Competing for a Cybersecurity Role

I spend a good amount of time in several IT and cybersecurity Discord servers, and a very common question that is asked is, “How do I get a job in cybersecurity?” Those who ask this question are usually high school or college students chasing the money or are career transitioners seeking to transition into a different field. Regardless, obtaining a cybersecurity position is very difficult in today’s job market, so I am writing this article to assist anyone in transitioning into a highly competitive field.

The Big Lie About Cybersecurity Jobs

Whenever I scroll through my feed on Instagram Reels or YouTube Shorts, I often see videos in which computer science graduates complain about the current technology job market and how difficult it is to obtain a job. Unsurprisingly, the comments and replies on those videos always say to “transition into cybersecurity” because “you can make a lot of money” and “it is easy.”

I want to clear that misconception right out the gate. Cybersecurity is not an entry-level field, and obtaining a cybersecurity role as your very first IT job is an extremely rare circumstance. Most employers look for prior IT work experience because it is important to know what is operationally normal within the organization before you transition into a cybersecurity role. For instance, without context, a university housing coordinator installing remote access software is suspicious, but if you know that the third-party vendor that provides housing services to your university uses that remote access software, then you would know how to detect and secure its use from malicious activity. This is very difficult to replicate in a home lab, hence the years of experience requirements placed by employers on job descriptions.

In short, whenever you see the words entry-level and cybersecurity combined together (admittedly, I often combine them together as well), just know that there are certain prerequisites, experience requirements, and qualifications you need to meet before you are even considered for the position.

Competing for Cybersecurity Roles

You might be asking yourself, “If cybersecurity is not an entry-level field, how do I get a cybersecurity position then?” You can do so through work experience, volunteer work, degrees, certifications, and projects. From there, you sharpen your resume and your interviewing skills and obtain a referral (if possible).

1. Gain a Competitive Edge Over Others

There are many ways to gain a competitive edge over others for a cybersecurity role.

• Work Experience: This is the most obvious way to gain a competitive edge over others for a cybersecurity role. Working a customer service job may not be cybersecurity-related, but that work experience can lead to a help desk role, which can, in turn, lead to a cybersecurity role in the future (this is how I got in).
• Volunteer Work: Although this does not remove the requirement for relevant work experience, volunteer work can be a boost to your resume as it shows your compassion, sympathy, and empathy for others without expecting anything in return. Resume screeners are still human and have emotions, so placing volunteer work may differentiate you enough from others to give you that competitive edge you need.
• Degrees: Although the use of degrees as a qualifier for cybersecurity roles is steadily declining, most companies still require or ask for an associate’s or bachelor’s degree from an accredited university. The main problem behind degrees is that employers do not know what you actually learned because they cannot audit the content covered in the courses of a university’s degree program. However, degrees do let employers know that an individual is well-rounded in terms of knowledge and is able to meet deadlines.
• Certifications: For those who are unable to afford a higher education degree or absolutely despise the idea of higher education, certifications can give you a structured learning path for a particular skill, tool, service, or platform. As of this writing, I currently have 9 certifications, and each certification has given me essential skills and knowledge to succeed in a cybersecurity role. The main problems behind certifications, however, is that they are expensive out-of-pocket and they can be cheated. Fortunately, many employers pay or reimburse their employees for certification exam vouchers, and a certification cheater can always be caught using technical questions in an interview.
• Projects: If every applicant has relevant work experience, a bacehlor’s degree, and one or two certifications, how can someone differentiate themselves from the competition? The answer is through projects, which are a very fun and creative way to diversify your skillset. Projects are an easy way to gain hands-on experience without actual professional work experience. Additionally, posting your work on GitHub or creating a blog (such as this one) can serve as documentation that you learned a valuable skill.

Speaking of degrees, is a degree in IT or cybersecurity worth it?

