Breaking into the Information Security Industry

What made you decide to get into cybersecurity?

Cyber Operations Analyst 1: I decided to get into cybersecurity a few years ago because I have a lot of friends in the industry who are software developers. I have been a professional educator for almost a decade now, and I have a lifelong passion for learning and problem-solving. My analytical side has always been drawn to this kind of work. In talking with my friends who work in the industry, I became aware of the deficit of experienced individuals with the skills to do this work and decided to take the plunge.

Cyber Operations Analyst 2: Two years ago, I planned to pursue a Ph.D. in criminal justice. As I went through my Master's program, I realized that the academic life was not for me, and I needed to pursue something new. I still wanted to work in a field related to security, and I was drawn to cybersecurity because I also heard about the talent deficit. I decided I wanted to train and become one of those people that helps others secure their networks and web applications. I hadn't thought about it before because I wasn't interested in programming, and until I started looking into it, I didn't have a good idea of what it meant to be in cybersecurity. Now I realize just how vast and diverse the career opportunities are in this industry.

Was it challenging to land your first job, and what was your experience with the interview process?

Cyber Operations Analyst 1: The job search process always feels like forever to me. But from a birds-eye perspective, it did not take long to start finding possible job opportunities in the industry. As far as networking, having friends who have a job, not just in the security industry but in tech in general, goes a long way. When I was starting out, I enrolled in an educational boot camp program that enabled me to create a strong network of like-minded individuals on a similar trajectory. It also helps to volunteer or take any opportunity to be involved in the industry to gain experience working on projects and working with other people in the industry to help you continue developing competencies and meet the right people to help you on your journey.

Cyber Operations Analyst 2: I had trouble finding entry-level jobs. There were a lot of senior-level positions that had long wish lists around desired years of experience, earned credentials, and skills that they wanted from applicants, but all of my resources told me to apply anyway. I think the job search is a beast of its own, and I believe that having a solid network of connections was very helpful to me in finding a job.

What kind of training or preparation did you do before submitting your first job application?

Cyber Operations Analyst 1: Education-wise, I focused on becoming familiar with different operating systems, and I had a lot of exposure to commonly used tools for the security industry. I began by familiarizing myself with those tools, taking introductory courses, and studying the topic of networking. It's also a good idea to join a Discord group to practice Hack The Box with other experienced individuals or those still learning IT security and honing their skills. This helped me meet people and have conversations about what it takes to break into the industry, what skills are most sought after, and how to develop them.

Cyber Operations Analyst 2: My advice is to look at LinkedIn for people that have the position you want. Look at their profile to see their credentials and certifications, and then maybe reach out to them. Many people are willing to help you by giving their advice and sharing their own experiences around the cybersecurity industry and how they entered. There are also large communities on Twitter, YouTube, and Discord that one can join to ask questions and get advice. I would recommend resources like Hack The Box, PortSwigger Web Academy, PentesterLab, Pentester Academy, etc., which teach you some of the tools and techniques specific for penetration testing roles in particular.

Why do you think this industry is so welcoming to individuals looking to break into the Information Security industry?

Cyber Operations Analyst 1: While there will always be some element of competition when you know people are competing for jobs, it seems that the tech industry (even beyond the security industry) is a very open and generous community. When it comes to sharing knowledge, they recognize that this knowledge share helps everyone in the end.

Cyber Operations Analyst 2: Because these forums are outside application-based, you are not competing with these people; you are just learning from them. It has a different 'vibe,' for lack of a better word. The atmosphere is different than if I knew I was competing with you.

Is there any training, certifications, or other prep-work you wish you had done early on?

Cyber Operations Analyst 1: I did spend time using a lot of great resources online to study and learn. Still, I wish I had spent about 500% more time developing my methodology and the level of organization that I bring to each engagement. To me, that is the most crucial piece. To some degree, it develops organically over time depending on what kinds of engagements you are doing and what type of reporting framework you are working within. So there is always more to learn!

What is the best part of your job?

Cyber Operations Analyst 1: I would say that working in an industry or for a company with lots of friendly, interesting people is always satisfying. From a technical standpoint, the most enjoyable part of the job is getting a little window into lots of different kinds of applications used in various industries. In what other line of work can you be subversive without actually harming anybody, and at the end of the day, know that you helped people and organizations make their business in the tech world more secure?

Cyber Operations Analyst 2: The best part of my job is that every engagement is different, and finding a new or rare vulnerability is the most fun. You can come to each engagement with the same methodology, but the results will still be different every time. That's what I find most exciting and rewarding about my job.

Is the work what you expected it to be?

Cyber Operations Analyst 1: More or less, yes. The only thing that surprised me, and in a good way, was how colorful a cast of characters there is doing this work. Everyone has a different background and experience to bring to the table, and I'm glad to work with such an interesting and fun group of people.

Cyber Operations Analyst 2: It's about what I expected, yes. Reporting gets a reputation for not being as exciting as in-the-field penetration testing work, but I enjoy writing and reading reports because I learn something new from every report.

What advice would you give to your younger self or somebody else looking to break into the industry?

Cyber Operations Analyst 1: Don't be afraid or intimidated by approaching a whole new field. There is tons of information and knowledge out there available for learning. Blaze ahead because there are jobs to be had. Enjoy the learning journey along the way because there is a lot to learn. Drink in the knowledge because there are learning opportunities around every corner.

Cyber Operations Analyst 2: Remember the people you meet along the way because they may help you later on. Always be kind, and nurture your network, including those on the same journey as you are on (classmates, collaborators, etc.). It is always easier to reach out to someone who at least knows you a little bit than to reach out to a total stranger. With so much information, remember to pace yourself to avoid burnout. There is a lot to learn, but know that the process of learning is fluid and ongoing in this industry, and good employers will help to foster your education and research.