Tips for an Information Security Analyst/Pentester career - Ep. 54: (Humble) recommendations to land a job in info sec

10/24/2018 Update: I've just become a professional penetration tester, read about it here.

As some of you who follow me closely might know, I recently got a new job as an IT Security Associate, all of a sudden.

I'm very excited for this new opportunity and for being able to find a job in my metropolitan area, where info sec positions aren't really all over the place.

Regardless of what's round the corner in my professional future, I'll always be grateful to my new employer for giving me a chance after being far from the industry for so long.

Jeez, I had almost forgotten that feeling.

The monitors, the SIEM, the logs, the tickets, the challenges… I'm back home, baby.

Back where I belong.

But this post isn't about myself.

I don't care for self celebrations, even though I'm very glad right now.

I want to talk about my experience to help others land a job in information security because it's way harder than you could think, or rather it's very hard if you do what everybody else does.

Problems

I talked about some of these issues in episode 1 of this series: Tips for an Information Security Analyst/Pentester career - Episode 1: General and technical hints (could you guys believe I started out writing this stuff in July?), so please check out my older post for some useful references.

I'm adding here a series of additional insights based on the experience I had in over 6 months dealing with recruiters, job interviews that led me nowhere, missed promises, setbacks and disappointments, until I finally saw the light at the end of the tunnel.

Why you're not getting a job

  1. THERE'S NO TRUE ENTRY LEVEL JOBS OUT THERE. THEY DON'T POST THEM: They want experience for you to get experience in the industry. Crazy, right? Well, there's something you can do about this and I'll show you what.
  2. Unrealistic requirements: That's a biggie. Most companies set a list of unrealistic skills and requirements for the job. Yes, you might have sure looked at some of those ads. CISSP cert for an entry level job, why? Because. Because they look for the purple squirrel. Well, they're not gonna find it that way and, in the meantime, you'll be jobless. 
  3. Discrimination: Some companies and recruiters would rather call someone who's working already over someone who doesn't have a job in the industry, and the longer you've been unemployed, the bigger the red flag for them. Yes, you heard it right. They bitch about skills shortage and rant because they can't find the right people but they don't want to call who could get hired, why? Because you're a damaged good for them. There must be something wrong with you if you were unemployed for so long. Well, maybe there's something wrong with them. Considering how fast the job market is changing, especially in technology and yet more in information security, job hopping and unemployment periods should be considered as normal. Well, it's not my fault if you guys don't wanna f** hire me. Well, this is part of the problem, but also part of the solution. I'll explain there's something you can do to overcome this.
  4. Some recruiters and corporate HR managers are downright jerks: Some of them are nice and I loved to work with them, but some of them are rude, unprofessional and should seriously consider switching careers. In December, a company called me for a phone interview, out of the blue, without any notice whatsoever. They grilled me for maybe one hour on technical stuff. I had to answer questions from maybe three or four interviewers. Wtf? Final outcome: I haven't heard back from them so far. Of course, they tell you they'll let you know in two weeks or so, but they mostly don't follow up. Well, that's not the type of company I want to work for. Expect this type of conduct and consider that some recruiters, especially if they call you from those body shops based overseas in India or even here in the US, don't act in your best interest. They try to place you somewhere even if you're not qualified, for them to get a fee. Most companies don't even want them to submit candidates. They're a bunch of unprofessional guys and, 99 cases out of 100, you're wasting your time and losing your reputation. With in-person interviews, you might think you did great but then the hiring manager maybe discards you for a stupid half-assed reason you might not even think about. They ask you weird behavioral questions and, if you answer you're the wrong type of tree, you're out. It's true, they must like you. You don't wanna have around someone you don't like, I get it. The fact is you can't please everyone and, for God's sake, shouldn't an interview be about making sure the candidate knows how to get his/her job done in the first place? Then, you can't expect anyone to know every possible piece of software. What I don't know I can learn. The truth is companies don't want to train people but they don't even want to pay professionals for what they're worth. That's the reason for all this stale situation.
  5. You got too much competition as an entry level analyst/pentester: Yeah, if you have limited experience and there's someone with 2-3 years' experience, they'll always choose that candidate over you, and they're right. Experience is invaluable but how do I get it if I can't work in the industry? Well, getting out of this scheme and this box. That's how they want you to think and that's exactly what you DON'T HAVE to do.