It depends on who you are speaking to. Personally, I think an IT or cybersecurity degree is worth it if and only if you can afford one and if you value network connections a lot. Other than that, most university degree programs fail to incorporate hands-on practice with tools and skills relevant to the IT and cybersecurity industries. If they do, then they are usually outdated by 1-3 years. Personally, I am fortunate enough to attend university at no cost, and I am grateful for the job opportunities my university has given to me to work for its IT Help Desk and Security Operations Center. However, not everyone can afford higher education, which is why I also recommend other ways to gain a competitive edge over others in the cybersecurity job market.

Speaking of certifications, which certifications should I get?

This is a very common question asked in the community Discords I regularly frequent, and although certifications do not guarantee a job, they can still give you a competitive edge over others. I recommend these certifications if you looking to diversify your skillset and beat the competition.

• CompTIA Network+/Cisco Certified Network Associate (CCNA): Networking skills and knowledge are essential to a successful career in IT and cybersecurity, and CompTIA’s Network+ or Cisco’s CCNA can give you the skills and knowledge required to do so. Keep in mind that the Network+ covers networking foundations at a very high-level, while the CCNA covers Cisco CLI configuration and intermediate networking skills and knowledge. Thus, if you see yourself working with network equipment, then the CCNA will prepare you for such roles.
• CompTIA Security+: This certification is a prerequisite for most cybersecurity jobs. The U.S. federal government seems to agree, as it is required under Department of Defense directive 8140 for entry-level cybersecurity positions.
• CompTIA CySA+: If you see yourself as a blue teamer, then the CySA+ can give you a good introduction to the day-to-day life of a cybersecurity analyst. I wrote a blog article about it.
• Splunk Certifications: In addition to the CySA+, I highly recommend Splunk’s line of certifications, which can validate your skills and knowledge in one of the most popular SIEMs in the world. I wrote a blog article about the Splunk Core Certified Power User exam.
• TCM Security Certifications: TCM Security is a company owned by Heath Adams, known as The Cyber Mentor online. Their training and certifications are world-class, and they teach valuable hands-on skills that are applicable to real-world environments.
• Offensive Security (OffSec) Certifications: OffSec is arguably the most famous red team certification provider in the world, with their OSCP being the most sought for penetration testing certification by employers. However, OffSec’s certifications are very expensive, which is why most individuals seeking to be OffSec certified let their employers pay for the associated exam vouchers and/or training.
• SANS/GIAC: SANS is a cybersecurity training institute that is considered to be the gold standard for cybersecurity training worldwide, and GIAC is SANS’s certification entity that certifies individuals who go through SANS’s training. Like OffSec, SANS/GIAC’s certifictions are very expensive, with training and the associated exam voucher costing over $8000 in total, but nothing can compare to the quality and reputation of SANS/GIAC certifications.
• Cloud Certifications: Almost all medium-to-large-sized businesses use one or more public cloud service providers, such as AWS, Microsoft Azure, and Google Cloud Platform. In the near future, cloud experience will be a must, so going through a cloud services provider’s certification paths are a good idea even if the cloud will not be your main specialty.

Speaking of projects, what are good ideas for beginner projects?

If you are into system administration and blue team work, then I highly recommend building a home lab using physical devices or virtual machines (VMs). If you cannot afford physical devices, then I recommend designing and creating a VM home lab based on Tony Robinson’s Building Virtual Machine Labs: A Hands-on Guide (Second Edition), which is completely free to read and use. Once you are finished creating the VM home lab explained in the textbook, you can expand on it or tear it down completely and build your own VM home lab using your newly acquired skills and knowledge. If you are interested in scripting, then I highly recommend learning Python or a scripting shell such as Bash or PowerShell.

2. Write an Effective Resume

If you have not written a professional resume recently, you may be unfamiliar with what an Applicant Tracking System (ATS) is. In essence, an ATS is a tool that many large companies use to automate the process of ingesting, parsing, and flagging resumes that match specific keywords or qualities that align with what the company is looking for. In other words, if your resume is not ATS-compliant or does not include the specific keywords or qualities that the ATS is looking for, your resume will be thrown out before a human ever reads it. So how do you bypass the ATS?

