Landing your first cybersecurity job isn't easy. Despite the massive "skills gap" or "workplace shortage," cybersecurity employers maintain high standards, often unwilling to compromise on qualifications. This might seem like a daunting barrier for those eagerly looking to start their careers in cybersecurity. However, I'm here to tell you there's light at the end of the tunnel. With dedication, focus, discipline, and a strategic approach to your career path, breaking into this field is achievable.
As someone who has navigated the turbulent waters of job hunting in cybersecurity, I speak from experience. In the past seven months alone, I've successfully secured two positions:
A penetration tester internship (DOD SkillBridge) in July 2023 (remote) (unpaid, but I still received my military pay and benefits)
A full-time senior penetration tester position in December 2023 (at a different company) (remote)
My journey wasn’t straightforward:
I applied to 100-140 positions.
I faced dozens of rejections and was ghosted just as many times.
I managed to attend dozens of interviews.
Even after securing roles, I continued to receive interview offers from other companies I applied to and cold calls/emails for positions that didn’t align with my interests.
Despite these challenges, I landed two desirable positions months before I was ready to start. This article is about sharing the 'secret sauce' of securing your first cybersecurity role. It's drawn from my own long, grueling, yet ultimately victorious journey. I aim to provide insights and strategies to help pave your way to success in this dynamic and challenging field.
Executive Summary
Embrace the 'Secret Sauce': Alongside technical skills, focus on essential soft skills like communication, personal branding, and networking. These attributes are pivotal in setting you apart from the competition.
Mastering the Fundamentals: Start with entry-level certifications like CompTIA's Network+, Security+, PenTest+, and CySA+. A college degree, while beneficial, is not a standalone ticket to success; hands-on experience is crucial.
Gain Information Technology (IT) Experience: Due to the rarity of entry-level cybersecurity jobs, begin with general IT roles. This experience is invaluable and often preferred by employers for more specialized cybersecurity positions.
Specialize with Purpose: Identify your area of interest within cybersecurity and conduct a gap analysis to align your skills with market demands. Advanced certifications and engaging in high-level projects will demonstrate your commitment and expertise in your chosen specialization.
Apply 'The Secret Sauce': Combine your technical skills with the personal and professional strategies discussed, such as effective résumé crafting and strategic networking, to make yourself a compelling candidate.
Stay Informed: Regularly update yourself with the latest trends in cybersecurity through diverse reading materials, podcasts like "Cybersecurity Headlines," and active engagement on platforms like LinkedIn.
Salary Negotiation Strategy: Understand the critical role of salary negotiation in your cybersecurity career. It's not just about personal gain; effective negotiation can influence industry standards. Equip yourself with tactics from resources like "Fearless Salary Negotiation" to confidently advocate for your worth, contributing positively to your career and setting a benchmark in the industry.
Continuous Learning and Adaptation: Cybersecurity is an ever-evolving field. Stay adaptable, continue learning, and be prepared to pivot between roles as needed.
Utilize Artificial Intelligence (AI) for Modern Job Hunting: "The AI Job Seeker's Handbook: Strategies for Success" is your guide to mastering the AI-driven job market. It equips you with strategies to harness AI for enhanced job discovery, sharpening your personal brand and expanding your professional network, transforming the way you approach your cybersecurity career search.
The Secret Sauce
Let's get straight to the point and discuss what you really need to know. I'll start with the most critical information, saving additional background details for later.
Your qualifications alone aren't enough.
Your technical skills are essential, but your soft skills often tip the scales in your favor. Soft skills, as defined by Will Kenton from Investopedia, are character traits and interpersonal abilities crucial for effective interaction. They are the yin to the yang of your hard skills - your technical knowledge and abilities. In the cybersecurity world, where technology and people intersect, being a likable, trustworthy, and helpful professional is invaluable.
Essential Soft Skills:
Customer Service
Personal Branding
Presentation Skills
Business Skills & Acumen
Life Long Learner Mindset
Teamwork and Collaboration
Marketing (for self-promotion)
Sales (to advocate for yourself)
Communication (both written and verbal)
Social Media (for self-marketing and networking)
The Art of Résumé Crafting
It's a common misconception that a neatly formatted list of job duties, education, and certifications is enough to secure interviews. The reality is far different. Crafting a résumé is an art that demands time and attention.