How you can get a job and what you need to do to stand out

  1. Network, network, network: Jobs are out there, but don't get posted. Don't wait for a job posting to come out. If you want to work for a company, network with their recruiters or even better, their CEOs, through LinkedIn. Inquire about suggestions and recommendations on how to break into the info sec field and give them your resume. NEVER ask them for a job directly, unless you're on good terms or interacted with them in the past. Tell them you're willing to help them out even for free because you need to grow professionally. If they're decent human beings, they've been there, too, in the past and can relate to your situation. You might be able to find a mentor and any recommendations or advice are like gold to you. They might also pass your resume to other companies, sometimes. These guys are years ahead of the road, so thank them for their time whatever answer they might give you, even though it's not something you want to hear. Skip postings from websites like Monster and the like. I mean, apply to them, sure, but don't rely on them only. This is a total game changer and is how I got my job. Consider that for any of such postings, you'll have a certain number of competitors, who might have higher qualifications and experience than you do. In a situation like mine, instead, there was no such thing. In this case, employers don't have to wait for a set of interviews to be completed or to X-ray all candidates or for a budget to be authorized. It's you and the employers and, if they like you, you're in.
  2. Work on your skills and face your shortcomings: You have to be realistic. If your skills are outdated, you're not gonna find a job. You need to work on your skills and improve constantly, going to the next level. In my previous post, I talked about how to develop technical skills and I refer you to that but in short you should: study, create a virtual lab, take classes, think of certifications and of furthering your education. If you don't know Windows 10, for example, download an ISO, spin up a VM and learn it. THERE'S NO EXCUSE NOWADAYS. I had to learn how to configure a honeypot. Never done before, right? Well, I read about it, I played with it in a VM and here it is, up and running. I also refer here to soft skills. If you're shy and have problems communicating with or talking to people, take public speaking classes. I had to take one in my first college semester and it helped me a lot. There's plenty of tutorials online (free of charge or not) for you to be able to communicate effectively, which is paramount in security. You need to relate to customers who mostly got no clue what the hell you're talking about. Make it so easy that even a fifth grader would understand you. Above all, learn how to communicate in a very professional and cautious way, so you don't come across as snippy or judgmental, or simply piss someone off unintentionally with poor wording.
  3. Volunteer, CREATE EXPERIENCE FROM NOTHING: Volunteer for non-profit organizations, but most of all, if you want to become a pentester, volunteer for a hacking conference. I'm going to volunteer for BSides Columbus and I think it'll be one of the most amazing experiences of my life. You can network with the big guys in the industry, meet potential employers, get closer to the hacker community and create relationships that might help you in the future. Create a tech blog, like I do, create a virtual lab, play with it and tell the world: I DID IT! I shared my experience through my blog not to brag about it (my achievements are really limited compared to where I wanna be), but to prove what I can do beyond words, behavioral questions and meaningless blah blah. MY PHILOSOPHY IS ZERO EXCUSES. There's no job for me out there? Well, I'm gonna create the conditions for a job to pop up for me. I took any advice I received and performed all the needed steps (and much more challenging steps will have to come in the next months) because it's what I need to do. I never blamed anyone for my unemployment. I was focusing on the wrong thing. I was having a bunch of interviews and thinking: well it's only a matter of time. I shouldn't have waited for them, I should've networked more and maybe I'd find an opportunity even earlier. WHAT YOU SHOULD NOT DO IS USE EXCUSES TO JUSTIFY YOUR FAILURE. OWN IT! It's because you made the wrong choices! I went for one of these unsuccessful interviews and there was this guy who had to go in before me and something he said hit me. He said to the recruiter (we were introduced by a temp agency), "they didn't hire me for that position you tried to place me because I didn't know the software x. But how can I know this if I don't get hired?". It hit me, "Because it's the wrong mindset". Don't get me wrong, he was a nice guy and I hope he got that job, but that's the root of the problem.
     NO EXCUSES: if you know from the posting they want you to know a specific software, you spin up a VM and play with it and, if they ask you, you honestly tell them you played with it a little bit and you're anyway willing to learn. Turn it into a positive. GET OUT OF THAT BLACKHOLE.
  4. Be persistent: Keep at it, no matter what. There was a specific day over the last months when I had three or four rejection emails about interviews I thought I had done great. They came in all around the same time on that specific day. I really felt like crap, it hit me hard, but I didn't allow this to stop me. Even though I thought all I did was pointless, I kept writing, studying, posting, trying, I tried harder to prove them wrong, with yet greater determination, because I'm the one who decides whether to stop or not. Nothing external can stop me, neither events nor people. I knew that I had to keep going because I was doing the right thing. Someone was looking, it turns out; way more people than I would think possible. I'm grateful for all the support, feedback and recommendations I received over this journey and I want to reciprocate, that's why this post.
  5. Be humble and stay so: No one gives a damn about you, no one knows who you are, what your skills can be nor do they care about how awesome you are. You're a darn number, until you deliver something, show something, make a name for yourself. So don't expect someone to listen to you or give you a job only because you're so amazing or because you have an IT degree. Proven experience is gold in IT and you can be the best in the world, but, if you can't perform the task at hand, you're useless. Then, if you're arrogant, you won't go far. They'll throw you under the bus the first chance they have. Be a team player, especially in the US. Beyond the cliché, it's about being all on the same page, because helping one another goes a long way. If I screw you and you screw me, we all lose. Even when you reach high levels and keep going up, stay humble. My challenge here will be to keep showing my employer not only that they made the right choice, but that they made the best choice they could have and I need to deliver every day to prove I deserve this. I'm working in a startup, so this is paramount. I was a government employee ages ago. I had to totally change my mindset but there's also pros with working in a startup. At least I have room to express myself. I like LeBron James when he says in North East Ohio nothing is owed, all is earned. That's why he's the best player in the world. I need to thank each and every one of you for the support you gave me along this long journey. I now landed a new stage of my career, maybe the most challenging so far, but I'm looking forward to it.
External resources: 

https://www.youtube.com/watch?v=__lvS2pjuSg 