• Use Microsoft Word or Google Docs to create the resume.
• Submit the final draft of your resume in .pdf form to retain formatting. Other formats such as .doc, .docx, .txt, and .html may be inadvertently altered before a human reads your resume.
• Tables can result in ATS ingestion errors, causing the ATS to miss key skills listed on your resume. Thus, avoid the use of tables as much as you can.
• Logos and images can also result in ATS ingestion errors, and the use of self-portraits and headshots may unfortunately lead to discrimination based on facial features, sex, or skin color.
• Use Serif or Sans Serif fonts such as Times New Roman, Tahoma, Verdana, Arial, Helvetica, Calibri, Georgia, Cambria, Gill Sans, or Garamond with a font size of 10 or larger.
• Use predictable headings for each section of your resume such as “Education” for your degrees and “Work Experience” for your work experience.

If your resume is flagged by the ATS for human review, it is important to let the resume screener know about your key accomplishments and skills.

• Keep your resume short. As a general rule of thumb, a resume screener spends only 7-10 seconds skimmming through your resume before moving on to the next. This means that you have only a short amount of time to impress the screener enough to convince them to pass your resume to a hiring manager. Aim for 1-2 pages at maximum unless your resume is for a U.S. federal government job.
• Keep your resume concise. Do not list every programming language known to man. That does not tell a resume screener what you actually know, and you may be accused of dishonesty if you do so, especially if your resume looks as if you tried to blatantly bypass the ATS with keyword stuffing. Additionally, saving a company $25,000 every quarter is a good accomplishment, but how did you accomplish that? A resume screener wants to know not only what you did, but how you did it.
• Proofread your resume. Typos, grammar mistakes, and punctuation errors make your resume difficult to read.
• If you place a skill or topic on your resume, it is fair game to be asked in an interview. Do not place topics you are unfamiliar with on your resume. You will most likely fail the interview if you do so.

All of these resume tips and tricks come from Asa Hess-Matsumoto’s ByteBreach blog article.

3. Obtain a Referral

According to multiple sources, 60% of jobs are found through networking, employee referrals count for 30-50% of all new hires, and a referred candidate is hired about two-thirds of the time. What does this mean for you? Network, network, network! I cannot stress enough the importance of building your professional network and obtaining referrals from cybersecurity professionals already working in the industry. A single referral can get your foot in the cybersecurity door, regardless of your prior work experience, degrees, certifications, or projects. So how do you get a referral?

• Go to a cybersecurity conference and meet people. As long as you are approachable, friendly, and not an overall jerk, security professionals are always willing to talk about their career stories and their current position. If you find vendors that are recruiting for entry-level roles, talk with them!
• Check with friends and family. You may have a connection inside a company if a friend or family member already works there.
• Build a professional network on LinkedIn. You can build a professional network on LinkedIn and ask to speak with recruiters for more details about a position or with cybersecurity professionals for a quick 15 to 30-minute chat. You may not get a referral out of this, but you will be remembered as a self-starter.

4. Sharpen Your Interviewing Skills

I wrote a blog article that contains a list of HR and technical questions for entry-level cybersecurity roles.

I received no response from an employer after I applied or have been speaking with them for a while. What do I do?

It happens to all of us. Do not let it discourage you. There are a myriad of reasons why an employer suddenly ghosts you even if there is repeated back-and-forth communication between both of you.

• There may have been department cutbacks or budget cuts that forced the employer to terminate the position before anyone is hired.
• Internal politics may have led to an internal candidate winning the position.
• A referral from an internal employee may have given another candidate the position.
• There was another candidate that had work experience, skills, and knowledge more aligned with business needs. An important thing to note is that a “more skilled” or “more experienced” candidate may not win a position if another candidate with less experience has skills directly related to what the business actually needs.

Personally, I have had applications declined within 24-72 hours of submission, while my other applications were ignored and I was not given a rejection notice until the job posting was taken down. Regardless, I never let application rejections discourage me, and as a result, I am now working as a SOC Analyst for my university.

Final Thoughts

The cybersecurity job market is highly competitive, but it does not have to be if you make the correct career decisions. Invest in your future career in cybersecurity now by gaining the relevant skills, knowledge, and qualifications needed to be competitive for a cybersecurity role.