Here's what I learned:
Focus on Impact: Instead of listing job duties, highlight the impact of your work.
Attention to Detail: Proper formatting, free of typos and misspellings, is a must.
Quantify Achievements: Numbers speak louder than words. Quantify your contributions for greater impact.
Brevity is Key: Keep it under two pages unless you're aiming for an executive role where three pages are permissible.
Avoid Complex Layouts: Simple formatting ensures better compatibility with Applicant Tracking Systems (ATS).
Networking: A Powerful Job Search Tool
While I landed my first roles through direct applications, the power of networking cannot be overstated. It's often who you know, not just what you know, that opens doors. Making LinkedIn a part of your routine, engaging in professional discussions, and consistently showcasing your work can dramatically boost your visibility and opportunities. For instance, my regular updates on conquering Hack The Box (HTB) challenges have garnered attention for my work ethic and consistency.
The Reality of Entry-Level Cybersecurity Jobs
Contrary to popular belief, true entry-level positions in cybersecurity are scarce. The most feasible pathway often involves starting in a general IT role. My journey from a system administrator and help desk technician to a penetration tester is a testament to this approach. If you're not already in IT, aim for any role in this field first; it's a stepping stone to a cybersecurity career.
Technical Skills: The Cornerstone of Cybersecurity Careers
While "The Secret Sauce" highlights the importance of various non-technical aspects in our careers, it's crucial to remember that technical skills are the bedrock of a cybersecurity career. Think of these skills as the main dish and the non-technical aspects as the sauce that enhances but doesn't replace the core ingredient.
Step 1: Mastering the Fundamentals
Before diving into a specialization, it's essential to understand the universal fundamentals applicable to all cybersecurity roles. This foundational knowledge helps you identify your preferred specialization as you progress. Here's how to build this foundation:
Entry-Level Certifications: Start with CompTIA's Network+, Security+, PenTest+, and Cybersecurity Analyst (CySA+). While PenTest+ and CySA+ were once considered intermediate, the evolving job market now places them at the entry level. I no longer recommend CompTIA's A+ for 2024, as its value has diminished over time.
The Role of a College Degree: A degree alone is not sufficient to secure a job in today's market. I've seen even master's degree holders struggle to land interviews. For insights into the value of a cybersecurity degree, refer to my article "Is a Cybersecurity Bachelor's Degree Worth It?" While opinions vary, the trend shows an increasing preference for degrees in job listings, with some employers considering it a standard expectation.
Hands-On Experience: Practical experience with various tools and technologies is vital. Setting up a home lab might be challenging for beginners, so I recommend platforms like TryHackMe (THM) and HackTheBox (HTB) Academy for practical learning. My article "Choosing Your Cyber Dojo: A Deep Dive into Hack The Box vs TryHackMe" delves into these platforms in detail. Participation in Capture The Flag (CTF) competitions is highly regarded by employers and can be a talking point in interviews.
Step 2: Securing an IT Role as a Launchpad to Cybersecurity
Given the scarcity of entry-level positions in cybersecurity, gaining experience in general IT roles is a strategic move. This was the path I took, and it's a common trajectory in the industry. Here's why and how you can navigate this step:
The Rarity of Entry-Level Cybersecurity Jobs: It's a hard truth that pure entry-level positions in cybersecurity are rare. This makes general IT roles crucial for those aiming to break into the field.
Starting with IT Roles: Aim for any IT-related job once the fundamentals are down. Positions like help desk technicians are excellent starting points. System administrators are particularly valued, as many employers believe that a strong IT background is essential for understanding network and system security.
The Perception in the Industry: There's a prevailing notion that without IT experience, you might lack the practical knowledge to effectively secure a network. While some see this as gatekeeping, it's a reality in today's job market that you need to navigate.
Value of IT Experience: Landing your first IT job, even for a short duration, can provide experience directly transferable to cybersecurity roles. This experience is often viewed as more valuable than degrees, certifications, and lab work. A tenure in IT can be the most effective way to pivot into a cybersecurity career.
Experience as the Ultimate Credential: In the world of cybersecurity, hands-on experience often trumps academic qualifications and certifications. It's the practical, real-world knowledge that counts the most on your résumé.
