I suppose one could say that I’ve been doing this far too long, and I’ve gained some knowledge about how the cybersecurity industry works, and how people succeed or fail at the field. To give back to newcomers, I recently opened up a Calendly to do ad hoc career mentoring, in addition to the career events and clinics that I run at conferences. Cumulatively, I have been doing a lot of mentoring of folks over the last several years, and I’ve seen some interesting trends and commonalities it might be useful for me to air for my readership’s consideration.
Everyone has trouble choosing a niche. It’s true. I speak to so many people who think they are a special case with a unique problem because they’re interested in multiple fields of cybersecurity. They find penetration testing and malware reversing fascinating. Or they can’t choose between incident response and G.R.C. This is a ubiquitous problem in a field filled with curious, creative, and stubbornly unique people – many of whom are neurodiverse. The advice I have to keep giving over and over again is that you truly will have to eventually choose a niche. You can stay a generalist at a small company, but it will deeply restrict your ability to dive deeply into anything as you are swept up in mundane day-to-day tasks.
I know this seems demoralizing to some people. We all want to learn everything! Here’s some consolation – not a single credible and honest cybersecurity expert out there is a specialist in more than one or two niches. Not me, not that person on social media you admire – none of us. We all have to know people who are experts in other areas. There is just too much to know that changes far to fast in 2023. That doesn’t mean you have to tune out other niches. It is still helpful to learn bits and pieces of other niches to have a better comprehensive understanding of your own. You can still play in another as a side project or hobby. However, eventually we all do have to make a choice in order to have a coherent career track and resume, focus on the right training and certifications, and just be able to manage it all. I’ve seen people who put this off for ten or twenty years run into deep and continual problems in getting hired. Of course, your mileage may vary.
Yes, some job postings are ridiculous. There are companies out there posting for impossible unicorns with absurd experience. That isn’t a reason to not apply. You should always tune your resume to the position you are applying for (they say what they want in the posting!), and give it a shot even if you don’t meet every requirement. It’s a wish list, and it can be heavily mis-targeted by HR. Always give it a shot, anyway.
There isn’t a magical template I can give you to “fix” your resume. I’ve written, spoken, and vlogged a lot about resumes and their pitfalls. I hope these are useful tips that can help you get your content in line and avoid some common causes for rejections. However, two important points: resumes have substantial style trends that change quite routinely, and resumes should be tuned and customized to the role and position you are applying for. Your template from 5 years ago is out of date and might not appeal to HR today. That resume you used to apply for a SOC analyst job is not the one that will get you noticed for a forensics job. Seek a mentor to technically review your content, and seek help from a professional, certified resume editor to get the stylistic stuff banged out. You should be routinely keeping your resume up to date, and that includes full professional rewrites and restyles at intervals.
You should probably be talking to a mental health professional. Not a lot to say here, but we have all been deeply impacted by the past three years and the changes and new stressors to our lives. I can be a good ear as a mentor, and I can probably ferret out some reasons you’re having trouble focusing, or selecting a career path, or not asking for proper compensation. However, I can’t reach and solve the root causes of those things as well as a real therapist. Seeing someone doesn’t require you to have experienced a major trauma you can name. It’s just good hygiene, like brushing your teeth or using a password manager.
We’re in a hiring downturn, but it isn’t universal. There are some regions doing more cybersecurity hiring than others right now (the last year has brought an uptick in European staffing, with a downturn in the US). There are roles and levels of seniority in more demand than others. If your top concern is just getting hired in cybersecurity right away, I highly recommend you research what’s in demand in your city or region, and other potential regions you might be interested in working in. If you’re looking at a move, it might be the time to just get your foot in the door somewhere so you can do local in-person networking. It’s not time to despair, it’s time to be adaptable and creative – there are still tons of open roles in cybersecurity. Find out who is hiring for what, and where. For example, malware reverse engineering and ICS security are still woefully understaffed – and not a lot of people want to put in the effort to do them well.
There are a few truly horrible employers out there in the cybersecurity space. They manage to retain a lot of credibility through lawyers, take down orders, and hiring popular names. I talk to miserable people repeatedly at some of them. I clearly cannot name these organizations for legal reasons, and the employees are in an equal bind. Instead, allow me to tell you some red flags that you should not allow yourself to be gaslit about:
– Anything -ism. Sexism, racism, ageism, transphobia, homophobia, classism. Treating people inequitably in work merely because of a protected characteristic they cannot control, or expressing favoritism. There can always be a poor manager or IC at any organization. The red flag is when this culture is continual and leadership and HR do nothing to step in, create enforceable policies, or have real conversations about it.
– Lack of meaningful and approachable HR in general. Even a small startup should have a person who can address complaints.
– Lack of meaningful written feedback, or not knowing where you stand. If you’re repeatedly surprised by being told you performed poorly, that’s a big communication problem. I wrote about this here: About Cybersecurity Management and Expectations.
– Expecting a wronged employee to choose the punishment for the person who has caused them harm. This should never happen – it puts them in an impossible position and doesn’t do equitable justice.
Networking is (probably) integral to landing your dream job. I cannot count the number of times I’ve told people it would be incredibly beneficial to network in the broader community more aggressively to find a better position. Our professional community is still small, and a lot of the choice jobs are found through human beings. This can also help bypass recruiting voodoo. This isn’t obligatory, but if you’re griping you haven’t found your dream job, and you are not doing some of the following things, you’re missing out on substantial opportunities:
– Playing in open CTFs, notably as part of a team
– Attending your local or virtual BSides conference (and volunteering as a bonus!)
– Attending your local CitySec, DEF CON local group, or 2600
– Contributing to open source projects or research
– Joining professional groups applicable to your niche and vertical, such as ISSA, MCPA, or AFCEA, and participating in them actively
– Speaking, podcasting, vloging, or blogging
– Being active and constructive on infosec Mastodon or Twitter
These are not hard and fast rules, but they’re problems that I see continually with advice I give out on a quite regular basis. Since my calendar is filling up pretty far in advance, I hope you find this a useful start and some of these concerns resonate with you. Wishing you all a happy and successful New Year!