Creating career opportunities is not easy. We get that. And while my last post laid the groundwork for creating opportunities, there is more to the story. Anyone entering cybersecurity also needs to know what makes a ‘memorable, personal value proposition.’ In short, you need to know how to answer the question “tell me about yourself” in a way that communicates your curiosity, discipline, critical thinking and how you can address the challenges of the job. Oh, and you must be memorable. I interviewed 8 people over a two-day period just last week. In the 8 seconds it takes to scan a resume, I was most drawn to the applicants that met the qualities noted above.
Understand, first, that cybersecurity is primarily a human endeavor. Even though most branding surrounding IT and cybersecurity makes you think ‘cold,’ ‘impersonal,’ and ‘possibly alien,’ the reality is that the cybersecurity industry is exciting because of the people in the industry, demanding because of the people enabling threat actors, and worth the extended effort because of the people we serve. A large part of what we do is communicate with people to help change their behaviors for improved security and to bring better cybersecurity awareness. It isn’t enough to be great at pen testing; employers (if they’re anything like we are) also look at whether you can connect and collaborate with others to drive positive change. That is a specific, critical skill and one that is not addressed by any industry certification. Below I’ve outlined a few job roles in cyber and a high-level view of attributes to help you ‘hack the job.’ Your passion better be authentic, and then it will be realized when you ‘hack the job’ thru relationships built on trust (their trust in you), service (to others), and confidence (in yourself).
We really care about networks and end points, so maybe that’s your focus. Prove to us that you know how they work, how they integrate, and how to defend them. Even this goes back to my first point above, though. Prove to us that you are curious, disciplined, and passionate about securing networks. If that sounds trite, then you either haven’t moved beyond cybersecurity being a mental exercise, or you simply don’t care enough about it. To create an opportunity in cybersecurity, you must feel more than ‘meh’ about it; it must be your passion.
Some individuals are excellent at hardening systems, and we need them. This is the group that understands how systems are monitored, assessed (e.g., vulnerability), and patched with discipline. Oh, and it starts with proper asset management. It’s like air for them; they are gurus on leading practices in configuring and hardening systems. If this is you, then lean in. It’s your strength since these individuals are necessary for every team. Without them, hardened systems and patching that addresses realistic threats (e.g., to your specific system) are either ill-defined, misconfigured, or quickly grow stale.
Regardless of how strong your defenses are, you must invest in resilience. These “incident response” (IR) specialist are striving to address the question “what will we do in the event of an incident (it’s when, not if you will get attacked). Often, resilience is a more productive investment than defense. These are the men and women who in the good times are preparing for the bad times, and in the bad times ensure that business operations resume with all due course and speed. Maybe this is Jeff: he loves IR plans, playbooks, forensics, and incident response and recovery. He works side by side with a line of business leaders, legal professionals, communication departments Human Resources, Public Relations, insurance agencies, and others.
Finally, we look for people who just want to know. You’ve met them; hopefully, you are one of them. They’re the kids in class who let their grades slip because they were busy learning and forgot about the assignment. She’s the student who created her own SOC/MDR lab at home out of curiosity. He’s the co-worker who sends the interesting updates at 3 AM, not because he’s a workaholic but because he got sucked into finding an answer. The moment you have our attention is when you show us that this is you. Now turn that attention into an interview by showing us that you have used that curiosity to understand why cybersecurity is principally a matter of risk—it’s about who owns it, how bad it is, and what you can do about it.
If you want to hack the job, figure out where you fit. Do your research (do you have any way of connecting with the desired person?) and ask them for ten minutes of their time. Then, make those ten minutes compelling. Outline for them who you are and where you are going, how they can help you, and what you might do for them. Give them a way to get into the conversation with you and get out; serving others is a great place for us all to start and end. You’re necessary—help them see it.