Step 3: Honing in on Your Cybersecurity Specialization
Once you've grounded yourself in the fundamentals and gained some IT experience, it's time to pinpoint your specific area of interest in cybersecurity. This step is about transitioning from a generalist to a specialist. Here’s how you can navigate this crucial phase:
Identifying Your Specialization: Determine the role you're passionate about. Whether it’s penetration testing, security research, or cybersecurity analysis, focus on one maybe two areas. Being too general can actually hinder your job prospects. Employers value candidates with clear, focused aspirations evident in their résumés and interviews.
Conduct a Gap Analysis: Regularly review job postings for roles you aspire to. Identify the skills, knowledge, and certifications these roles require. This gap analysis will guide your next steps in skill development and certification.
Pursuing Advanced Certifications and High-Level Projects: Aim for advanced certifications and get involved in significant projects relevant to your chosen specialization. This demonstrates your commitment and depth of expertise. For instance, an aspiring penetration tester should consider the OffSec Certified Professional (OSCP). In contrast, a cybersecurity engineer might pursue certifications like CompTIA's Advanced Security Practitioner (CASP+, soon to be SecurityX), CISSP (Certified Information Systems Security Professional), CISM (Certified Information Security Manager), or CCNP – Security (Cisco Certified Network Professional – Security).
Leverage Specialized Resources: Look for resources tailored to your chosen field. For instance, my articles "From SysAdmin to Penetration Tester: My Path to SkillBridge Internship" and "How to Become a Cybersecurity Engineer: Ultimate Career Guide" on the HTB Blog provide step-by-step guidance and insights into specific cybersecurity roles.
Understanding the Diversity of Roles: Cybersecurity is a broad field with various roles like Governance Risk and Compliance (GRC), Digital Forensics Analyst, and Incident Responder. Each has its unique focus and skill set. Hybrid roles also exist, combining elements of different specializations.
Flexibility and Mobility: One of the beauties of cybersecurity is the flexibility to pivot between roles. The foundational skills are often transferable, making it feasible to shift specializations as your interests and the job market evolve.
Step 4: Apply The Secret Sauce
With the technical skills, knowledge, and credentials for your chosen specialization in hand, it's time to enhance your profile with 'The Secret Sauce.' This blend of soft skills and personal branding is crucial for standing out in the cybersecurity job market.
Think of it this way: you're now like baby back ribs that have been perfectly cooked – tender and ready. But without the BBQ sauce, they lack that final touch that makes them irresistible. Similarly, 'The Secret Sauce' is what transforms a qualified candidate into a compelling one. It's the difference between just satisfying the basic job requirements and truly captivating potential employers.
You've put in significant effort to reach this stage. Now, focus on refining and showcasing those extra qualities discussed in this article. Enhance your résumé, build your personal brand, and sharpen your interview skills. It's these elements, combined with your technical expertise, that create the full package that employers are eagerly seeking.
Remember, 'The Secret Sauce' isn't just a decorative touch; it's what adds flavor and distinction to your professional persona in the competitive world of cybersecurity.
Misconceptions of Landing a Cybersecurity Job
When I transitioned from the Air Force, I was confident about quickly securing a civilian cybersecurity position. The industry's reported 0% unemployment rate and the millions of unfilled jobs seemed to guarantee a smooth transition. With my substantial background – 6 years in Cyber Defense Operations, a Bachelor's degree in Cybersecurity, 11 industry-recognized certifications, and notable rankings on Hack The Box and TryHackMe – I considered myself more than ready, perhaps even overqualified, for many roles.
However, the job market had different plans. Rejection emails and unreturned calls from companies were common experiences. What I had perceived as being 'overqualified' turned out to be merely meeting the qualifications. This realization was a wake-up call, underscoring the importance of hard work and consistency. It became clear that the effort required to be 'qualified' was far greater than I had initially assumed, and the attention to detail mattered immensely.
Previously, I believed that a combination of a college degree, a few years of IT experience, and some certifications would be a surefire entry into cybersecurity. This assumption was off the mark. Despite my detailed blog post "How to Get Into Cybersecurity (and Other IT Fields) With No Experience," I overlooked critical aspects that I now refer to as the 'Secret Sauce.'
