up faster.”
Having a doer mentality and coming in prepared is going to demonstrate without words to others that:
a) you can finish what you start, or set your mind to,
b) you’re genuinely interested,
c) you’re dedicated to learning and improving, and most importantly,
d) you’re not just blowing hot air; you’re sincere in your approach/inquiry.
While this won’t guarantee you’ll land a job, or promise that any of the above, if followed loosely or to a tee, will get you employed in your dream job, it can make the difference between being interviewed and being simply passed over again as “unqualified” or “does not meet.”
Remember, the job market is called a market for a reason. Expect to barter and negotiate. Expect, too, to compete with others for the same resources – in this case, that coveted cybersecurity role. However, if you just show up with a nice pair of shiny shoes, a freshly coifed hairdo, a spritzed and double-spaced resume, and that good ol’ can-do attitude, you’re going to meet a lot of similarly situated and aligned folks all saying the same thing. Here’s hoping you know, when the time comes, that IAMS is not just a pet-food brand, or that SCADA isn’t coming up because your interviewer is from New England and is asking you about hockey.