My earlier "How to Break into Cybersecurity" article, written before I had actively engaged in the civilian job market, contained valuable information but missed key non-technical elements such as résumé crafting and interviewing skills. Joining the military as a Client Systems Technician had its own set of challenges, distinct from those in the civilian job market. This experience made me realize I wasn't fully equipped to guide others in securing a civilian cybersecurity role.
This revelation is why I am revisiting the topic. I aim to fill in the gaps, offering a more comprehensive and practical guide based on my direct experiences in job searches. The lessons I've learned are not just about having the right qualifications but also about understanding and navigating the nuances of the job market in cybersecurity.
How I Approached Job-Hunting
My objective was clear: secure a full-time position as a penetration tester. This focus shaped my job-hunting strategy, from my résumé to how I managed interviews.
Résumé Strategy
Contrary to common advice, I took a risk and sent the same résumé to every potential employer. My résumé was crafted to align with penetration testing roles universally, so I felt confident it would resonate with most positions in this domain. This approach paid off; I consistently scored high on AI résumé scanners, with a match rate never dipping below 60%. Balancing a full-time military role, college work, content creation, and preparing for the OffSec Experienced Penetration Tester (OSEP) certification left me with little time to customize my résumé for each application. My "master" résumé, which performed well in AI assessments, seemed sufficient for my needs.
While I chose a non-traditional route by using the same résumé for all applications, my strategy was underpinned by thorough research and the use of specialized tools. I discovered that noobvillage.org/resumes offers an exceptional resource hub specifically for crafting IT and cybersecurity résumés. This advice, coming directly from professionals in these fields, is more relevant and effective compared to general résumé guidance.
To further refine my résumé, I turned to AI assistance. ChatGPT played a crucial role in polishing my résumé bullets. I would draft the initial version, and then ChatGPT helped enhance them, ensuring they were impactful yet retained a personal human touch.
Another invaluable tool was resumeworded.com. This AI-powered platform assesses your résumé and suggests practical improvements. I started with a score in the 70s, but after dedicating half a day to this tool, I boosted my résumé score to an impressive 96 out of 100. The platform's effectiveness also extends to LinkedIn profiles, making it a comprehensive tool for anyone looking to create top-notch résumés and profiles. Actual résumé I sent to job applications:
Cover Letters: A Personalized Touch
In contrast to my résumé, I tailored each cover letter to the specific company and role. This approach was fruitful; the technical interviewer at the company I decided to join complimented my cover letter, highlighting its impact.
Here is one of the cover letters I sent:
Each letter followed a consistent structure: the same introduction and conclusion, with customized bullet points that were tailored to the job requirements. This strategy, inspired by Andrew LaCivita’s advice, was slightly adapted to accommodate the extensive qualifications often demanded in cybersecurity job postings.
Some AI tools will write cover letters for you, but in my opinion, they are all pretty bad. I used ChatGPT to help me get ideas to craft bullet points, but I had to significantly modify the bullet points it gave me. Overall, your cover letter strategy should be written by hand and personalized to the company as much as possible.
Interview Tactics
Admittedly, my approach to job descriptions was unconventional. I only read them after receiving an interview invitation. My rationale was simple: if recruiters only spent a moment on my résumé, I would reciprocate this treatment when reviewing their job postings. Upon securing an interview, I would then thoroughly research the job description and the company. This strategy was feasible due to the similarity among penetration testing roles. Beyond just reading the job description and company background, preparing for common interview questions is crucial. Questions like "Why do you want to work here?" or "What are your salary expectations?" are typical. (I'll delve deeper into salary negotiation later in this article.) If you have customer service experience and can handle social interactions under pressure, you're already at an advantage. However, for those with social anxiety, practicing through mock interviews with friends, family, and peers is highly recommended. Despite being fairly comfortable with verbal communication, I sought to further refine my interview skills. I read several books, each offering unique perspectives and strategies:
Knock 'em Dead Job Interview: How to Turn Job Interviews Into Job Offers
My Rating: 5/5
This book is universally applicable and was my favorite. It goes beyond the interview itself, covering pre- and post-interview strategies, including dressing appropriately and follow-up etiquette. Its comprehensive advice makes it an essential read for anyone serious about their career.
My Rating: 4/5
Tailored to cybersecurity interviews, this book offers specialized insights. However, don't rely solely on memorizing its example questions; in my experience, many weren't asked in real interviews. It's a valuable read for cybersecurity aspirants, but remember to use it as a guide rather than a script.
What I Wish EVERY Job Candidate Knew: 15 Minutes to a Better Interview
My Rating: 3.5/5
This concise book offers actionable advice that can be quickly absorbed. Ideal for a quick refresher before interviews, its brevity means it's more of a supplemental resource than a comprehensive guide.
How to Answer Interview Questions: 101 Tough Interview Questions
My Rating: 3/5
While informative, this book tends to be repetitive. The depth of discussion on each question diminishes as you progress, making it less engaging. It's a useful resource if you still feel unprepared after exploring the other books, but it is not as critical as the others.
Salary Negotiation: More Than Just a Paycheck
Salary negotiation is a critical yet often underestimated aspect of job hunting. For me, cybersecurity is about passion, not just a paycheck. However, earning a salary that reflects my worth remains a key goal. It's about finding the balance between financial reward and aligning with a company that shares my values and professional aspirations. Remember, opting for a lower salary with the right company can be a strategic move, but it doesn't mean undervaluing yourself.
Negotiating Salary: Expectation vs. Reality
A common error in job hunting is not negotiating salary at all. Most employers anticipate negotiation and respect candidates who advocate for themselves. It's a misconception that asking for more could lead to a rescinded job offer. In fact, most employers expect job candidates to negotiate their salary. Because of this, the initial offer employers give is typically on the lower end of the budget for a role. Your objective? Nudge that offer towards the higher end of the projected budget. But how?
Fearless Salary Negotiation: A step-by-step guide to getting paid what you're worth (Book)
My Rating: 5/5
This book was a game-changer for me, especially its concept of "determining your aggression factor." The guideline to request at least 10%, and possibly up to 20%, more than the initial offer is a standout. It's a comprehensive guide from pre-negotiation to the final stages.
Salary Negotiation: How to Negotiate a New Job Offer (Pro) (Udemy Course)
My Rating: 4.5/5
Thanks to an Air Force benefit, I accessed this insightful Udemy course for free through Digital University, which includes many Udemy courses. For those considering cost-effective alternatives, Hopkinson's book, "Salary Tutor: Learn the Salary Negotiation Secrets No One Ever Taught You," offers the same valuable content at a fraction of the price. Although I haven't read the book, its content mirrors the course, making it a recommendable resource. The course is informative, yet I found some scripts slightly unrealistic and noted a lack of strategies for email counteroffers, which I believe are highly effective.
Negotiating Your Salary: How To Make $1000 a Minute (Book)
My Rating: 4.5/5
While it shares valuable information, it strongly advises against email negotiations, a method I found effective. Reading various perspectives is crucial to developing a negotiation style that resonates with you. Overall, the book has very good advice, whether you choose to negotiate in person, over the phone, or via email.
71 Brilliant Salary Negotiation Email Samples (Book)
My Rating: 3.5/5
It lacks guidance on handling counteroffers or rejections. The book primarily features successful negotiation scenarios, which might not always reflect real-life situations. However, despite some overly specific scripts, it's a useful resource for email and phone negotiations.
The Imperative of Salary Negotiation
Negotiating your salary in the cybersecurity field is not just a personal matter but can also contribute to setting broader industry standards. While an individual's negotiation might not drastically shift the entire industry's pay scale, collectively, when more professionals advocate for fair compensation, it can lead to a gradual uplift in salary standards over time. Therefore, never settling for the first offer and aiming for a reasonable increase not only benefits you but can also subtly influence the market norms.
Negotiating salary, particularly in a specialized field like cybersecurity, is a crucial skill. It might feel daunting at first, especially since the art of negotiation doesn't come naturally to anyone. However, with the right resources and strategies, this skill can be developed and refined. Every successful negotiation you undertake not only benefits your career but also, in a small but meaningful way, helps out the rest of us, who are also cybersecurity employees.
Key Points for Successful Salary Negotiation:
Deflect Early Salary Questions: When asked about your expected salary, aim to defer the conversation until after a job offer is extended. Use responses like: "I'm looking for fair compensation that reflects the value I bring, my skills, and the responsibilities of the position." If pressed further, you can say, "At this stage, it's challenging to pinpoint a specific number without a full understanding of the role."
Turning the Question Around: If the interviewer persists, you can redirect by asking, "Can you share the budgeted range for this role?" This tactfully shifts the focus back to the employer.
State Your Range if Necessary: If you're still pressed for a figure, provide a wide range, with the lower end at least 10% higher than your actual minimum. Example: "I'm considering roles in the $X to $Y range based on my market research and the responsibilities I've encountered so far."
Conduct Thorough Market Research: Investigate publicly available salary data and consult with industry peers to understand the standard compensation for your target position.
Don't Rush Your Decision: Never accept a job offer immediately. Take your time to consider the offer and prepare a counteroffer if needed. Job changes are significant life decisions and should be made thoughtfully.
Express Gratitude for the Offer: Always show appreciation for the offer, regardless of whether you plan to negotiate for a higher salary or better benefits.
Focus on Value, Not Need: When negotiating for more, emphasize the value you bring to the organization rather than your personal financial needs.
Staying Updated On Emerging Trends
Keeping abreast of the latest developments in cybersecurity and technology is essential for your success in this rapidly evolving field. Regularly engaging with a variety of informational sources is key. Here's how you can stay informed and sharp:
Diverse Reading Materials: Immerse yourself in books, news articles, and journals relevant to cybersecurity. This broadens your knowledge and keeps you informed about the latest trends and threats.
Podcasts: Incorporate cybersecurity podcasts into your routine. For example, "Cybersecurity Headlines" by the CISO Series offers daily updates and insights, making it a valuable resource for busy professionals.
Social Media Engagement: Platforms like LinkedIn are invaluable for staying connected with industry leaders and news. Following prominent voices in cybersecurity can provide you with timely updates and diverse perspectives.
Preparing for Interview Questions: It's common to be asked how you stay updated in the field during job interviews. A well-rounded answer could be something like: "I maintain my skills through continuous certification and practical engagement with platforms like Hack The Box. For news, I listen to 'Cybersecurity Headlines' daily and read the 'CompTIA Smart Brief' every other day. Additionally, I actively follow top cybersecurity influencers on LinkedIn, which is often the first place where breaking news appears."
Bringing It All Together: Charting Your Path in Cybersecurity
As we reach the end of this guide, it's clear that breaking into cybersecurity in 2024 is a journey that demands not just technical acumen but a holistic approach to personal and professional development. From mastering the fundamentals to specializing in a niche and from crafting an impactful résumé to negotiating your salary, each step is a critical piece of the puzzle in carving out a successful career in this dynamic field.
In charting your path in cybersecurity, don't overlook the transformative role of technology in your job search. "The AI Job Seeker's Handbook: Strategies for Success" is an essential read that unveils how to skillfully navigate the modern job market using AI. This handbook offers a treasure trove of strategies - from leveraging AI for job matching and interview preparation to building a standout personal brand and effectively networking using social media. It’s not just a guide; it's a roadmap for employing advanced AI techniques to ensure your job-hunting approach is as cutting-edge as your cybersecurity skills.
In the ever-evolving landscape of cybersecurity, your journey doesn’t end with securing a job. It's a continuous process of learning, adapting, and growing. Staying informed about emerging trends, being an active member of the cybersecurity community, and constantly refining your skills are what will set you apart in this competitive field.
Remember, the path to a successful career in cybersecurity is unique for everyone. Your journey will be shaped by your choices, experiences, and the dedication you bring to each step along the way.
As you embark on or continue this journey, carry with you the lessons, strategies, and insights shared in this article. Use them as a compass to navigate the complex but rewarding world of cybersecurity. Your path is yours to chart, and the tools and knowledge you've gained here will be your guide to a fulfilling and successful career in this vital and exciting industry.
Disclaimer: All links to Hack The Box, Hack The Box Academy, and Amazon in this post are affiliate links. This means that if you make a purchase through these links, I may receive a commission at no additional cost to you.
Your support through these purchases helps me continue providing valuable content. Thank you!